Different signed serial numbers
Mark Andrews
marka at isc.org
Mon Sep 22 23:55:51 UTC 2025
Whenever a zone is changed the serial needs to be updated so that secondary servers know when to transfer the updated content. When a zone is signed the updating takes place more often as RRSIG records need to be periodically updated. If you have views the serials in each view are independent of each other unless you take steps to keep them the same. Additionally when you use inline signing the serial of the signed zone is independent of the unsigned zone as the signed zone has the periodical updates the unsigned zone doesn’t. Additionally two inline zones using the same unsigned zone will sign zone content at different times and in different orders to each other.
When checking zone serials for consistency all the above needs to be taken into account. The scripts work when you query the correct instance of the zone when using views and when there is not an inline signer on the secondary.
There is an EDNS option called ZONEVERSION that can report the underlying zone version when a zone is inline signed. I’m not aware of any zone consistency scripts using that yet, but they would have to be tuned on a per server basis to know which value to compare.
--
Mark Andrews
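As an added example (not from this thread, and not BIND's or ISC's own code), a small Python check that applies the rules above: it parses rndc zonestatus output, requires the unsigned serial to agree across views while treating signed-serial differences under inline signing as expected, and compares SOA serials only among servers that answer from the same view. The server names and SOA values in SOA_BY_VIEW are constructed.

```python
from typing import Dict, List

# Constructed sample input: the two `rndc zonestatus` outputs quoted in the
# thread, trimmed to the fields the check uses.
ZONESTATUS = {
    "internal": "name: tana.it\nserial: 2025060901\nsigned serial: 2025060981\ninline signing: yes\n",
    "external": "name: tana.it\nserial: 2025060901\nsigned serial: 2025060980\ninline signing: yes\n",
}
# Constructed sample: SOA serials as seen via dig, grouped by the view each server answers from.
SOA_BY_VIEW = {
    "internal": {"ns-int.example": 2025060981},
    "external": {"ns1.example": 2025060980, "ns2.example": 2025060980},
}


def parse_zonestatus(text: str) -> Dict[str, str]:
    """Turn the `key: value` lines of rndc zonestatus into a dict."""
    status = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            status[key.strip()] = value.strip()
    return status


def check_views(statuses: Dict[str, Dict[str, str]]) -> List[str]:
    """Compare one zone across views: unsigned serials must agree, signed serials may differ."""
    # Each view's inline signer bumps its own signed serial on every resign,
    # so a signed-serial mismatch is only an error when inline signing is off.
    unsigned = {v: s.get("serial") for v, s in statuses.items()}
    signed = {v: s.get("signed serial") for v, s in statuses.items()}
    inline = all(s.get("inline signing") == "yes" for s in statuses.values())
    out = []
    if len(set(unsigned.values())) > 1:
        out.append(f"ERROR: unsigned serials differ across views: {unsigned}")
    else:
        out.append(f"OK: unsigned serial {next(iter(unsigned.values()))} agrees across views")
    if len(set(signed.values())) > 1:
        level = "INFO" if inline else "ERROR"
        out.append(f"{level}: signed serials differ across views: {signed}")
    return out


def check_secondaries(soa_by_view: Dict[str, Dict[str, int]]) -> List[str]:
    """Compare SOA serials only among servers that serve the same view."""
    # A secondary running its own inline signer would still differ here;
    # for such a server the ZONEVERSION EDNS option is the value to compare.
    out = []
    for view, by_server in soa_by_view.items():
        if len(set(by_server.values())) > 1:
            out.append(f"ERROR: view {view}: serials differ: {by_server}")
        else:
            out.append(f"OK: view {view}: all servers at {next(iter(by_server.values()))}")
    return out
```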
> On 23 Sep 2025, at 04:32, Alessandro Vesely <vesely at tana.it> wrote:
>
> Hi,
>
> I ran a script to check some DNS issues and it diagnosed "ERROR: SOA records are not consistent across nameservers". The reason seems to be because I use different views for internal vs external queries. I have external secondary servers, so querying them (e.g. dig @45.33.33.148 tana.it soa) can give different results.
>
> rndc zonestatus says the following:
>
> 598-north:bind# rndc zonestatus tana.it in internal
> name: tana.it
> type: primary
> files: /etc/bind/int/tana.it
> serial: 2025060901
> signed serial: 2025060981
> nodes: 102
> last loaded: Mon, 09 Jun 2025 11:26:50 GMT
> secure: yes
> inline signing: yes
> key maintenance: automatic
> next key event: Mon, 22 Sep 2025 18:54:55 GMT
> next resign node: i-cname.tana.it/CNAME
> next resign time: Fri, 10 Oct 2025 23:20:17 GMT
> dynamic: no
> reconfigurable via modzone: no
>
> And
>
> 599-north:bind# rndc zonestatus tana.it in external
> name: tana.it
> type: primary
> files: /etc/bind/pub/tana.it
> serial: 2025060901
> signed serial: 2025060980
> nodes: 101
> last loaded: Mon, 09 Jun 2025 11:27:00 GMT
> secure: yes
> inline signing: yes
> key maintenance: automatic
> next key event: Mon, 22 Sep 2025 18:54:55 GMT
> next resign node: k-cname.tana.it/A
> next resign time: Fri, 10 Oct 2025 23:24:42 GMT
> dynamic: no
> reconfigurable via modzone: no
>
> Why do signed serials differ even if serials agree?
>
> Are my views out of sync? (next resign nodes differ)
>
> Are secondary servers out of sync?
>
> Is the script incorrect?
>
>
> TIA for any clue
>
> Best
> Ale
> --