Different signed serial numbers
Alessandro Vesely
vesely at tana.it
Tue Sep 23 17:42:54 UTC 2025
Hi,
thanks for the explanation!
On Tue 23/Sep/2025 01:55:51 +0200 Mark Andrews wrote:
> Whenever a zone is changed the serial needs to be updated so that secondary servers know when to transfer the updated content. When a zone is signed the updating takes place more often as RRSIG records need to be periodically updated. If you have views the serials in each view are independent of each other unless you take steps to keep them the same. Additionally when you use inline signing the serial of the signed zone is independent of the unsigned zone as the signed zone has the periodical updates the unsigned zone doesn’t. Additionally two inline zones using the same unsigned zone will sign zone content at different times and in different orders to each other.
I just copy the (edited) internal zone file to the public one, replacing things
like NATted addresses. Since I only edit the internal files, I know the
external ones are in sync because they have the same (non-signed) serial.
> When checking zone serials for consistency all the above needs to be taken into account. The scripts work when you query the correct instance of the zone when using views and when there is not an inline signer on the secondary.
The script I ran just issues a few queries using Python's dns.resolver. I
don't see how it could check for consistency (or determine that some resolvers
use different views).
> There is an EDNS option called ZONEVERSION that can report the underlying zone version when a zone is inline signed. I’m not aware of any zone consistency scripts using that yet but they would have to be tuned on a per server basis to know which value to compare.
Hmm... I tried dig +ednsopt=19 but saw nothing resembling additional data.
Even MSG SIZE rcvd is the same as without the option. Does it have to be enabled?
Best
Ale
--
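As an added illustration of the two points raised in this thread (serials of inline-signed copies drifting apart while the unsigned content is identical, and ZONEVERSION as a way to see the underlying version), here is a small dnspython script. It is not the script Ale ran and not part of the thread; it assumes dnspython (dns.message, dns.query, dns.edns) for the live queries, uses the ZONEVERSION option layout from RFC 9660 (option code 19: one LABELCOUNT octet, one TYPE octet, then the VERSION, where TYPE 0 carries the 32-bit SOA serial), and the server names and sample responses in it are constructed. A server that does not implement or does not enable the option simply returns no option 19 in its reply, which the script reports as None; that is the same thing `dig +ednsopt=19` shows when nothing extra comes back.

```python
"""Compare zone serials across authoritative servers, asking for the EDNS
ZONEVERSION option (code 19, RFC 9660) in the same SOA query.

Added example, not the script from the thread.  Server names and the
SAMPLE_RESULTS below are constructed for illustration.
"""
import sys
from typing import Dict, List, Optional, Tuple

ZONEVERSION_CODE = 19     # EDNS option code assigned by RFC 9660
ZV_TYPE_SOA_SERIAL = 0    # TYPE 0: VERSION is the 4-octet SOA serial

# (soa_serial_seen, zoneversion_serial_or_None) per server.
Result = Tuple[Optional[int], Optional[int]]


def parse_zoneversion(data: bytes) -> Optional[int]:
    """Decode ZONEVERSION option data: LABELCOUNT, TYPE, VERSION.
    Returns the serial for TYPE 0; None for an empty, truncated or
    unknown-type option (a server that ignores the request sends nothing)."""
    if len(data) < 2:
        return None
    zv_type, version = data[1], data[2:]
    if zv_type != ZV_TYPE_SOA_SERIAL or len(version) != 4:
        return None
    return int.from_bytes(version, "big")


def query_server(server: str, zone: str, timeout: float = 3.0) -> Result:
    """SOA query sent directly to one server with an empty ZONEVERSION
    option attached (what `dig +ednsopt=19` does).  dnspython is imported
    lazily so the offline helpers stay importable without it."""
    import dns.edns
    import dns.message
    import dns.query
    import dns.rdatatype

    q = dns.message.make_query(
        zone, dns.rdatatype.SOA, use_edns=0,
        options=[dns.edns.GenericOption(ZONEVERSION_CODE, b"")])
    r = dns.query.udp(q, server, timeout=timeout)

    soa_serial = None
    for rrset in r.answer:
        if rrset.rdtype == dns.rdatatype.SOA:
            soa_serial = rrset[0].serial        # serial of the copy served
    zv_serial = None
    for opt in r.options:                       # EDNS options in the reply
        if opt.otype == ZONEVERSION_CODE:
            zv_serial = parse_zoneversion(opt.to_wire())
    return soa_serial, zv_serial


def serial_groups(results: Dict[str, Result], field: int) -> Dict[Optional[int], List[str]]:
    """Group servers by one field: 0 = SOA serial seen, 1 = ZONEVERSION."""
    groups: Dict[Optional[int], List[str]] = {}
    for server, pair in sorted(results.items()):
        groups.setdefault(pair[field], []).append(server)
    return groups


def consistent(groups: Dict[Optional[int], List[str]]) -> bool:
    """True when every server that reported a value reported the same one.
    Servers that sent no ZONEVERSION (None) cannot be judged and are skipped."""
    return len([k for k in groups if k is not None]) == 1


# Constructed sample: two inline-signing secondaries whose signed copies
# carry different serials but report the same underlying (unsigned)
# version; a third server answers without the option at all.
SAMPLE_RESULTS: Dict[str, Result] = {
    "ns1.example.invalid": (2025092305, 2025092301),
    "ns2.example.invalid": (2025092309, 2025092301),
    "ns3.example.invalid": (2025092301, None),
}


def report(results: Dict[str, Result]) -> List[str]:
    """Human-readable summary of both groupings."""
    lines = []
    for label, field in (("SOA serial", 0), ("ZONEVERSION", 1)):
        groups = serial_groups(results, field)
        state = "consistent" if consistent(groups) else "DIFFERS"
        lines.append(f"{label}: {state}")
        for value, servers in groups.items():
            lines.append(f"  {value}: {', '.join(servers)}")
    return lines


if __name__ == "__main__":
    # usage: zoneversion_check.py ZONE SERVER [SERVER ...]
    zone, servers = sys.argv[1], sys.argv[2:]
    live = {s: query_server(s, zone) for s in servers}
    print("\n".join(report(live)))
```

Run against the sample data, the SOA grouping reports DIFFERS (three different signed serials) while the ZONEVERSION grouping is consistent for the two servers that answered with the option, which is exactly the distinction Mark describes: the signed copies legitimately carry different serials, and only the reported underlying version tells you whether the content is the same. Which of the two values to compare per server is still a per-server decision, since a server that is not inline-signing, or that ignores the option, contributes only its plain SOA serial.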