Different signed serial numbers

Mark Andrews marka at isc.org
Thu Sep 25 00:34:01 UTC 2025



> On 24 Sep 2025, at 19:36, Alessandro Vesely <vesely at tana.it> wrote:
> 
> On Wed 24/Sep/2025 08:25:40 +0200 Nick Tait wrote:
>> On 24/09/2025 05:42, Alessandro Vesely wrote:
>>> On Tue 23/Sep/2025 01:55:51 +0200 Mark Andrews wrote:
>>>> When checking zone serials for consistency all the above needs to be taken into account.  The scripts work when you query the correct instance of the zone when using views and when there is not an inline signer on the secondary.
>>> 
>>> The script I ran just issues a few queries using Python's dns.resolver.  I don't see how it could check for consistency (or determine that some resolvers use different views).
>> 
>> The tool you're using might be looking at NS records and then querying the authoritative servers directly, possibly in addition to asking the configured resolver?
> 
> 
> The script is https://github.com/hannob/alwaysdns.  It is charmingly simple in its downloading and comparing all SOA records.  I assume signed serials have definitely disqualified this synchronization checking technique.  Are there any alternatives?

Using inline-signing is a *choice*.  Named will happily sign a zone without using it.  It is
there for those that want to continue to use a text editor for updating the zone content.  One
can choose not to use it and to use rndc freeze/thaw when updating the zone file (not recommended)
or to use nsupdate to update the zone content (recommended).  Yes, you have to learn how to use a
new tool.  It’s not particularly hard.

>> (What do the internal zone file NS records point to? And when you "copy the (edited) internal zone file to the public one, replacing things like NATted addresses", are you also updating those?)
> 
> 
> This is an old bash script I've been tinkering with for years.  Internal and public zones live in two parallel directories.  For each internal zone file it generates the public copy on a temporary file using sed.  If that temporary is different from the current one, all .jbk, .signed, .signed.jnl of that zone are marked for deletion.  If there are any files so marked at the end, named is stopped, the files are removed, and named is restarted.  The script doesn't check the serial numbers.
> 
> 
> Best
> Ale

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
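As an added example (not code from this thread, from the alwaysdns script or from ISC), here is a serial consistency check of the kind the thread discusses: it asks each authoritative server directly for the SOA, compares serials with RFC 1982 serial arithmetic so a wrapped serial is still ordered correctly, and lists servers known to run an inline signer separately instead of comparing them, since their signed copy carries its own serial. The server names and serials in SAMPLE are constructed; fetch_serials needs dnspython and is only needed for live queries.

```python
from typing import Dict, Iterable

SERIAL_HALF = 1 << 31
SERIAL_MASK = (1 << 32) - 1

def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 comparison: True if serial a is newer than b, even across a 2**32 wrap."""
    a, b = a & SERIAL_MASK, b & SERIAL_MASK
    if a == b:
        return False
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)

def fetch_serials(zone: str, servers: Dict[str, str]) -> Dict[str, int]:
    """Ask each authoritative server (name -> IP) directly for the zone's SOA serial; needs dnspython."""
    # Direct queries from one source address bypass the resolver cache and stay within one view.
    import dns.message, dns.query, dns.rdatatype
    serials = {}
    for name, ip in servers.items():
        reply = dns.query.udp(dns.message.make_query(zone, dns.rdatatype.SOA), ip, timeout=3)
        for rrset in reply.answer:
            if rrset.rdtype == dns.rdatatype.SOA:
                serials[name] = rrset[0].serial
    return serials

def check_serials(serials: Dict[str, int], inline_signers: Iterable[str] = ()) -> dict:
    """Report which servers lag the newest serial; inline signers are listed, not compared."""
    signers = set(inline_signers)
    compared = {s: n for s, n in serials.items() if s not in signers}
    if not compared:
        raise ValueError("no servers left to compare")
    newest = None
    for n in compared.values():
        if newest is None or serial_gt(n, newest):
            newest = n
    return {
        "newest": newest,
        "in_sync": sorted(s for s, n in compared.items() if n == newest),
        "behind": sorted(s for s, n in compared.items() if n != newest),
        "inline_signed": {s: serials[s] for s in sorted(signers) if s in serials},
    }

# Constructed sample answers from hypothetical servers; ns4 runs an inline signer.
SAMPLE = {
    "ns1.example.net": 2025092401,
    "ns2.example.net": 2025092401,
    "ns3.example.net": 2025092300,  # has not yet transferred the latest update
    "ns4.example.net": 2025092405,  # signed copy carries the signer's own serial
}
```

Run check_serials(SAMPLE) without the inline_signers argument and ns4 is reported as newest with every other server "behind", which is the false alarm the thread describes; naming ns4 as an inline signer leaves ns3 as the only real laggard.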