<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 14 June 2018 at 06:27, Axel Rau <span dir="ltr"><<a href="mailto:Axel.Rau@chaos1.de" target="_blank">Axel.Rau@chaos1.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><span class=""><br><div><blockquote type="cite"><div>On 07.06.2018 at 13:36, Axel Rau <<a href="mailto:Axel.Rau@chaos1.de" target="_blank">Axel.Rau@chaos1.de</a>> wrote:</div><br class="m_3826892641316732234Apple-interchange-newline"><div><br style="font-family:Menlo-Regular;font-size:11px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span style="font-family:Menlo-Regular;font-size:11px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">occasionally named 9.11.3 fails to increment SOA serial like here:</span><br style="font-family:Menlo-Regular;font-size:11px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><br style="font-family:Menlo-Regular;font-size:11px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span class="m_3826892641316732234Apple-tab-span" style="font-family:Menlo-Regular;font-size:11px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:pre-wrap;word-spacing:0px"> </span><span 
style="font-family:Menlo-Regular;font-size:11px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">file: 2018060605 dns: 2018060604</span><br style="font-family:Menlo-Regular;font-size:11px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"></div></blockquote></div><div><br></div></span>It just happened again. An included zone file has been changed from 2 TLSA RRs to one:<div><div>- - -</div><div>_443._<a href="http://tcp.git.nussberg.de" target="_blank">tcp.git.nussberg.de</a>. 3600 IN TLSA 3 0 1 DAE0AC343A6694DEAF0BAB42FC8A6B<wbr>1F82E42799654BD667B458DC91655C<wbr>6AB4</div><div>- - -</div><div>After reload no TLSAs are picked up by the server:</div><div>- - -</div><div style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;background-color:rgb(255,255,255)"><span style="font-variant-ligatures:no-common-ligatures">[hermes:local/etc/rc.d] root# dig AXFR <a href="http://nussberg.de" target="_blank">nussberg.de</a>. @localhost | grep TLSA</span></div><div style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;background-color:rgb(255,255,255)"><span style="font-variant-ligatures:no-common-ligatures">[hermes:local/etc/rc.d] root#</span></div></div></div></blockquote><div><br></div><div>This now sounds very different from the original report.  Are you saying that the zone started with two TLSA records, you changed it to have only one, reloaded the zone, but then none were present?</div><div><br></div><div>That's a very different problem from just not picking up a zone update.</div><div><br></div><div>Have you checked the logs for errors during zone loading?  </div></div></div></div>