[Dnssec-deployment] SOA serial number changes on resigning thoughts
bert hubert
bert.hubert at netherlabs.nl
Thu Feb 3 04:55:01 EST 2011
Hi everybody,
I hope this is appropriate for dnssec-deployment, otherwise dns-operations
might be a better place.
In short, has anyone thought up the very best way to solve the problem of
how to tell your slaves that you have resigned in the case where you do not
have the liberty to stomp over the unsigned zone and update its serial
number.
This is for example true in the following setup:
Unsigned master -> notify/zone -> SIGNER -> notify/zone signed slave
For 'SIGNER' you can read OpenDNSSEC, Xelerance (I think) or PowerDNSSEC.
My original thoughts are below. In addition, a 'stateful' solution is of
course possible where a wholly new serial number is invented.
Your ideas/experiences are most welcome!
Bert
On Thu, Feb 03, 2011 at 08:44:08AM +0100, Christof Meerwald wrote:
> Is there any better solution than having to run a script each week on
> the master server to update the SOA serial number and reload the zone
> (so the slave gets notified of the change and does an AXFR)?
This will obviously have to be automated, but we're not sure how. The more
general case is where PowerDNS operates like OpenDNSSEC, as a 'signing
proxy'. In this case there is an 'original serial' from the unsigned master,
which tells us when the original changed.
Secondly, there is the 'signed serial' which will have to change once a week
at least, but also whenever the 'original serial' changes.
In your case, where PowerDNS merely does the signing, things are a bit
simpler, but still not trivial.
We obviously need to come up with something smart! Thinking out loud a bit.
A problem is that the SOA serial is 32 bits, and often filled out like this:
4294967296
2011020300 .. 2011020301 .. 2011020302 etc
This means that if we do the 'obvious' and leave the first six digits alone,
we can only do 99 increments, which is not enough by a long shot.
However, '20110203' only encodes a day number, and there have been 15008
days since the beginning of the epoch. What we could do is convert a
'date-formed SERIAL' to a more compact form, and leave loads of room for
autoincrementing the serial.
So 2011020312 ('the 12th increment on the 3rd of February 2011') could be
converted to:
FFFFFFFF
3AA00Cnn
This still only gives us 256 increments before things turn nasty.
Ideas?
I prefer a solution where we don't actually increment the serial in the
database but overlay it with something that autoincrements ('weeks since
january first 2011').
Bert
----- End forwarded message -----
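The two schemes sketched in the message above (the compact day-number form such as 3AA00Cnn, and the stateless overlay of 'weeks since January first 2011') can be tried out in a few lines. The code below is an added example, not part of the original post and not PowerDNS or OpenDNSSEC code; the serial 2011020312 and the dates are taken from the message, the field widths for the compact form are an assumption matching the 3AA00Cnn layout, and the RFC 1982 comparison is included so you can check whether a slave would actually accept the result. It also shows one caveat worth knowing before picking the compact form: a slave that previously held the unsigned zone at serial 2011020312 would consider 0x3AA00C00 older and refuse the transfer.

```python
# Added example (not from the original post): stateless "signed serial"
# strategies for a signing proxy, plus the RFC 1982 check a slave applies.
from datetime import date

MASK32 = 0xFFFFFFFF
UNIX_EPOCH = date(1970, 1, 1)


def serial_is_newer(new: int, old: int) -> bool:
    """RFC 1982 serial arithmetic on 32-bit SOA serials: True if a slave
    holding 'old' would treat 'new' as newer and transfer the zone."""
    new &= MASK32
    old &= MASK32
    if new == old:
        return False
    if new > old:
        return new - old < 2**31
    return old - new > 2**31          # wrapped around 2^32


def parse_date_serial(serial: int):
    """Split a YYYYMMDDnn serial into (date, nn).
    date() raises ValueError for serials that are not date-formed."""
    yyyymmdd, nn = divmod(serial, 100)
    year, md = divmod(yyyymmdd, 10000)
    month, day = divmod(md, 100)
    return date(year, month, day), nn


def compact_serial(orig_serial: int, resigns: int) -> int:
    """Compact form from the message (field widths assumed):
    <16 bits: days since 1970-01-01><8 bits: nn><8 bits: resign count>.
    2011020312 with 0 resigns becomes 0x3AA00C00 (0x3AA0 == 15008 days)."""
    d, nn = parse_date_serial(orig_serial)
    days = (d - UNIX_EPOCH).days
    if not (0 <= days < 2**16 and 0 <= nn < 2**8 and 0 <= resigns < 2**8):
        # only 256 resigns fit per original serial, as the message notes
        raise ValueError("compact serial field overflow")
    return (days << 16) | (nn << 8) | resigns


def overlay_serial(orig_serial: int, today: date,
                   epoch: date = date(2011, 1, 1)) -> int:
    """Stateless overlay: original serial plus whole weeks elapsed since
    'epoch'. Rises whenever the unsigned master bumps its serial and at
    least once a week, without writing anything back to the master."""
    weeks = (today - epoch).days // 7
    if weeks < 0:
        raise ValueError("today precedes the overlay epoch")
    return (orig_serial + weeks) & MASK32


if __name__ == "__main__":
    orig = 2011020312                        # serial from the message
    signed_day = date(2011, 2, 3)
    print(hex(compact_serial(orig, 0)))      # 0x3aa00c00
    # caveat: a slave that held the unsigned zone would refuse this one
    print(serial_is_newer(compact_serial(orig, 0), orig))   # False
    print(overlay_serial(orig, signed_day))  # 2011020316 (4 weeks added)
    print(serial_is_newer(overlay_serial(orig, signed_day), orig))  # True
```

The overlay keeps the serial monotone because both inputs (the master's serial and the week counter) only ever grow, so a fresh signature gets a higher serial both when the master changes and when a week passes; it also stays above the unsigned serial, which matters if slaves are migrated from the unsigned zone to the signed one.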