[Dnssec-deployment] SOA serial number changes on resigning thoughts
Jim Reid
jim at rfc1035.com
Thu Feb 3 05:10:14 EST 2011
On 3 Feb 2011, at 09:55, bert hubert wrote:
> In short, has anyone thought up the very best way to solve the problem of
> how to tell your slaves that you have resigned in the case where you do not
> have the liberty to stomp over the unsigned zone and update its serial
> number.
Bert, I understand the question but can't make sense of it. When a
zone is re-signed, its contents change (if only to change the dates on
the RRSIGs). That implies the SOA serial number changes. Also, when a
zone is signed its unsigned version is by definition no longer
definitive even if it does provide essential input to the signer. So
any meta information in that unsigned zone (SOA serial, comments, etc)
has no relevance to what the DNS publishes in the signed zone.
What's the actual issue here? Why does someone care if the signed,
published zone has a different version from the unsigned and
presumably unpublished version?
It's easy enough to put a TXT record of some sort into the zone for
administrative or maintenance purposes. I've been putting the RCS
version string as the RDATA for one of these at the apex of my zones
for almost 20 years. Old habits die hard... :-)