[Dnssec-deployment] SOA serial number changes on resigning thoughts

Jan-Piet Mens jpmens+dnssecdeployment at gmail.com
Thu Feb 3 05:41:32 EST 2011


> When a zone is
> re-signed, its contents change (if only to change the dates on the RRSIGs).
> That implies the SOA serial number changes.

From a monitoring perspective, i.e. checking that serial numbers on the master,
the signing proxy, and the final slaves are in sync, it would be advantageous to
not modify the serial number, but as there's no other way to instruct a slave
of the changes to the zone, the serial number changing will have to be done.

Would it be possible to, say, (optionally) insert a new TXT RR (along Jim's
idea), containing the original serial received by the signer?

Regards,

    -JP
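
A sketch of the monitoring check such a TXT record would allow, as an added example that is not part of the original message: each downstream server's carried "original serial" is compared with the master's SOA serial using RFC 1982 serial arithmetic. The TXT payload format `orig-serial=<n>`, the server names and the sample serials are assumptions constructed for illustration; no such record is standardized.

```python
import re

SERIAL_MOD = 2 ** 32  # SOA serials are unsigned 32-bit values

def serial_gt(a, b):
    """RFC 1982 comparison: True if serial a is newer than serial b."""
    return a != b and ((a - b) % SERIAL_MOD) < 2 ** 31

def parse_orig_serial(txt_strings):
    """Extract the original serial from TXT strings (hypothetical format)."""
    for s in txt_strings:
        m = re.fullmatch(r"orig-serial=(\d{1,10})", s.strip())
        if m and int(m.group(1)) < SERIAL_MOD:
            return int(m.group(1))
    return None

def check_chain(master_serial, downstream):
    """downstream maps server -> (signed SOA serial, TXT strings).
    Returns server -> status relative to the master's unsigned zone."""
    report = {}
    for name, (signed_serial, txts) in downstream.items():
        orig = parse_orig_serial(txts)
        if orig is None:
            report[name] = "UNKNOWN"   # record missing or malformed
        elif orig == master_serial:
            report[name] = "OK"        # serves a signing of the current zone
        elif serial_gt(master_serial, orig):
            report[name] = "STALE"     # signed from an older master version
        else:
            report[name] = "AHEAD"     # claims a serial the master lacks
    return report

# Constructed sample data: the signer has re-signed several times, so its
# own SOA serial no longer matches the master's.
MASTER_SERIAL = 2011020301
SAMPLE = {
    "signer": (2011020317, ["orig-serial=2011020301"]),
    "slave1": (2011020317, ["orig-serial=2011020301"]),
    "slave2": (2011020310, ["orig-serial=2011020300"]),
    "slave3": (2011020317, ["v=spf1 -all"]),
}

if __name__ == "__main__":
    for server, status in check_chain(MASTER_SERIAL, SAMPLE).items():
        print(f"{server}: {status}")
```
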

