[Dnssec-deployment] SOA serial number changes on resigning thoughts
fweimer at bfk.de
Thu Feb 3 05:46:26 EST 2011
* Jan-Piet Mens:
> Would it be possible to, say, (optionally) insert a new TXT RR (along Jim's
> idea), containing the original serial received by the signer?
The slaves could just check the RRSIGs on the SOA record for changes,
in addition to the serial, and the signer could make sure that the SOA
record is re-signed as well if any signature changes. If you follow
this protocol, no additional zone content is required.
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
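
The check described in the reply above, as an added example that is not part of the original post: a secondary transfers when the SOA serial has advanced (RFC 1982 comparison) or when the RRSIG set covering the SOA differs from the one it holds. The function names, the dict layout and the sample records are assumptions constructed for illustration.

```python
# Added illustration; names and sample records are constructed, not from the post.

def serial_gt(new: int, old: int) -> bool:
    """RFC 1982 serial comparison for 32-bit SOA serials (handles wraparound)."""
    diff = (new - old) & 0xFFFFFFFF
    return 0 < diff < 0x80000000

def soa_rrsig_fingerprint(rrsig_rdatas):
    """Reduce RRSIG rdata strings (presentation format) to a comparable set."""
    sigs = set()
    for rdata in rrsig_rdatas:
        f = rdata.split()
        if len(f) < 9 or f[0].upper() != "SOA":
            continue  # skip malformed rdata and RRSIGs covering other types
        # f: covered alg labels orig-ttl expiration inception key-tag signer sig...
        sigs.add((int(f[1]), int(f[6]), f[7].lower(), f[5], f[4], "".join(f[8:])))
    return frozenset(sigs)

def needs_transfer(local, remote):
    """Return 'serial', 'rrsig' or None. Arguments are dicts with the keys
    'serial' (int) and 'soa_rrsigs' (list of RRSIG rdata strings)."""
    if serial_gt(remote["serial"], local["serial"]):
        return "serial"
    if soa_rrsig_fingerprint(remote["soa_rrsigs"]) != soa_rrsig_fingerprint(local["soa_rrsigs"]):
        return "rrsig"
    return None

# Constructed sample data: same serial, SOA re-signed with a new validity window.
SIG_OLD = "SOA 8 2 3600 20110303000000 20110203000000 12345 example.com. AAAA BBBB="
SIG_NEW = "SOA 8 2 3600 20110310000000 20110210000000 12345 example.com. CCCC DDDD="
LOCAL = {"serial": 2011020301, "soa_rrsigs": [SIG_OLD]}
RESIGNED = {"serial": 2011020301, "soa_rrsigs": [SIG_NEW]}
BUMPED = {"serial": 2011020302, "soa_rrsigs": [SIG_NEW]}

if __name__ == "__main__":
    print(needs_transfer(LOCAL, RESIGNED), needs_transfer(LOCAL, BUMPED))
```

The comparison only detects a re-sign if the signer keeps its half of the protocol and refreshes the SOA's RRSIG whenever any other signature in the zone changes.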