[Dnssec-deployment] SOA serial number changes on resigning thoughts
bert hubert
bert.hubert at netherlabs.nl
Thu Feb 3 06:08:36 EST 2011
On Thu, Feb 03, 2011 at 10:46:26AM +0000, Florian Weimer wrote:
> > Would it be possible to, say, (optionally) insert a new TXT RR (along Jim's
> > idea), containing the original serial received by the signer?
>
> The slaves could just check the RRSIGs on the SOA record for changes,
> in addition to the serial, and the signer could make sure that the SOA
> record is resigned as well if any signature changes. If you follow
> this protocol, no additional zone contents are required.
This is great if we control the slaves of course. Which quite often we
don't. But for PowerDNS as a slave, this sounds like a great idea!
Bert
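
The check proposed in the quoted text, sketched as an added example (not code from this thread or from PowerDNS): a secondary compares both the SOA serial and the RRSIGs covering the SOA against what it last saw. The record lines, key tag and signatures are constructed sample data, and the function names are hypothetical.

```python
from typing import NamedTuple, Optional

class SoaState(NamedTuple):
    serial: int
    rrsigs: frozenset  # RRSIG(SOA) tuples seen alongside the SOA

def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: is 32-bit serial a newer than b?"""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000

def parse_soa_answer(lines) -> SoaState:
    """Parse presentation-format SOA and RRSIG(SOA) records from an answer
    obtained with the DO bit set (so the signatures are included)."""
    serial, sigs = None, set()
    for line in lines:
        f = line.split()
        if f[3] == "SOA":
            serial = int(f[6])
        elif f[3] == "RRSIG" and f[4] == "SOA":
            # (algorithm, key tag, inception, expiration, signature)
            sigs.add((int(f[5]), int(f[10]), f[9], f[8], "".join(f[12:])))
    if serial is None:
        raise ValueError("no SOA record in answer")
    return SoaState(serial, frozenset(sigs))

def refresh_reason(local: SoaState, remote: SoaState) -> Optional[str]:
    """Return why a zone transfer is needed, or None if the copy is current."""
    if serial_gt(remote.serial, local.serial):
        return "serial"
    if remote.serial == local.serial and remote.rrsigs != local.rrsigs:
        return "rrsig"  # zone was re-signed without a serial bump
    return None

# Constructed sample records (not real zone data).
SOA = ("example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. "
       "{} 7200 3600 1209600 3600")
SIG_OLD = ("example.com. 3600 IN RRSIG SOA 8 2 3600 20110303000000 "
           "20110203000000 12345 example.com. AAAAc2lnMQ==")
SIG_NEW = ("example.com. 3600 IN RRSIG SOA 8 2 3600 20110310000000 "
           "20110210000000 12345 example.com. AAAAc2lnMg==")

if __name__ == "__main__":
    local = parse_soa_answer([SOA.format(2011020301), SIG_OLD])
    remote = parse_soa_answer([SOA.format(2011020301), SIG_NEW])
    print(refresh_reason(local, remote))
```
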