[Dnssec-deployment] SOA serial number changes on resigning thoughts
Mark Andrews
marka at isc.org
Thu Feb 3 06:12:26 EST 2011
In message <82hbcls8e5.fsf at mid.bfk.de>, Florian Weimer writes:
> * Jan-Piet Mens:
>
> > Would it be possible to, say, (optionally) insert a new TXT RR (along Jim's
> > idea), containing the original serial received by the signer?
>
> The slaves could just check the RRSIGs on the SOA record for changes,
> in addition to the serial, and the signer could make sure that the SOA
> record is resigned as well if any signature changes. If you follow
> this protocol, no additional zone content is required.
Only if you want to AXFR the zone every time. IXFR needs the serial to
be sent.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
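
Added illustration, not part of the original message or of any name server's code: a Python sketch of the point in the reply above. An IXFR query (RFC 1995) carries the secondary's current SOA serial in the authority section, so a change visible only in the SOA's RRSIG gives the secondary no serial to request a delta from. The function names, the zone name and the serial values are constructed for the example.

```python
import struct

QTYPE_SOA, QTYPE_IXFR, CLASS_IN = 6, 251, 1

def encode_name(name):
    """Encode a non-root domain name as uncompressed wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def skip_name(msg, pos):
    """Return the offset just past an uncompressed name starting at pos."""
    while msg[pos]:
        pos += 1 + msg[pos]
    return pos + 1

def build_ixfr_query(zone, serial, msg_id=0x1234):
    """IXFR query: question is <zone> IXFR, authority holds the client's SOA."""
    owner = encode_name(zone)
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 1, 0)  # QDCOUNT=1, NSCOUNT=1
    question = owner + struct.pack("!HH", QTYPE_IXFR, CLASS_IN)
    # Only the serial matters here; MNAME/RNAME are root and timers are zero.
    rdata = b"\x00\x00" + struct.pack("!IIIII", serial, 0, 0, 0, 0)
    authority = owner + struct.pack("!HHIH", QTYPE_SOA, CLASS_IN, 0, len(rdata)) + rdata
    return header + question + authority

def client_serial(msg):
    """Extract the serial a primary would read from the query's authority SOA."""
    pos = skip_name(msg, 12) + 4                # QNAME, QTYPE, QCLASS
    pos = skip_name(msg, pos) + 10              # owner, TYPE, CLASS, TTL, RDLENGTH
    pos = skip_name(msg, skip_name(msg, pos))   # MNAME, RNAME
    return struct.unpack_from("!I", msg, pos)[0]

def serial_newer(remote, local):
    """RFC 1982 comparison of 32-bit serials: is remote ahead of local?"""
    return remote != local and ((remote - local) & 0xFFFFFFFF) < 0x80000000

def refresh_action(local_serial, local_soa_sig, remote_serial, remote_soa_sig):
    """Secondary's choice when it also compares the RRSIG covering the SOA."""
    if serial_newer(remote_serial, local_serial):
        return "IXFR"   # delta can be requested starting from local_serial
    if remote_soa_sig != local_soa_sig:
        return "AXFR"   # same serial, new signature: no serial names the change
    return "none"
```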