[Dnssec-deployment] SOA serial number changes on resigning thoughts
Jaap Akkerhuis
jaap at NLnetLabs.nl
Thu Feb 3 06:32:05 EST 2011
On Thu, Feb 03, 2011 at 10:46:26AM +0000, Florian Weimer wrote:
> > Would it be possible to, say, (optionally) insert a new TXT RR (along Jim's
> > idea), containing the original serial received by the signer?
>
> The slaves could just check the RRSIGs on the SOA record for changes,
> in addition to the serial, and the signer could make sure that the SOA
> record is resigned as well if any signature changes. If you follow
> this protocol, no additional zone contents is required.
I don't get this. If anything in the zone changes, the serial needs
to be updated. If you change a bit in the zone, the serial needs to be
updated.
This discussion should probably take place in DNSOP or DNSEXT.
jaap