[Dnssec-deployment] SOA serial number changes on resigning thoughts
jaap at NLnetLabs.nl
Thu Feb 3 06:32:05 EST 2011
On Thu, Feb 03, 2011 at 10:46:26AM +0000, Florian Weimer wrote:
> > Would it be possible to, say, (optionally) insert a new TXT RR (along J
> > idea), containing the original serial received by the signer?
> The slaves could just check the RRSIGs on the SOA record for changes,
> in addition to the serial, and the signer could make sure that the SOA
> record is resigned as well if any signature changes. If you follow
> this protocol, no additional zone content is required.
I don't get this. If anything in the zone changes, the serial needs
to be updated. If you a bit in the zone, the serial needs to be
This discussion should probably take place in DNSOP or DNSEXT.
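
The check proposed in the quoted reply (a slave comparing the RRSIGs on the SOA record in addition to the serial), written out as an added example that is not part of the original thread and not the behaviour of any particular name server. The names `SoaState`, `serial_newer` and `refresh_reason` are hypothetical, and the sample values are constructed.

```python
from dataclasses import dataclass

MASK = 0xFFFFFFFF   # SOA serials are 32-bit
HALF = 0x80000000   # half of the serial number space


def serial_newer(remote: int, local: int) -> bool:
    """RFC 1982 serial arithmetic: True if remote is ahead of local."""
    return 0 < ((remote - local) & MASK) < HALF


@dataclass(frozen=True)
class SoaState:
    """What a slave remembers about the SOA RRset it last saw (hypothetical)."""
    serial: int
    # Each RRSIG covering the SOA: (key_tag, inception, expiration, signature)
    rrsigs: frozenset


def refresh_reason(local: SoaState, remote: SoaState):
    """Return why the slave should transfer the zone, or None.

    "serial": the classic trigger, the master's serial is ahead.
    "rrsig":  the serial is unchanged but the SOA signatures differ, which
              under the proposed protocol means the signer re-signed
              something in the zone and re-signed the SOA along with it.
    """
    if serial_newer(remote.serial, local.serial):
        return "serial"
    if remote.serial == local.serial and remote.rrsigs != local.rrsigs:
        return "rrsig"
    return None  # same or older serial with nothing new: keep the current copy


# Constructed sample data: one signing key, two signing runs.
OLD_SIG = (12345, 20110101000000, 20110131000000, b"\x01\x02")
NEW_SIG = (12345, 20110203000000, 20110305000000, b"\x0a\x0b")

held = SoaState(2011020301, frozenset({OLD_SIG}))
resigned = SoaState(2011020301, frozenset({NEW_SIG}))  # serial untouched
bumped = SoaState(2011020302, frozenset({NEW_SIG}))    # serial incremented

if __name__ == "__main__":
    print(refresh_reason(held, held))      # None
    print(refresh_reason(held, resigned))  # rrsig
    print(refresh_reason(held, bumped))    # serial
```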