[Dnssec-deployment] SOA serial number changes on resigning thoughts

Florian Weimer fweimer at bfk.de
Thu Feb 3 07:05:14 EST 2011


* Mark Andrews:

> In message <82hbcls8e5.fsf at mid.bfk.de>, Florian Weimer writes:
>> * Jan-Piet Mens:
>> 
>> > Would it be possible to, say, (optionally) insert a new TXT RR (along Jim's
>> > idea), containing the original serial received by the signer?
>> 
>> The slaves could just check the RRSIGs on the SOA record for changes,
>> in addition to the serial, and the signer could make sure that the SOA
>> record is resigned as well if any signature changes.  If you follow
>> this protocol, no additional zone content is required.
>
> Only if you want to AXFR the zone every time.  IXFR needs the serial to
> be sent.

I'm not sure if this is an issue in Bert's case.  If you resign from
scratch, at least three quarters of the RRsets change anyway, so IXFR
is not very effective.

-- 
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
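
The refresh check discussed in this thread, as an added example that is not part of the original message or of any name server's code: a secondary compares the RRSIG(SOA) set as well as the serial, and falls back to AXFR when only the signatures changed, since IXFR is keyed on the serial. The function names and the example.com records are constructed for illustration, and it is assumed the secondary already holds the primary's SOA and RRSIG(SOA) in presentation format.

```python
"""Refresh check on a secondary: SOA serial plus RRSIG(SOA) comparison."""

def soa_serial(rr):
    # <owner> <ttl> <class> SOA <mname> <rname> <serial> <refresh> <retry> <expire> <min>
    f = rr.split()
    return int(f[f.index("SOA") + 3])

def rrsig_key(rr):
    # ... RRSIG <covered> <alg> <labels> <orig-ttl> <expire> <incept> <keytag> <signer> <sig>
    f = rr.split()
    i = f.index("RRSIG")
    if f[i + 1] != "SOA":
        raise ValueError("not an RRSIG covering SOA")
    # Identity of one signature: algorithm, validity window, key tag, signer, signature bytes
    return (f[i + 2], f[i + 5], f[i + 6], f[i + 7], f[i + 8].lower(), "".join(f[i + 9:]))

def serial_newer(remote, local):
    # RFC 1982 serial number arithmetic on 32-bit serials (handles wrap-around)
    return 0 < ((remote - local) & 0xFFFFFFFF) < 0x80000000

def transfer_action(local_soa, local_sigs, remote_soa, remote_sigs):
    """Return 'IXFR', 'AXFR' or None for the secondary's next step."""
    local, remote = soa_serial(local_soa), soa_serial(remote_soa)
    if serial_newer(remote, local):
        return "IXFR"  # serial advanced: an incremental transfer can be requested
    if remote == local:
        old = {rrsig_key(s) for s in local_sigs}
        new = {rrsig_key(s) for s in remote_sigs}
        if old != new:
            return "AXFR"  # re-signed under the same serial: IXFR has nothing to key on
    return None  # unchanged, or remote serial is older

# Constructed sample records (signature fields are placeholders, not real signatures)
SOA_A = ("example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. "
         "2011020301 7200 3600 1209600 3600")
SOA_B = SOA_A.replace("2011020301", "2011020302")
SIG_A = ("example.com. 3600 IN RRSIG SOA 8 2 3600 20110305000000 20110203000000 "
         "12345 example.com. c2lnLW9sZA==")
SIG_B = ("example.com. 3600 IN RRSIG SOA 8 2 3600 20110312000000 20110210000000 "
         "12345 example.com. c2lnLW5ldw==")

if __name__ == "__main__":
    print(transfer_action(SOA_A, [SIG_A], SOA_A, [SIG_A]))  # nothing changed
    print(transfer_action(SOA_A, [SIG_A], SOA_A, [SIG_B]))  # re-signed, same serial
    print(transfer_action(SOA_A, [SIG_A], SOA_B, [SIG_B]))  # serial bumped
```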

