[Dnssec-deployment] SOA serial number changes on resigning thoughts

Florian Weimer fweimer at bfk.de
Thu Feb 3 07:05:14 EST 2011

* Mark Andrews:

> In message <82hbcls8e5.fsf at mid.bfk.de>, Florian Weimer writes:
>> * Jan-Piet Mens:
>> > Would it be possible to, say, (optionally) insert a new TXT RR (along Jim's
>> > idea), containing the original serial received by the signer?
>> The slaves could just check the RRSIGs on the SOA record for changes,
>> in addition to the serial, and the signer could make sure that the SOA
>> record is resigned as well if any signature changes.  If you follow
>> this protocol, no additional zone content is required.
> Only if you want to AXFR the zone every time.  IXFR needs the serial to
> be sent.

I'm not sure if this is an issue in Bert's case.  If you resign from
scratch, at least three quarters of the RRsets change anyway, so IXFR
is not very effective.

Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
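
Added example (not part of the original message): a sketch of the secondary-side check discussed in this thread, where the secondary compares the RRSIGs covering the SOA in addition to the serial. The function names, the action labels and the sample RRSIG lines are constructed for illustration; because IXFR is keyed on the serial, an unchanged serial with changed signatures falls back to AXFR here.

```python
from typing import FrozenSet, Iterable, NamedTuple

class SoaRrsig(NamedTuple):
    algorithm: int
    key_tag: int
    inception: str    # YYYYMMDDHHmmSS, as in RRSIG presentation format
    expiration: str
    signature: str    # base64 text, whitespace removed

def parse_soa_rrsigs(rdata_lines: Iterable[str]) -> FrozenSet[SoaRrsig]:
    """Parse RRSIG rdata in presentation format, keeping only those covering SOA.
    Fields: covered alg labels ttl expiration inception key-tag signer signature"""
    sigs = set()
    for line in rdata_lines:
        f = line.split()
        if len(f) < 9 or f[0].upper() != "SOA":
            continue
        sigs.add(SoaRrsig(int(f[1]), int(f[6]), f[5], f[4], "".join(f[8:])))
    return frozenset(sigs)

def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: True if serial a is newer than serial b."""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000

def refresh_action(local_serial, local_sigs, master_serial, master_sigs) -> str:
    """Decide what the secondary does after fetching SOA + RRSIG from the master."""
    if serial_gt(master_serial, local_serial):
        return "IXFR"   # serial advanced: incremental transfer can be requested
    if master_serial == local_serial and master_sigs != local_sigs:
        return "AXFR"   # re-signed without a serial bump: only a full transfer works
    return "NONE"       # nothing changed, or the master is behind

# Constructed sample data: same key, same serial, zone re-signed a week later.
OLD_SIGS = parse_soa_rrsigs([
    "SOA 8 2 3600 20110305000000 20110203000000 12345 example.com. AAAAaaaa bbbb==",
])
NEW_SIGS = parse_soa_rrsigs([
    "SOA 8 2 3600 20110312000000 20110210000000 12345 example.com. CCCCcccc dddd==",
    "A 8 3 3600 20110312000000 20110210000000 12345 example.com. ignored==",
])

if __name__ == "__main__":
    print(refresh_action(2011020301, OLD_SIGS, 2011020302, NEW_SIGS))  # serial bumped
    print(refresh_action(2011020301, OLD_SIGS, 2011020301, NEW_SIGS))  # re-signed only
    print(refresh_action(2011020301, OLD_SIGS, 2011020301, OLD_SIGS))  # unchanged
```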
