[Dnssec-deployment] SOA serial number changes on resigning thoughts
Florian Weimer
fweimer at bfk.de
Thu Feb 3 07:05:14 EST 2011
* Mark Andrews:
> In message <82hbcls8e5.fsf at mid.bfk.de>, Florian Weimer writes:
>> * Jan-Piet Mens:
>>
>> > Would it be possible to, say, (optionally) insert a new TXT RR (along Jim's
>> > idea), containing the original serial received by the signer?
>>
>> The slaves could just check the RRSIGs on the SOA record for changes,
>> in addition to the serial, and the signer could make sure that the SOA
>> record is resigned as well if any signature changes. If you follow
>> this protocol, no additional zone content is required.
>
> Only if you want to AXFR the zone every time. IXFR needs the serial to
> be sent.
I'm not sure if this is an issue in Bert's case. If you resign from
scratch, at least three quarters of the RRsets change anyway, so IXFR
is not very effective.
--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
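The two checks discussed in this exchange, modelled as an added example that is not part of the thread: a secondary that treats a changed SOA RRSIG as a reason to transfer even when the serial is unchanged, a signer that re-signs the SOA whenever any other signature changes, and a count of how many RRsets a full re-sign touches (Florian's point about IXFR effectiveness). The zone, the timestamps and the HMAC standing in for the RRSIG signature are constructed; real DNSSEC uses asymmetric signatures over canonical wire format, which the model deliberately leaves out.

```python
"""Toy model of DNSSEC resigning and SOA-RRSIG based change detection.

Constructed example: an HMAC stands in for the RRSIG signature and the zone
is a small in-memory dict. Not real DNSSEC wire format or validation.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample zone: (owner, type) -> tuple of rdata strings.
ZONE = {
    ("example.", "SOA"): ("ns1.example. hostmaster.example. 2011020301 7200 3600 1209600 3600",),
    ("example.", "NS"): ("ns1.example.", "ns2.example."),
    ("ns1.example.", "A"): ("192.0.2.1",),
    ("ns2.example.", "A"): ("192.0.2.2",),
    ("www.example.", "A"): ("192.0.2.10", "192.0.2.11"),
}
KEY = b"constructed-demo-signing-key"  # stand-in for the zone signing key


@dataclass(frozen=True)
class RRSig:
    covered: str
    inception: int
    expiration: int
    signature: str


def sign_rrset(owner, rtype, rdata, inception, expiration, key=KEY):
    """Sign one RRset. As with a real RRSIG the timestamps are covered, so a
    fresh signing run changes the signature even when the rdata is unchanged."""
    msg = "|".join([owner, rtype, str(inception), str(expiration), *sorted(rdata)]).encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return RRSig(rtype, inception, expiration, sig)


def sign_zone(zone, inception, validity, jitter=0, key=KEY):
    """Sign every RRset from scratch; `jitter` staggers expirations so that a
    later incremental run does not have to re-sign everything at once."""
    sigs = {}
    for i, (owner, rtype) in enumerate(sorted(zone)):
        sigs[(owner, rtype)] = sign_rrset(owner, rtype, zone[(owner, rtype)],
                                          inception, inception + validity + i * jitter, key)
    return sigs


def soa_key(zone):
    return next(k for k in zone if k[1] == "SOA")


def resign(zone, sigs, now, validity, refresh, key=KEY):
    """Signer side: re-sign RRsets whose signatures expire within `refresh`.
    If anything changed, make sure the SOA is re-signed too, so the SOA RRSIG
    acts as a change indicator even when the serial stays the same."""
    new = dict(sigs)
    for k, rdata in zone.items():
        if sigs[k].expiration - now <= refresh:
            new[k] = sign_rrset(k[0], k[1], rdata, now, now + validity, key)
    soa = soa_key(zone)
    if new != sigs and new[soa] == sigs[soa]:
        new[soa] = sign_rrset(soa[0], soa[1], zone[soa], now, now + validity, key)
    return new


def soa_serial(zone):
    return int(zone[soa_key(zone)][0].split()[2])


def needs_transfer(old_zone, old_sigs, new_zone, new_sigs):
    """Secondary side: transfer if the serial changed or the SOA RRSIG changed."""
    return (soa_serial(new_zone) != soa_serial(old_zone)
            or new_sigs[soa_key(new_zone)] != old_sigs[soa_key(old_zone)])


def changed_fraction(old_sigs, new_sigs):
    """Share of RRsets whose signature changed: a rough measure of how much an
    IXFR would have to carry compared to a full AXFR."""
    changed = sum(1 for k in old_sigs if old_sigs[k] != new_sigs[k])
    return changed / len(old_sigs)


if __name__ == "__main__":
    s0 = sign_zone(ZONE, inception=1000, validity=1000, jitter=100)
    full = sign_zone(ZONE, inception=2000, validity=1000, jitter=100)
    print("full resign: transfer needed:", needs_transfer(ZONE, s0, ZONE, full),
          "changed fraction:", changed_fraction(s0, full))
    inc = resign(ZONE, s0, now=1500, validity=1000, refresh=550)
    print("incremental resign: transfer needed:", needs_transfer(ZONE, s0, ZONE, inc),
          "changed fraction:", changed_fraction(s0, inc))
```

With the constructed timings, a full re-sign changes every signature while the serial stays at 2011020301, so a serial-only secondary would never notice; the incremental run re-signs only the one RRset that is about to expire and then the SOA, so the SOA RRSIG flags the change and the transfer stays small.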