[Dnssec-deployment] SOA serial number changes on resigning thoughts
marka at isc.org
Thu Feb 3 19:41:21 EST 2011
In message <82r5bpqq6d.fsf at mid.bfk.de>, Florian Weimer writes:
> * Mark Andrews:
> > In message <82hbcls8e5.fsf at mid.bfk.de>, Florian Weimer writes:
> >> * Jan-Piet Mens:
> >> > Would it be possible to, say, (optionally) insert a new TXT RR (along =
> >> 's
> >> > idea), containing the original serial received by the signer?
> >> The slaves could just check the RRSIGs on the SOA record for changes,
> >> in addition to the serial, and the signer could make sure that the SOA
> >> record is resigned as well if any signature changes. If you follow
> >> this protocol, no additional zone contents is required.
> > Only if you want to AXFR the zone every time. IXFR needs the serial to
> > be sent.
> I'm not sure if this is an issue in Bert's case. If you resign from
> scratch, at least three quarters of the RRsets change anyway, so IXFR
> is not very effective.
That assumes you don't keep the old signature around and don't reuse
those that don't need to be updated. If you update a signature
every 10 days and the zone is updated once a day IXFR is 20% of a
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the Dnssec-deployment