[Dnssec-deployment] SOA serial number changes on resigning thoughts
Mark Andrews
marka at isc.org
Thu Feb 3 19:41:21 EST 2011
In message <82r5bpqq6d.fsf at mid.bfk.de>, Florian Weimer writes:
> * Mark Andrews:
>
> > In message <82hbcls8e5.fsf at mid.bfk.de>, Florian Weimer writes:
> >> * Jan-Piet Mens:
> >>
> >> > Would it be possible to, say, (optionally) insert a new TXT RR (along Jim's
> >> > idea), containing the original serial received by the signer?
> >>
> >> The slaves could just check the RRSIGs on the SOA record for changes,
> >> in addition to the serial, and the signer could make sure that the SOA
> >> record is resigned as well if any signature changes. If you follow
> >> this protocol, no additional zone contents is required.
> >
> > Only if you want to AXFR the zone every time. IXFR needs the serial to
> > be sent.
>
> I'm not sure if this is an issue in Bert's case. If you resign from
> scratch, at least three quarters of the RRsets change anyway, so IXFR
> is not very effective.
That assumes you don't keep the old signature around and don't reuse
those that don't need to be updated. If you update a signature
every 10 days and the zone is updated once a day IXFR is 20% of a
AXFR.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
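The two positions in this thread (re-signing from scratch makes IXFR nearly useless; keeping valid signatures and refreshing only the expiring ones keeps IXFR small) can be checked with a small model. The following is an added example, not code from the list or from any signer implementation: it assumes a simplified zone with one data record and one RRSIG per RRset, a fixed signature lifetime, and an IXFR that lists every record removed and every record added; zone size, edit rate and day numbers are made-up parameters.

```python
# Constructed model of two DNSSEC re-signing strategies and the IXFR each produces.
# Assumptions (not from the thread): one data record + one RRSIG per RRset,
# signatures refreshed on the day they reach their expiry, IXFR = deletions + additions.
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class RRset:
    name: str
    data_version: int   # bumped when the zone editor changes the RRset
    sig_expiry: int     # day on which the current RRSIG expires


def build_zone(n_rrsets: int, sig_lifetime: int) -> list[RRset]:
    """Zone whose initial signatures expire evenly spread over the lifetime,
    as a signer that jitters expiry times would produce."""
    return [RRset(f"rr{i}", 0, i % sig_lifetime) for i in range(n_rrsets)]


def axfr_size(zone: list[RRset]) -> int:
    """Records in a full transfer: data + RRSIG per RRset, plus SOA and its RRSIG."""
    return 2 * len(zone) + 2


def resign(zone: list[RRset], day: int, sig_lifetime: int,
           changed: set[str], from_scratch: bool = False) -> int:
    """Apply one day's edits, re-sign, and return the IXFR size for that day.

    from_scratch=True regenerates every RRSIG (the "resign from scratch" case).
    Otherwise only RRSIGs that expire today or whose data changed are replaced."""
    ixfr = 0
    for rr in zone:
        data_changed = rr.name in changed
        if data_changed:
            rr.data_version += 1
            ixfr += 2                       # old data record out, new one in
        if from_scratch or data_changed or rr.sig_expiry <= day:
            rr.sig_expiry = day + sig_lifetime
            ixfr += 2                       # old RRSIG out, new RRSIG in
    ixfr += 2 + 2                           # SOA serial bump and its RRSIG always change
    return ixfr


def simulate(days: int = 30, n_rrsets: int = 1000, sig_lifetime: int = 10,
             edits_per_day: int = 5, from_scratch: bool = False) -> float:
    """Average daily IXFR size as a fraction of an AXFR of the same zone.
    Edits rotate through the zone so that different RRsets change each day."""
    zone = build_zone(n_rrsets, sig_lifetime)
    total = 0
    for day in range(days):
        changed = {f"rr{(day * edits_per_day + k) % n_rrsets}"
                   for k in range(edits_per_day)}
        total += resign(zone, day, sig_lifetime, changed, from_scratch)
    return total / (days * axfr_size(zone))


if __name__ == "__main__":
    print(f"from scratch: IXFR/AXFR = {simulate(from_scratch=True):.2f}")
    print(f"incremental:  IXFR/AXFR = {simulate(from_scratch=False):.2f}")
```

With these parameters the from-scratch strategy produces a daily IXFR slightly larger than an AXFR (every RRSIG is listed twice, once deleted and once added), while incremental refreshing with a 10-day lifetime touches roughly a tenth of the RRSIGs per day and the IXFR stays around a tenth of the AXFR; the exact figure depends on how the signer spreads expiry times and on the edit rate, which is the point of the disagreement above.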