[Dnssec-deployment] SOA serial number changes on resigning thoughts
pawal at blipp.com
Fri Feb 4 04:19:12 EST 2011
Within the OpenDNSSEC project we have given this a lot of thought. There are many scenarios where you have different strategies with regards to serial numbers, the provisioning of the zone file, and what should happen when there is a new zone file.
OpenDNSSEC is an automated software that takes care of the signing. So the most common use for zones that does not change much is to have the "unixtime" or "datecounter" option which makes OpenDNSSEC take over the serial number, irregardless of what the input serial is.
Then there is the "counter" option, which consider both the input serial number, but can also make OpenDNSSEC increase the serial if needed.
And finally, for large zones which is updated at predictable intervals, there is the "keep" options. With this options, OpenDNSSEC won't touch the zone unless the serial has changed, and only then can we resign the zone. This means that the operator of the system must provide new updated zone files in order for OpenDNSSEC to output a zone with refreshed signatures.
If you have a lot of updates as you describe, maybe the "unixtime" option would be best suited as an example here.
More information about the Dnssec-deployment