Thanks for your response. My intent is to accomplish exactly what you stated, i.e. to create new zonefiles at regular intervals.<br><br>However, I observed a couple of things, as discussed below. It would be nice if you could provide some feedback.<br>
<br>1) If a sign zone is issued without an
increment to the serial number, the error message is of the form
"Cannot keep input serial(<x>), output serial is too large" and
not "Serial setting is set to 'keep', but input serial has not
increased" as one would ideally expect.<br>
<br>This seems to be due to the fact that negative and zero return
values from compare_serial are being treated equivalently by
perform_action in signer/signer_engine/Zone.py and both result in the
first error message.<br>
<br>2) When the zone is being signed the very first time *and* the
serial number in the unsigned file is greater than 2^31-1, the same
error message "Cannot keep input serial(<x>), output serial 0 is
too large" is seen and the signing is aborted.<br>
<br>I think this is caused by the fact that a .serial file is still not
present in the working directory (default /var/opendnssec/tmp) and
get_output_serial in Zone.py returns zero when a .serial file is not
present. In sequence number arithmetic, zero is greater than any
x>2^31-1. So compare_serial reports that the output serial of zero
is larger than the input serial x from the unsigned file.<br>
A crude way to work around this is to make compare_serial say that any
serial number is greater than a serial number of zero. But then zero
cannot be used as a valid serial number.<br><br>I have attached a zip file (z.zip) containing Zone.py from the 1.0.0 tar and a modified Zone.py.modif to explain the above. There might be other places like
find_serial that need to be considered similarly.<br><br>Regards,<br>Anirban<br><br><br><div class="gmail_quote">2010/5/3 Patrik Wallström <span dir="ltr"><<a href="mailto:patrik.wallstrom@iis.se">patrik.wallstrom@iis.se</a>></span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><div></div><div class="h5"><br>
On May 2, 2010, at 9:25 PM, Anirban Mukherjee wrote:<br>
<br>
> Is it correct to expect the following if SOA Serial is set to "keep"<br>
> in the concerned policy ?<br>
><br>
> i) The very first time a zone is signed, the SOA serial of the signed<br>
> file will be the same as that of the unsigned file.<br>
><br>
> ii) Post the first-time signing, if a sign zone command is issued<br>
> without incrementing the serial number of the unsigned file, the<br>
> signing fails with an error saying that the serial number has not<br>
> increased i.e. an attempt to resign a zone fails unless the serial<br>
> number has been incremented.<br>
<br>
</div></div>Yes, this is correct. The purpose of the keep option is to only sign a zone if the zone has been updated as indicated by the incoming SOA serial. This is useful for a TLD for example, which creates new zonefiles at regular intervals.<br>
<font color="#888888"><br>
--<br>
Patrik Wallström<br>
Project Manager, R&D<br>
.SE (Stiftelsen för Internetinfrastruktur)<br>
E-mail: <a href="mailto:patrik.wallstrom@iis.se">patrik.wallstrom@iis.se</a><br>
Web: <a href="http://www.iis.se/" target="_blank">http://www.iis.se/</a><br>
<br>
<br>
<br>
</font></blockquote></div><br>
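The two observations in the thread (a zero comparison result collapsed into the "too large" error, and a missing .serial file read back as serial 0, which RFC 1982 arithmetic ranks above every serial greater than 2^31-1) can be reproduced with a small stand-alone model of the check. The code below is an added example written for this page; it is not OpenDNSSEC's Zone.py, and the names compare_serial, keep_serial_as_reported, keep_serial, read_output_serial and keep_result, as well as the "&lt;zone&gt;.serial" file-name scheme, are this example's own assumptions, not the project's API. It places the reported behaviour next to a variant that treats "no .serial file yet" as a distinct state rather than as 0, so that zero stays a valid serial.

```python
"""RFC 1982 serial arithmetic and a SOA Serial 'keep' check (illustration).

Added example, not OpenDNSSEC's Zone.py. Function names and the
'<zone>.serial' file layout are assumptions made for this example.
"""
import os

MODULUS = 1 << 32   # serials are 32-bit
HALF = 1 << 31      # 2**31: the RFC 1982 "half the space" boundary


class SerialError(Exception):
    """Raised when signing must be refused because of the SOA serial."""


def compare_serial(a, b):
    """RFC 1982 sequence-number comparison of two 32-bit serials.

    Returns -1 if a < b, 1 if a > b, 0 if a == b, and None when the
    comparison is undefined (a and b differ by exactly 2**31).
    """
    a %= MODULUS
    b %= MODULUS
    if a == b:
        return 0
    forward = (b - a) % MODULUS      # distance walking upward from a to b
    if forward == HALF:
        return None
    return -1 if forward < HALF else 1


def keep_serial_as_reported(input_serial, output_serial):
    """Model of the behaviour described in the thread: a missing .serial
    file is taken as 0, and results 0 and -1 share one error message."""
    if output_serial is None:
        output_serial = 0            # missing file -> serial 0 (the problem)
    cmp = compare_serial(input_serial, output_serial)
    if cmp is None or cmp <= 0:      # 'not increased' and 'too large' collapse
        raise SerialError(
            "Cannot keep input serial(%d), output serial %d is too large"
            % (input_serial, output_serial))
    return input_serial


def keep_serial(input_serial, output_serial):
    """Variant argued for in the thread: None means 'no previously signed
    zone', so the first signing keeps the input serial whatever its value,
    and the equal and too-large cases get distinct messages."""
    if output_serial is None:
        return input_serial          # first signing: nothing to compare with
    cmp = compare_serial(input_serial, output_serial)
    if cmp is None:
        raise SerialError(
            "Cannot compare input serial %d with output serial %d"
            % (input_serial, output_serial))
    if cmp == 0:
        raise SerialError(
            "Serial setting is set to 'keep', but input serial has not increased")
    if cmp < 0:
        raise SerialError(
            "Cannot keep input serial(%d), output serial %d is too large"
            % (input_serial, output_serial))
    return input_serial


def read_output_serial(workdir, zone):
    """Serial of the last signed zone, or None if no .serial file exists yet.
    The '<zone>.serial' file name is an assumption of this example."""
    path = os.path.join(workdir, zone + ".serial")
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return int(f.read().strip()) % MODULUS


def keep_result(check, input_serial, output_serial):
    """Run a keep check; return ('ok', serial) or ('error', message)."""
    try:
        return ("ok", check(input_serial, output_serial))
    except SerialError as e:
        return ("error", str(e))


if __name__ == "__main__":
    first = 2 ** 31 + 5   # first signing with a serial above 2**31-1
    print("reported:", keep_result(keep_serial_as_reported, first, None))
    print("proposed:", keep_result(keep_serial, first, None))
    print("resign without bump:", keep_result(keep_serial, 42, 42))
    print("wrap past 2**32-1:", keep_result(keep_serial, 0, 0xFFFFFFFF))
```

Running it shows the reported variant refusing the first signing of a zone whose serial is 2^31+5 because "output serial 0 is too large", while the variant that distinguishes "no previous output" from 0 keeps that serial, reports a non-incremented resign as "has not increased", and still accepts serial 0 as the successor of 2^32-1.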