[Opendnssec-commits] [keihatsu.kirei.se/svn/dnssec] r3650 - in branches/OpenDNSSEC-1.1: . signer/signer_engine

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Aug 5 14:34:15 CEST 2010


Author: matthijs
Date: 2010-08-05 14:34:15 +0200 (Thu, 05 Aug 2010)
New Revision: 3650

Modified:
   branches/OpenDNSSEC-1.1/NEWS
   branches/OpenDNSSEC-1.1/signer/signer_engine/Zone.py
Log:
trac #165 



Modified: branches/OpenDNSSEC-1.1/NEWS
===================================================================
--- branches/OpenDNSSEC-1.1/NEWS	2010-08-05 12:24:46 UTC (rev 3649)
+++ branches/OpenDNSSEC-1.1/NEWS	2010-08-05 12:34:15 UTC (rev 3650)
@@ -3,10 +3,15 @@
 OpenDNSSEC 1.1 branch
 
 * Dnsruby 1.48 now required (for correct zone parsing)
+* ldns 1.6.6 is required to fix the zone fetcher bug
 
 Bugfixes:
 * ods-control stop did not stopped zone fetcher (bug was introduced in 1.1.0)
 * Auditor correctly handles chains of empty nonterminals
+* Zone fetcher can block zone transfers if AXFR once failed. This is a bug
+  in ldns versions 1.6.5 and lower. See KNOWN_ISSUES for more information.
+* Bugreport #165: Ensure Output SOA serial is always bigger than Input SOA
+  serial.
 
 OpenDNSSEC 1.1.1 - 2010-07-08
 
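Review bot: The two ldns entries added here (the "ldns 1.6.6 is required" line and the zone fetcher bugfix) are not covered by the log message, which only says "trac #165", and the modified files are NEWS and Zone.py only, so nothing in this commit enforces the new ldns minimum or touches the KNOWN_ISSUES file the entry points to. Either mention them in the log (for example as a merge from another branch) or commit them separately. The #165 entry would also be more useful if it said which serial settings are affected.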

Modified: branches/OpenDNSSEC-1.1/signer/signer_engine/Zone.py
===================================================================
--- branches/OpenDNSSEC-1.1/signer/signer_engine/Zone.py	2010-08-05 12:24:46 UTC (rev 3649)
+++ branches/OpenDNSSEC-1.1/signer/signer_engine/Zone.py	2010-08-05 12:34:15 UTC (rev 3650)
@@ -530,9 +530,19 @@
            and 'keep'."""
         soa_serial = None
         serial_file = self.get_zone_tmp_filename(".serial")
+        # RvR: in the case where you are switching from serving
+        #      a zone directly to bump-in-the-wire mode, it is
+        #      a necessity to take the serial from the input zone
+        #      if that is larger than the last used serial. This
+        #      ensures that downstream public primaries/secondaries
+        #      will never miss an update; this behaviour has been
+        #      implemented below (old behaviour was to always take
+        #      the previously used serial as starting point which
+        #      was set to 0 in case of no previously available
+        #      serial)
         if self.zone_config.soa_serial == "unixtime":
             soa_serial = int(time.time())
-            prev_serial = self.get_output_serial()
+            prev_serial = max(self.get_output_serial(), self.get_input_serial())
             if self.compare_serial(prev_serial, soa_serial) <= 0:
                 soa_serial = prev_serial + 1
             update_serial = soa_serial - prev_serial
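Review bot: max(self.get_output_serial(), self.get_input_serial()) on the changed line compares the two serials as plain integers, while the very next line goes through self.compare_serial(); if compare_serial exists to handle serial wraparound, max() can pick the wrong value once either serial has wrapped. Suggest selecting the larger value with compare_serial as well. The new comment block also sits above the "unixtime" branch although it describes all three changed branches, and the "RvR:" prefix and the description of the old behaviour belong in the log message rather than in the source.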
@@ -540,7 +550,7 @@
             soa_serial = self.get_input_serial()
             # it must be larger than the output serial!
             # otherwise updates won't be accepted
-            prev_serial = self.get_output_serial()
+            prev_serial = max(self.get_output_serial(), self.get_input_serial())
             if self.compare_serial(prev_serial, soa_serial) <= 0:
                 soa_serial = prev_serial + 1
             update_serial = soa_serial - prev_serial
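Review bot: With prev_serial now including get_input_serial(), the check below the changed line looks like it always triggers in this branch, because soa_serial is itself get_input_serial() and so can never be ahead of max(output, input) as a plain integer. If compare_serial(prev_serial, soa_serial) <= 0 is meant to fire whenever soa_serial is not ahead of prev_serial, as the comment above it says, the input serial is never emitted unchanged and the result is always prev_serial + 1. If that is intended (the NEWS entry suggests so), drop the conditional and update the "it must be larger than the output serial!" comment to mention the input serial; if not, keep prev_serial = self.get_output_serial() in this branch.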
@@ -548,7 +558,7 @@
             # if current output serial >= <date>00,
             # just increment by one
             soa_serial = int(time.strftime("%Y%m%d")) * 100
-            prev_serial = self.get_output_serial()
+            prev_serial = max(self.get_output_serial(), self.get_input_serial())
             if self.compare_serial(prev_serial, soa_serial) <= 0:
                 soa_serial = prev_serial + 1
             update_serial = soa_serial - prev_serial
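Review bot: update_serial = soa_serial - prev_serial on the last line of this hunk (and of the two hunks above) is now measured from the larger of the input and output serial, not from the last output serial. If update_serial is later applied as an increment to the stored output serial, the resulting serial falls short of soa_serial whenever the input serial was the larger one; please check its consumers or compute it from self.get_output_serial() explicitly. The comment "if current output serial >= <date>00" is also stale now that prev_serial may be the input serial, and the same max(...) expression appears three times, so a small helper would keep the branches in sync.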



