[Opendnssec-develop] Re: [OpenDNSSEC] #31: keepcounter serial option

OpenDNSSEC owner-dnssec-trac at kirei.se
Wed Sep 30 12:03:58 UTC 2009

#31: keepcounter serial option
Reporter:  opendnssec.simon at arlott.org  |        Owner:  matthijs
    Type:  enhancement                  |       Status:  closed  
Priority:  minor                        |    Component:  Signer  
 Version:  trunk                        |   Resolution:  fixed   
Keywords:                               |  

Comment(by opendnssec.simon at arlott.org):

 I'm only using the keepcounter version, so it won't affect me, but counter
 is distinct from keepcounter.

 If it's not used carefully (e.g. input serial stays at "1" forever), then
 eventually it will change meaning from being behind the output serial to
 being ahead of the output serial. When this happens, the output serial
 will jump forward the maximum possible amount and any slave nameservers
 that miss that update will become out of sync.

 If the input serial is always 1, then the output serial will be:
 2147483648 (after 1), 2147483649 (equal to 1), 2147483650 (before 1), 1,
 2, 3.

 If a slave nameserver misses the updates when this happens, it'll look
 like the master has an old serial.

 The behaviour of "keepcounter" requires that the input and output serials
 will not get too far out of sync. If the zone is going to change
 frequently (perhaps because it has many thousands of RRs that will need to
 be resigned) and the input serial is rarely changed, or is changed at a
 different rate from the output serial (input+1 for every new/changed RR
 will not be the same as the output+1 for every re-signed RR), then this
 could happen... but it does require over 2 billion re-signings of the

 The correct serial in this case would of course be "unixtime", but that
 may not be obvious, and a pure "count + 1 on each change" might be
 desired, which is no longer possible.

Ticket URL: <http://trac.opendnssec.org/ticket/31#comment:5>
OpenDNSSEC <http://www.opendnssec.org/>

More information about the Opendnssec-develop mailing list