[Opendnssec-develop] Re: [OpenDNSSEC] #31: keepcounter serial option
OpenDNSSEC
owner-dnssec-trac at kirei.se
Wed Sep 30 12:03:58 UTC 2009
#31: keepcounter serial option
----------------------------------------+-----------------------------------
Reporter: opendnssec.simon at arlott.org | Owner: matthijs
Type: enhancement | Status: closed
Priority: minor | Component: Signer
Version: trunk | Resolution: fixed
Keywords: |
----------------------------------------+-----------------------------------
Comment(by opendnssec.simon at arlott.org):
I'm only using the keepcounter version, so it won't affect me, but counter
is distinct from keepcounter.
If it's not used carefully (e.g. input serial stays at "1" forever), then
eventually it will change meaning from being behind the output serial to
being ahead of the output serial. When this happens, the output serial
will jump forward the maximum possible amount and any slave nameservers
that miss that update will become out of sync.
If the input serial is always 1, then the output serial will be:
2147483648 (after 1), 2147483649 (equal to 1), 2147483650 (before 1), 1,
2, 3.
If a slave nameserver misses the updates when this happens, it'll look
like the master has an old serial.
The behaviour of "keepcounter" requires that the input and output serials
will not get too far out of sync. If the zone is going to change
frequently (perhaps because it has many thousands of RRs that will need to
be resigned) and the input serial is rarely changed, or is changed at a
different rate from the output serial (input+1 for every new/changed RR
will not be the same as the output+1 for every re-signed RR), then this
could happen... but it does require over 2 billion re-signings of the
zone.
The correct serial in this case would of course be "unixtime", but that
may not be obvious, and a pure "count + 1 on each change" might be
desired, which is no longer possible.
--
Ticket URL: <http://trac.opendnssec.org/ticket/31#comment:5>
OpenDNSSEC <http://www.opendnssec.org/>
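The wrap-around the comment describes follows directly from RFC 1982 serial number arithmetic: two 32-bit serials compare as "ahead" or "behind" only while they are less than 2^31 apart, and the relation flips once the gap crosses that boundary. The following is an added example, not code from the ticket or from OpenDNSSEC. It implements the RFC 1982 comparison, a simplified model of a "counter" policy (increment the last output, but restart from the input serial whenever the input is ahead of it; this models the comment's sequence and is an assumption, not OpenDNSSEC's implementation), and the check a slave makes before deciding to transfer. The function names are ours.

```python
"""RFC 1982 serial arithmetic and the "counter" wrap-around from the ticket.

Added example, not OpenDNSSEC code. The counter policy below is an assumed
model chosen to reproduce the sequence given in the comment.
"""

SERIAL_BITS = 32
MOD = 1 << SERIAL_BITS            # serials live in [0, 2^32)
HALF = 1 << (SERIAL_BITS - 1)     # 2^31: the largest distance that is still ordered


def serial_add(serial, n):
    """RFC 1982 section 3.1: add n (0 <= n < 2^31) to a serial, modulo 2^32."""
    if not 0 <= n < HALF:
        raise ValueError("addend must be in [0, 2^31)")
    return (serial + n) % MOD


def serial_compare(a, b):
    """RFC 1982 section 3.2 comparison.

    Returns -1 if a is behind b, 1 if a is ahead of b, 0 if equal, and
    None when the two differ by exactly 2^31 (undefined in the RFC).
    """
    if a == b:
        return 0
    distance = (b - a) % MOD          # how far b is "in front of" a, mod 2^32
    if distance == HALF:
        return None
    return -1 if distance < HALF else 1


def next_counter_serial(input_serial, prev_output):
    """One signing step of the assumed counter policy.

    If the (unsigned) input serial is ahead of the last output serial,
    restart from the input; otherwise increment the last output.
    """
    if serial_compare(input_serial, prev_output) == 1:
        return input_serial
    return serial_add(prev_output, 1)


def simulate_counter(input_serial, start_output, steps):
    """Re-sign `steps` times with a fixed input serial; return the output serials."""
    outputs = []
    prev = start_output
    for _ in range(steps):
        prev = next_counter_serial(input_serial, prev)
        outputs.append(prev)
    return outputs


def slave_needs_transfer(slave_serial, master_serial):
    """A slave transfers only when the master's serial is strictly ahead of its own."""
    return serial_compare(slave_serial, master_serial) == -1


if __name__ == "__main__":
    # Input serial stuck at 1, output serial approaching 2^31 (constructed scenario).
    print(simulate_counter(1, 2147483647, 6))
    # A slave that last transferred at 2147483000 and missed the wrap sees
    # master serial 3 as older than its own copy and never catches up.
    print(slave_needs_transfer(2147483000, 3))
```

Running it reproduces the comment's sequence (2147483648, 2147483649, 2147483650, 1, 2, 3) and shows the consequence: a slave still holding serial 2147483000 compares master serial 3 as behind it and will not transfer, while a slave that saw 2147483650 does treat 1 as newer. The comparison's `None` result is where "equal to 1" in the comment sits; the RFC leaves that case undefined, so an implementation must pick a side and document it.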