[Opendnssec-develop] [OpenDNSSEC] #133: Issues with SOA serial "keep" mode

OpenDNSSEC owner-dnssec-trac at kirei.se
Wed May 12 17:45:47 UTC 2010

#133: Issues with SOA serial "keep" mode
Reporter:  Anirban Mukherjee <amukherj@…>          |       Owner:  matthijs
    Type:  defect                                  |      Status:  new     
Priority:  major                                   |   Component:  Signer  
 Version:  trunk                                   |    Keywords:          

 1) If a sign zone is issued without an increment to the serial number, the
 error message is of the form "Cannot keep input serial(<x>), output serial
 is too large" and not "Serial setting is set to 'keep', but input serial
 has not increased" as one would ideally expect.

 This seems to be due to the fact that negative and zero return values from
 compare_serial are being treated equivalently by perform_action in
 signer/signer_engine/Zone.py and both result in the first error message.

 2) When the zone is being signed the very first time '''and''' the serial
 number in the unsigned file is greater than {{{2^31-1}}}, the same error
 message "Cannot keep input serial(<x>), output serial 0 is too large" is
 seen and the signing is aborted.

 I think this is caused by the fact that a .serial file is still not
 present in the working directory (default /var/opendnssec/tmp) and
 get_output_serial in Zone.py returns zero when a .serial file is not
 present. In sequence number arithmetic, zero is greater than any
 x>{{{2^31-1}}}. So compare_serial reports that the output serial of zero
 is larger than the input serial x from the unsigned file.
 A crude way to work around this is to make compare_serial say that any
 serial number is greater than a serial number of zero. But then zero
 cannot be used as a valid serial number.

 I have attached a modified Zone.py.modif and Zone.py.orig whose diff may
 be used to explain the above. There might be other places like find_serial
 that need to be considered similarly.

Ticket URL: <http://trac.opendnssec.org/ticket/133>
OpenDNSSEC <http://www.opendnssec.org/>
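
The two cases in the ticket above, as an added example that is not OpenDNSSEC's Zone.py or the attached diff: an RFC 1982 serial comparison plus a "keep" check that separates "equal" from "smaller" and treats a missing .serial file as "never signed" instead of serial 0. The name compare_serial is borrowed from the ticket; check_keep, its status strings and the None convention are assumptions made for illustration.

```python
# Added illustration; not code from OpenDNSSEC. Names and return values are assumed.
MOD = 2 ** 32    # SOA serials are 32-bit
HALF = 2 ** 31   # RFC 1982: ordering is undefined when serials differ by exactly 2^31

def compare_serial(a, b):
    """RFC 1982 comparison: 1 if a > b, -1 if a < b, 0 if equal, None if undefined."""
    a %= MOD
    b %= MOD
    if a == b:
        return 0
    diff = (a - b) % MOD
    if diff == HALF:
        return None
    return 1 if diff < HALF else -1

def check_keep(input_serial, output_serial):
    """Decide whether 'keep' mode may reuse the input serial.

    output_serial is None when no .serial file exists yet (first signing),
    so a real previous serial of 0 stays distinguishable from 'no previous serial'.
    """
    if output_serial is None:
        return "first_signing"
    cmp = compare_serial(input_serial, output_serial)
    if cmp == 0:
        return "not_increased"   # issue 1: equal serials get their own result
    if cmp is None:
        return "undefined"       # serials exactly 2^31 apart cannot be ordered
    if cmp < 0:
        return "output_larger"   # input serial went backwards
    return "keep"

if __name__ == "__main__":
    # Constructed sample serials, not taken from a real zone.
    for inp, out in [(2010051201, 2010051201), (2010051200, 2010051201),
                     (3000000000, 0), (3000000000, None), (5, 4294967290)]:
        print(inp, out, check_keep(inp, out))
```

Passing 0 for a missing .serial file reproduces the second issue: check_keep(3000000000, 0) reports "output_larger", while passing None lets the first signing proceed.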
