[Opendnssec-develop] SOA serial arithmetics
Matthijs Mekking
matthijs at NLnetLabs.nl
Thu Jan 20 09:42:40 UTC 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Patrik,
This probably happens the first time the signer has to deal with the
zone. The first time a zone is loaded in OpenDNSSEC, it will internally
get the serial 0.
According to RFC 1982, section 3.1:
Serial numbers may be incremented by the addition of a positive
integer n, where n is taken from the range of integers [0 ..
(2^(SERIAL_BITS - 1) - 1)]. ...
Addition of a value outside the range is undefined.
To conclude, the behavior of adding a value larger than 2147483647
((2^31)-1) is undefined.
OpenDNSSEC checks accordingly RFC 1982 if the inbound serial is larger
than its internal serial. That's why the error message appears.
How to resolve?
1. First present the zone to OpenDNSSEC with a serial <= (2^31)-1.
Update the serial to the value you want > (2^31)-1 and run
ods-signer sign <zone>
2. I could make code that initializes a domain. If not initialized, no
serial number is known and any serial number is allowed. However, I
am not sure if this will raise less or more issues.
Best regards,
Matthijs
On 01/19/2011 01:50 PM, Patrik Wallström wrote:
> I am currently working with a number of zones that have serial numbers that are larger than 2147483647. See RFC1982 on the arithmetics. (I am using 1.2.0 for these tests.)
>
> What my experience so far is that the ods-signer does not believe those serials are larger than 0 when using the serial "keep" option. I believe this to be incorrect. And increments after those larger numbers are also supposed to be larger than the previous increment (but I have not checked this yet in ods), regardless of those serials being larger than 2147483647. First, am I correct in assuming this? I believe that this is how BIND handles zone transfers.
>
> Can somebody please take a look at this?
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEcBAEBAgAGBQJNOAOPAAoJEA8yVCPsQCW5XfsIAINjrxxTbXnhAmsCA6ilvz04
Rsfcn5LAaOZ9puMYVjt1qJbbxqHI+/xFFXBs3L1crYAu8zRSxXqaCwRYciHdC8Fw
DFLesIi9YPodwxG35FYpSZY47RG1wcZX1qwvFgTu0PHIiP7vlRRLtJI8qnFTxffo
zGCK1ChBklBZ5Qub4GbMKUGCeZ8Vm7TnqYWm82mhrh0LchvUMcFbsOAQzLV+OX7M
QH5KJlTlxiCgELrOYv3h3HsOIpcyb0OWv2G9lrAE7SQCVds92vz4vFYGCdl4eq6O
bhN8YDVDMR2V3Xx+vmbyl9PsX2T8vBlLOYnyJnLoYvZ1SDbRgx+7t+BAKe6UHX0=
=6eo8
-----END PGP SIGNATURE-----
More information about the Opendnssec-develop
mailing list