[Opendnssec-develop] SOA serial arithmetics

Matthijs Mekking matthijs at NLnetLabs.nl
Thu Jan 20 09:42:40 UTC 2011

Hi Patrik,

This probably happens the first time the signer has to deal with the
zone. The first time a zone is loaded in OpenDNSSEC, it will internally
get the serial 0.

According to RFC 1982, section 3.1:

 Serial numbers may be incremented by the addition of a positive
 integer n, where n is taken from the range of integers [0 ..
 (2^(SERIAL_BITS - 1) - 1)]. ...

 Addition of a value outside the range is undefined.

To conclude, the behavior of adding a value larger than 2147483647
((2^31)-1) is undefined.

OpenDNSSEC checks, according to RFC 1982, whether the inbound serial is larger
than its internal serial. That's why the error message appears.

How to resolve?
1. First present the zone to OpenDNSSEC with a serial <= (2^31)-1.
   Update the serial to the value you want > (2^31)-1 and run
   ods-signer sign <zone>

2. I could make code that initializes a domain. If not initialized, no
   serial number is known and any serial number is allowed. However, I
   am not sure if this will raise less or more issues.

Best regards,


On 01/19/2011 01:50 PM, Patrik Wallström wrote:
> I am currently working with a number of zones that have serial numbers that are larger than 2147483647. See RFC1982 on the arithmetics. (I am using 1.2.0 for these tests.)
> My experience so far is that the ods-signer does not believe those serials are larger than 0 when using the serial "keep" option. I believe this to be incorrect. And increments after those larger numbers are also supposed to be larger than the previous increment (but I have not checked this yet in ods), regardless of those serials being larger than 2147483647. First, am I correct in assuming this? I believe that this is how BIND handles zone transfers.
> Can somebody please take a look at this?
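The RFC 1982 comparison discussed in this thread, as an added example that is not part of either message and is not OpenDNSSEC's code: it shows why a serial above (2^31)-1 does not compare as larger than 0, and why going through an intermediate serial works. The function names and the sample serial 3000000000 are assumptions made for illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 1982 serial arithmetic with SERIAL_BITS = 32 (the SOA serial). */
#define SERIAL_HALF    0x80000000u  /* 2^(SERIAL_BITS - 1) */
#define SERIAL_MAX_ADD 0x7FFFFFFFu  /* largest defined increment, (2^31)-1 */

enum serial_cmp { SERIAL_LT = -1, SERIAL_EQ = 0, SERIAL_GT = 1, SERIAL_UNDEF = 2 };

/* Compare s1 with s2 per RFC 1982 section 3.2. */
enum serial_cmp serial_compare(uint32_t s1, uint32_t s2)
{
    uint32_t diff = s2 - s1;            /* unsigned, wraps modulo 2^32 */
    if (diff == 0) return SERIAL_EQ;
    if (diff == SERIAL_HALF) return SERIAL_UNDEF;  /* exactly 2^31 apart */
    return diff < SERIAL_HALF ? SERIAL_LT : SERIAL_GT;
}

/* Hypothetical helper: next serial to publish when moving from `current`
 * to `target` so that each step is a defined increase. */
uint32_t serial_next_step(uint32_t current, uint32_t target)
{
    enum serial_cmp c = serial_compare(current, target);
    if (c == SERIAL_LT || c == SERIAL_EQ) return target;
    return current + SERIAL_MAX_ADD;    /* go as far as is defined */
}

int main(void)
{
    uint32_t internal = 0;              /* first load, as described above */
    uint32_t wanted = 3000000000u;      /* constructed sample serial */
    int hops = 0;

    printf("compare(0, %" PRIu32 ") = %d\n", wanted,
           (int)serial_compare(internal, wanted));
    while (internal != wanted) {
        internal = serial_next_step(internal, wanted);
        printf("step %d: publish serial %" PRIu32 "\n", ++hops, internal);
    }
    return 0;
}
```
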

