[Opendnssec-develop] SOA serial arithmetics

Patrik Wallström patrik.wallstrom at iis.se
Thu Jan 20 09:50:15 UTC 2011

On Jan 20, 2011, at 10:42 AM, Matthijs Mekking wrote:

> Hi Patrik,
> This probably happens the first time the signer has to deal with the
> zone. The first time a zone is loaded in OpenDNSSEC, it will internally
> get the serial 0.
> According to RFC 1982, section 3.1:
> Serial numbers may be incremented by the addition of a positive
> integer n, where n is taken from the range of integers [0 ..
> (2^(SERIAL_BITS - 1) - 1)]. ...
> Addition of a value outside the range is undefined.
> To conclude, the behavior of adding a value larger than 2147483647
> ((2^31)-1) is undefined.
> OpenDNSSEC checks, according to RFC 1982, whether the inbound serial is larger
> than its internal serial. That's why the error message appears.
> How to resolve?
> 1. First present the zone to OpenDNSSEC with a serial <= (2^31)-1.
>   Update the serial to the value you want > (2^31)-1 and run
>   ods-signer sign <zone>
> 2. I could make code that initializes a domain. If not initialized, no
>   serial number is known and any serial number is allowed. However, I
>   am not sure if this will raise less or more issues.

As I believe that BIND already accepts initializing with incrementing serials with serial being > 2^31-1, I think we should also consider doing a change. Maybe it will be as simple as changing the initial internal serial 0 with 2^32-1.

Yes, the behavior is unidentified, and I asked the zone editors to change the serial standard they use in order to avoid this kind of problem when changing other systems in the zone distribution path.

Patrik Wallström
Project Manager, R&D
.SE (Stiftelsen för Internetinfrastruktur)
E-mail: patrik.wallstrom at iis.se
Web: http://www.iis.se/
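The RFC 1982 rules quoted in the reply, worked through in C as an added example (this is not OpenDNSSEC's or BIND's own code). It assumes, as the reply describes, that the signer accepts an inbound SOA serial only when it compares strictly greater than the internal serial, and reproduces the fresh-zone case (internal serial 0) together with the first workaround.

```c
#include <stdint.h>
#include <stdio.h>

/* RFC 1982 with SERIAL_BITS = 32: the largest n that may be added. */
#define SERIAL_MAX_ADD 0x7fffffffu   /* 2^31 - 1 */
#define SERIAL_HALF    0x80000000u   /* 2^31 */

enum serial_cmp { SERIAL_LT = -1, SERIAL_EQ = 0, SERIAL_GT = 1, SERIAL_UNDEF = 2 };

/* Compare two serials per RFC 1982 section 3.2. Returns SERIAL_UNDEF when
 * the values are exactly 2^31 apart: then neither one is greater. */
enum serial_cmp serial_compare(uint32_t i1, uint32_t i2)
{
    if (i1 == i2)
        return SERIAL_EQ;
    if ((i1 < i2 && i2 - i1 < SERIAL_HALF) || (i1 > i2 && i1 - i2 > SERIAL_HALF))
        return SERIAL_LT;
    if ((i1 < i2 && i2 - i1 > SERIAL_HALF) || (i1 > i2 && i1 - i2 < SERIAL_HALF))
        return SERIAL_GT;
    return SERIAL_UNDEF;
}

/* RFC 1982 section 3.1: serial + n with n in [0, 2^31-1], wrapping mod 2^32.
 * Returns 0 and leaves *out untouched when n is out of range (undefined). */
int serial_add(uint32_t s, uint32_t n, uint32_t *out)
{
    if (n > SERIAL_MAX_ADD)
        return 0;
    *out = s + n;   /* unsigned arithmetic wraps modulo 2^32 as required */
    return 1;
}

/* The check described in the reply (assumed to be strict): the signer accepts
 * an inbound SOA serial only if it compares greater than its internal serial. */
int inbound_serial_ok(uint32_t internal, uint32_t inbound)
{
    return serial_compare(inbound, internal) == SERIAL_GT;
}

int main(void)
{
    /* Fresh zone: internal serial 0, as in the thread. */
    printf("0 -> 2147483647: %d\n", inbound_serial_ok(0, 2147483647u)); /* 1 */
    printf("0 -> 2147483648: %d\n", inbound_serial_ok(0, 2147483648u)); /* 0: exactly 2^31 apart, undefined */
    printf("0 -> 4000000000: %d\n", inbound_serial_ok(0, 4000000000u)); /* 0: compares as less than 0 */
    /* Workaround 1 from the reply: go through a serial <= 2^31-1 first. */
    printf("2147483647 -> 2147483648: %d\n", inbound_serial_ok(2147483647u, 2147483648u)); /* 1 */
    return 0;
}
```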
