[Opendnssec-develop] SOA serial arithmetics
Patrik Wallström
patrik.wallstrom at iis.se
Thu Jan 20 09:50:15 UTC 2011
On Jan 20, 2011, at 10:42 AM, Matthijs Mekking wrote:
> Hi Patrik,
>
> This probably happens the first time the signer has to deal with the
> zone. The first time a zone is loaded in OpenDNSSEC, it will internally
> get the serial 0.
>
> According to RFC 1982, section 3.1:
>
> Serial numbers may be incremented by the addition of a positive
> integer n, where n is taken from the range of integers [0 ..
> (2^(SERIAL_BITS - 1) - 1)]. ...
>
> Addition of a value outside the range is undefined.
>
> To conclude, the behavior of adding a value larger than 2147483647
> ((2^31)-1) is undefined.
>
> OpenDNSSEC checks accordingly RFC 1982 if the inbound serial is larger
> than its internal serial. That's why the error message appears.
>
> How to resolve?
> 1. First present the zone to OpenDNSSEC with a serial <= (2^31)-1.
> Update the serial to the value you want > (2^31)-1 and run
> ods-signer sign <zone>
>
> 2. I could make code that initializes a domain. If not initialized, no
> serial number is known and any serial number is allowed. However, I
> am not sure if this will raise less or more issues.
As I believe that BIND already accepts initializing with incrementing serials with the serial being > 2^31-1, I think we should also consider doing a change. Maybe it will be as simple as changing the initial internal serial 0 to 2^32-1.
Yes, the behavior is unidentified, and I asked the zone editors to change the serial standard they use in order to avoid this kind of problem when changing other systems in the zone distribution path.
--
Patrik Wallström
Project Manager, R&D
.SE (Stiftelsen för Internetinfrastruktur)
E-mail: patrik.wallstrom at iis.se
Web: http://www.iis.se/
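As an added illustration (not code from OpenDNSSEC or from either poster), the RFC 1982 rules quoted in the message above, written out in Python together with the "is the inbound serial newer than the internal one?" check that produces the error; the inbound value 3000000000 is a constructed serial above (2^31)-1.

```python
# RFC 1982 serial-number arithmetic with SERIAL_BITS = 32, plus the signer-style
# check described in the thread. Added example; the helper names are my own.
SERIAL_BITS = 32
MODULUS = 1 << SERIAL_BITS
HALF = 1 << (SERIAL_BITS - 1)        # 2^31; (2^31)-1 is the largest defined increment


def serial_add(serial, n):
    """s + n as in RFC 1982 section 3.1; n outside [0, (2^31)-1] is undefined."""
    if not 0 <= n <= HALF - 1:
        raise ValueError(f"adding {n} is undefined under RFC 1982")
    return (serial + n) % MODULUS


def serial_compare(s1, s2):
    """-1 if s1 < s2, 0 if equal, 1 if s1 > s2, None if the order is undefined."""
    if s1 == s2:
        return 0
    forward = (s2 - s1) % MODULUS      # distance walking upwards from s1 to s2
    if forward == HALF:
        return None                    # exactly 2^31 apart: RFC 1982 leaves this undefined
    return -1 if forward < HALF else 1


def inbound_is_newer(internal, inbound):
    """The check the quoted message describes: accept only if inbound > internal."""
    return serial_compare(inbound, internal) == 1


def load_sequence(serials, internal=0):
    """Feed inbound serials to a signer whose internal serial starts at 0 (the
    first-load case from the thread). Returns [(inbound, accepted), ...] and
    advances the internal serial on every accepted load."""
    results = []
    for s in serials:
        ok = inbound_is_newer(internal, s)
        if ok:
            internal = s
        results.append((s, ok))
    return results


if __name__ == "__main__":
    big = 3000000000                   # constructed serial, larger than (2^31)-1
    print(load_sequence([big]))                    # rejected straight from serial 0
    print(load_sequence([HALF - 1, big]))          # resolution 1 from the thread: both accepted
```

Whatever the starting value S, the comparison only accepts inbound serials in the window (S, S + 2^31) mod 2^32, so the two-step load is what moves the window to where a large serial is reachable.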