reply: [Opendnssec-develop] signed serial > unsigned serial?

Matthijs Mekking matthijs at nlnetlabs.nl
Mon Oct 21 11:24:37 UTC 2013


On 09/11/2013 09:15 AM, wangguodong wrote:
> Hi,
> 
> I think there is a relationship between the signed zone and unsigned zone. 
> 
> Because in the New gTLD Applicant Guidebook, the registry's zone file should
> be accessed by a third party (AGB Specification 4, p. 43).

Is this requirement for the unsigned zone file or the signed zone file?

If it is for the unsigned zone file, there are many more requirements
this guidebook specifies which OpenDNSSEC also cannot guarantee. I
believe the guidebook talks about the zone file that gets loaded into
the name servers.


>
> So if a third party gets an unsigned zone, the unsigned zone's serial is
> higher than the current signed zone (can be dug from the internet), this may
> be a problem.
> 
> So as this, I think it's better to ensure the signed zone's serial is higher
> than the unsigned zone.

These things can be achieved with operational actions, right? For
example, use <SOA><Serial>keep</Serial></SOA> and maintain serial
management outside of OpenDNSSEC.

Best regards,
  Matthijs


> 
> 
> Warren
> 
> -----Original Message-----
> From: opendnssec-develop-bounces at lists.opendnssec.org
> [mailto:opendnssec-develop-bounces at lists.opendnssec.org] On Behalf Of Yuri Schaeffer
> Sent: September 10, 2013 22:38
> To: opendnssec-develop at lists.opendnssec.org
> Subject: Re: [Opendnssec-develop] signed serial > unsigned serial?
> 
>> Should the signed serial always be higher than the unsigned serial?
>> #OPENDNSSEC-446 #SUPPORT-73.
> 
> I do not agree with the reporter that ODS should follow the unsigned serial.
> As an admin you explicitly transfer the management responsibility to ODS.
> The way you describe it is now sounds like the sanest solution to me. The
> serial of an unpublished version of the zone is not relevant at all.
> 
> //Yuri
> 
> --
> Composed on an actual keyboard: all typos genuine.
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
> 
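
The serial relationship discussed in this thread can be checked operationally when serials are managed outside the signer. The following is an added example, not code from the thread or from OpenDNSSEC: it reads the SOA serial from an unsigned and a signed zone file and compares them with RFC 1982 serial arithmetic. The zone contents are constructed samples and the function names are hypothetical.

```python
import re

MOD = 1 << 32          # SOA serials are 32-bit (RFC 1982, SERIAL_BITS = 32)
HALF = 1 << 31

# "SOA <mname> <rname> [(] <serial>". The lookahead skips "RRSIG SOA <alg> ..."
# lines, where the token after SOA is a bare algorithm number.
SOA_RE = re.compile(r"\bSOA\s+(?!\d+\s)\S+\s+\S+\s+\(?\s*(\d+)", re.IGNORECASE)

# Constructed sample zones (not from the thread).
UNSIGNED = """\
example. 3600 IN SOA ns1.example. hostmaster.example. (
        2013102102 ; serial edited by the registry
        7200 3600 1209600 3600 )
"""
SIGNED = """\
example. 3600 IN RRSIG SOA 8 1 3600 20131104000000 20131021000000 12345 example. c2lnbmF0dXJl
example. 3600 IN SOA ns1.example. hostmaster.example. 2013102101 7200 3600 1209600 3600
"""


def soa_serial(zone_text):
    """Return the serial of the first SOA record in master-file text."""
    lines = zone_text.splitlines()
    no_comments = "\n".join(line.split(";", 1)[0] for line in lines)
    m = SOA_RE.search(no_comments)
    if m is None or int(m.group(1)) >= MOD:
        raise ValueError("no usable SOA serial found")
    return int(m.group(1))


def serial_compare(a, b):
    """RFC 1982: -1 if a < b, 0 if equal, 1 if a > b, None if undefined."""
    if a == b:
        return 0
    diff = (b - a) % MOD
    if diff == HALF:
        return None  # exactly half the number space apart
    return -1 if diff < HALF else 1


def signed_vs_unsigned(unsigned_text, signed_text):
    """Report whether the signed serial is ahead of, equal to or behind the input."""
    cmp = serial_compare(soa_serial(signed_text), soa_serial(unsigned_text))
    return {0: "equal", 1: "signed-ahead", -1: "signed-behind", None: "undefined"}[cmp]


if __name__ == "__main__":
    print(signed_vs_unsigned(UNSIGNED, SIGNED))
```

A plain integer comparison would give the wrong answer across a serial wrap, which is why the comparison is done modulo 2^32.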



