[Opendnssec-develop] signed serial > unsigned serial?

Matthijs Mekking matthijs at nlnetlabs.nl
Tue Sep 10 13:01:35 UTC 2013


Should the signed serial always be higher than the unsigned serial?

I have written my thoughts down here:

  https://issues.opendnssec.org/browse/OPENDNSSEC-446

This is a reaction to the report SUPPORT-73. My initial thoughts:

Should we always require the signed serial to be higher than the unsigned
serial? We currently only do that if the signer has no state about the zone
(e.g. on a "first run").

In case of keep: no.
In case of unixtime: I would prefer to use unixtime if possible.
In case of datecounter: I would prefer to use datecounter if possible.
In case of counter: We could consider this.

But that will only happen if the signer reads the unsigned zone, as we
only read the unsigned zone if the operator specifically tells us to do so
with "ods-signer sign <zone>" (or, in case of DNS adapters, the master
sends us a NOTIFY, or the REFRESH/RETRY timer has triggered).

So in case of a regular re-sign, we cannot satisfy this requirement.

Take this as a starting point for the discussion; I would like your thoughts
on this, whether we should accept this feature request or stick to the
current behavior.

Best regards,
  Matthijs
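As an added illustration (not the OpenDNSSEC signer's own code), the following Python model shows how the four serial policies named in the mail (keep, unixtime, datecounter, counter) pick the signed zone's serial, and why a "signed > unsigned" check is only possible when the unsigned zone was actually read. The fallback of bumping the previously published serial, and the behaviour of keep on a re-sign, are assumptions of this model.

```python
# Illustrative model, not OpenDNSSEC code: how each <Serial> policy picks
# the serial of the signed zone, and when a "signed > unsigned" rule can
# be checked at all. Fallback rules here are assumptions for the model.
import time

MOD = 1 << 32  # SOA serials are 32-bit and wrap (RFC 1982)


def serial_gt(a, b):
    """RFC 1982 serial comparison: True if a is 'after' b modulo 2^32."""
    a, b = a % MOD, b % MOD
    return (a < b and b - a > MOD // 2) or (a > b and a - b < MOD // 2)


def next_signed_serial(policy, unsigned, prev_signed, now):
    """Return (serial, above_unsigned) for the zone about to be signed.

    unsigned    -- serial of the unsigned zone, or None when the signer did
                   not read it (a regular re-sign, as the mail explains)
    prev_signed -- serial of the last published signed zone, or None on a
                   first run
    now         -- current time as a Unix timestamp
    above_unsigned is None when it could not be checked at all.
    """
    if policy == "keep":
        # Copy the unsigned serial verbatim; nothing to copy on a re-sign
        # (assumed: the previous signed serial is retained in that case).
        serial = unsigned if unsigned is not None else prev_signed
    elif policy == "unixtime":
        serial = int(now) % MOD
    elif policy == "datecounter":
        # YYYYMMDDnn, starting at nn=00 for today's (UTC) date.
        serial = int(time.strftime("%Y%m%d", time.gmtime(now))) * 100
    elif policy == "counter":
        start = prev_signed if prev_signed is not None else unsigned
        if start is None:
            raise ValueError("counter: no serial to count from")
        serial = (start + 1) % MOD
    else:
        raise ValueError("unknown serial policy: %r" % policy)
    # Assumed fallback: the signed zone must always move forward, so if the
    # strategy did not get past the last published serial, bump that one.
    if policy != "keep" and prev_signed is not None \
            and not serial_gt(serial, prev_signed):
        serial = (prev_signed + 1) % MOD
    # The rule under discussion can only be evaluated if we read the zone.
    above = None if unsigned is None else serial_gt(serial, unsigned)
    return serial, above
```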
