[Opendnssec-develop] signed serial > unsigned serial?

Siôn Lloyd sion at nominet.org.uk
Tue Sep 10 15:58:04 CEST 2013


What is the use-case? So long as the serial in the published zone is
always increasing then we are okay surely...

Sion

On 10/09/13 14:01, Matthijs Mekking wrote:
> Should the signed serial always be higher than the unsigned serial?
>
> I have written my thoughts down here:
>
>   https://issues.opendnssec.org/browse/OPENDNSSEC-446
>
> As a reaction to the report SUPPORT-73. My initial thoughts:
>
> Should we always have the signed serial to be higher than the unsigned
> serial? We now only do that if the signer has no state about the zone
> (e.g. "first run").
>
> In case of keep: no.
> In case of unixtime: I would prefer to use unixtime if possible.
> In case of datecounter: I would prefer to use datecounter if possible.
> In case of counter: We could consider this.
>
> But that will only happen if the signer reads the unsigned zone, as we
> only read the unsigned zone if the operator specifically tells us to do
> so with "ods-signer sign <zone>" (or in case of DNS adapters, the master
> gives us a NOTIFY, or the REFRESH/RETRY timer has triggered).
>
> So in case of a regular re-sign, we cannot satisfy this requirement.
>
> Take this as a starting point of the discussion and I would like your
> thoughts on this, whether we should accept this feature request or stick
> to the current behavior.
>
> Best regards,
>   Matthijs
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
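
Added example, not part of the original thread and not OpenDNSSEC code: a sketch of the two requirements discussed above, "published serial always increases" and "signed serial higher than unsigned serial", using RFC 1982 serial arithmetic. The function names, the exceed_unsigned switch and the exact behaviour given to each policy name are assumptions made for illustration.

```python
import time

MOD, HALF = 2**32, 2**31  # SOA serials live in a 32-bit serial space (RFC 1982)

def serial_gt(a, b):
    """RFC 1982 comparison: True if a is newer than b.
    A distance of exactly 2**31 is undefined and treated as 'not greater'."""
    return a != b and (a - b) % MOD < HALF

def next_serial(policy, prev_signed, unsigned, now, exceed_unsigned=False):
    """Choose the next published serial (assumed policy semantics).

    prev_signed: last published serial, or None when the signer has no state.
    unsigned:    serial of the unsigned zone, or None when it was not re-read
                 (the regular re-sign case from the thread).
    exceed_unsigned: hypothetical switch for the requested behaviour.
    """
    if policy == "keep":
        # keep publishes the unsigned serial as-is, so it must itself move forward
        if unsigned is None:
            raise ValueError("keep: unsigned zone was not read")
        if prev_signed is not None and not serial_gt(unsigned, prev_signed):
            raise ValueError("keep: unsigned serial did not increase")
        return unsigned
    if policy == "unixtime":
        candidate = int(now) % MOD
    elif policy == "datecounter":
        # YYYYMMDDNN with NN starting at 00
        candidate = int(time.strftime("%Y%m%d", time.gmtime(now))) * 100
    elif policy == "counter":
        base = prev_signed if prev_signed is not None else (unsigned or 0)
        candidate = (base + 1) % MOD
    else:
        raise ValueError("unknown policy: %s" % policy)
    # Requirement 1: the published serial must always increase.
    if prev_signed is not None and not serial_gt(candidate, prev_signed):
        candidate = (prev_signed + 1) % MOD
    # Requirement 2 (the request): only enforceable when the unsigned zone was read.
    if exceed_unsigned and unsigned is not None and not serial_gt(candidate, unsigned):
        candidate = (unsigned + 1) % MOD
    return candidate

if __name__ == "__main__":
    now = 1378821484  # constructed sample time: 2013-09-10 13:58:04 UTC
    for unsigned in (None, 2013091099):  # not re-read vs. re-read unsigned zone
        print(unsigned, next_serial("counter", 2013091005, unsigned, now, True))
```
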



