[Opendnssec-develop] signed serial > unsigned serial?
matthijs at nlnetlabs.nl
Tue Sep 10 16:02:47 CEST 2013
The use case is described in SUPPORT-73. Basically it is part of a check
before publishing, that requires the outgoing serial to be equal or
higher than the incoming serial. Quoting:
"So the serial of signed file must be higher than or equal to that in
unsigned zone, to ensure the signed file which we got is for the newest
On 09/10/2013 03:58 PM, Siôn Lloyd wrote:
> What is the use-case? So long as the serial in the published zone is
> always increasing then we are okay surely...
> On 10/09/13 14:01, Matthijs Mekking wrote:
>> Should the signed serial always be higher than the unsigned serial?
>> I have written my thoughts down here:
>> As a reaction to the report SUPPORT-73. My initial thoughts:
>> Should we always have the signed serial to be higher than the unsigned
>> serial? We now only do that if the signer has no state about the zone
>> (eg "first run").
>> In case of keep: no.
>> In case of unixtime: I would prefer to use unixtime if possible.
>> In case of datecounter: I would prefer to use datecounter if possible.
>> In case of counter: We could consider this.
>> But that will only happen if the signer reads the unsigned zone, as we
>> only read the unsigned zone if the operator specifically tells us to do
>> with "ods-signer sign <zone>" (or in case of DNS adapters, the master
>> gives us a NOTIFY, or the REFRESH/RETRY timer has triggered).
>> So in case of a regular re-sign, we cannot satisfy this requirement.
>> Take this as a starting point of the discussion and I like your thoughts
>> on this, whether we should accept this feature request or stick to the
>> current behavior.
>> Best regards,
>> Opendnssec-develop mailing list
>> Opendnssec-develop at lists.opendnssec.org
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
More information about the Opendnssec-develop