[Opendnssec-develop] signed serial > unsigned serial?

Matthijs Mekking matthijs at nlnetlabs.nl
Tue Sep 10 16:02:47 CEST 2013


The use case is described in SUPPORT-73. Basically it is part of a check
before publishing, that requires the outgoing serial to be equal to or
higher than the incoming serial. Quoting:

"So the serial of signed file must be higher than or equal to that in
unsigned zone, to ensure the signed file which we got is for the newest
unsigned zone."

Best regards,
  Matthijs

On 09/10/2013 03:58 PM, Siôn Lloyd wrote:
> What is the use-case? So long as the serial in the published zone is
> always increasing then we are okay surely...
> 
> Sion
> 
> On 10/09/13 14:01, Matthijs Mekking wrote:
>> Should the signed serial always be higher than the unsigned serial?
>>
>> I have written my thoughts down here:
>>
>>   https://issues.opendnssec.org/browse/OPENDNSSEC-446
>>
>> As a reaction to the report SUPPORT-73. My initial thoughts:
>>
>> Should we always have the signed serial to be higher than the unsigned
>> serial? We now only do that if the signer has no state about the zone
>> (eg "first run").
>>
>> In case of keep: no.
>> In case of unixtime: I would prefer to use unixtime if possible.
>> In case of datecounter: I would prefer to use datecounter if possible.
>> In case of counter: We could consider this.
>>
>> But that will only happen if the signer reads the unsigned zone, as we
>> only read the unsigned zone if the operator specifically tells us to do
>> with "ods-signer sign <zone>" (or in case of DNS adapters, the master
>> gives us a NOTIFY, or the REFRESH/RETRY timer has triggered).
>>
>> So in case of a regular re-sign, we cannot satisfy this requirement.
>>
>> Take this as a starting point of the discussion and I like your thoughts
>> on this, whether we should accept this feature request or stick to the
>> current behavior.
>>
>> Best regards,
>>   Matthijs
>> _______________________________________________
>> Opendnssec-develop mailing list
>> Opendnssec-develop at lists.opendnssec.org
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop

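As an added illustration (not OpenDNSSEC's own code), the two invariants the thread discusses, Siôn's "published serial always increases" and the SUPPORT-73 "signed serial must be >= unsigned serial", enforced with RFC 1982 serial comparison across the four serial modes named above. The per-mode semantics, the function names and the `unsigned=None` convention for a re-sign that did not re-read the input are assumptions made for this example.

```python
from datetime import datetime, timezone

SERIAL_MOD = 1 << 32   # SOA serials are 32-bit; ordering follows RFC 1982
SERIAL_HALF = 1 << 31

def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 'a > b' (wrap-safe; neither is greater when exactly 2^31 apart)."""
    a, b = a % SERIAL_MOD, b % SERIAL_MOD
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)

def natural_serial(mode: str, prev_signed, unsigned, now: datetime) -> int:
    """Serial the mode would pick on its own (assumed semantics, not OpenDNSSEC code)."""
    if mode == "keep":                  # copy the unsigned zone's serial
        return unsigned
    if mode == "unixtime":
        return int(now.timestamp())
    if mode == "datecounter":           # YYYYMMDDnn, nn counts up within one day
        today = int(now.strftime("%Y%m%d")) * 100
        if prev_signed is not None and prev_signed // 100 == today // 100:
            return prev_signed + 1
        return today
    if mode == "counter":
        return unsigned if prev_signed is None else prev_signed + 1
    raise ValueError(f"unknown serial mode {mode!r}")

def outgoing_serial(mode: str, prev_signed, unsigned, now: datetime):
    """Return (serial, reason) for the zone about to be published.

    prev_signed: serial of the previously signed zone, None on first run.
    unsigned:    serial of the unsigned zone as last read, or None for a plain
                 re-sign that did not re-read the input; then only the
                 'always increasing' invariant can be enforced (the gap the
                 thread points out for regular re-signs).
    """
    if unsigned is None and (mode == "keep" or prev_signed is None):
        raise ValueError("unsigned serial required for this mode/state")
    serial = natural_serial(mode, prev_signed, unsigned, now) % SERIAL_MOD
    reason = "natural"
    # Invariant 1: the published serial must keep increasing.
    if prev_signed is not None and not serial_gt(serial, prev_signed):
        serial, reason = (prev_signed + 1) % SERIAL_MOD, "bumped past previous signed"
    # Invariant 2 (SUPPORT-73): signed serial >= unsigned serial, when it is known.
    if unsigned is not None and serial != unsigned % SERIAL_MOD \
            and not serial_gt(serial, unsigned):
        serial, reason = unsigned % SERIAL_MOD, "raised to unsigned serial"
    return serial, reason

# Constructed sample instant (the thread's date); not taken from any zone data.
SAMPLE_NOW = datetime(2013, 9, 10, 16, 2, 47, tzinfo=timezone.utc)
```

Note the unixtime case: an unsigned zone carrying a datecounter-style serial (2013091002) is "greater" than a 2013 unix timestamp under RFC 1982, so the check forces the signed serial up to the unsigned value.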


