[Opendnssec-develop] signed serial > unsigned serial?

Rick van Rein (OpenFortress) rick at openfortress.nl
Tue Sep 10 15:29:01 UTC 2013


Hi,

>> Should the signed serial always be higher than the unsigned serial?
>> #OPENDNSSEC-446 #SUPPORT-73.
> 
> I do not agree with the reporter that ODS should follow the unsigned
> serial.

Clear statement, and understood.  But you're forgetting something...

> As an admin you explicitly transfer the management
> responsibility to ODS.

To be able to switch OpenDNSSEC on and off (which can really help its acceptance) you need to rely on *some* relation between the serials coming out; if you cannot influence them and they'd start at 1 (say), then the name server might miss out on the updates ODS makes.

Had we had the null (or passthrough, or transparent) encryption algorithm then users could always pass unsigned zones through ODS and let it do its thing with SOA and no matter what, it would all work fine.  That sort of architectural advantage is precisely why we'd love to see this one.  We've been working around this sort of problem over and over, and SOA sequencing is a nasty bit we have had to chew on more than once, while wishing the null signature alg were there.

-Rick
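
Added example, not part of the original post or of OpenDNSSEC: a sketch of why switching the signer on or off depends on how the serials relate, assuming the name server accepts a new zone version only when its SOA serial is newer under RFC 1982 serial arithmetic, as a secondary does. All serial values and signer behaviours below are constructed for illustration.

```python
# Added example (not from the post): SOA serial comparison per RFC 1982.
MOD = 1 << 32          # SOA serials are 32-bit
HALF = 1 << 31

def serial_gt(a, b):
    """True if serial a is newer than b under RFC 1982 serial arithmetic.
    Serials exactly 2**31 apart are undefined and treated as 'not newer'."""
    return a % MOD != b % MOD and (a - b) % MOD < HALF

def secondary_refresh(held, offered):
    """Model a secondary polling the SOA: it transfers only newer serials.
    Returns (serial finally held, list of offered serials it ignored)."""
    ignored = []
    for serial in offered:
        if serial_gt(serial, held):
            held = serial
        else:
            ignored.append(serial)
    return held, ignored

# Constructed serials: the unsigned zone was served directly at this serial.
UNSIGNED = 2013091001

def switch_on_counter_from_one():
    # Hypothetical signer numbering its output 1, 2, 3 regardless of input.
    return secondary_refresh(UNSIGNED, [1, 2, 3])

def switch_on_above_input():
    # Hypothetical signer whose output serial stays above the input serial.
    return secondary_refresh(UNSIGNED, [UNSIGNED + 1, UNSIGNED + 2])

def switch_off_after_signer_ran_ahead():
    # Signer had reached UNSIGNED + 5; the unsigned source resumes at + 2,
    # so its edits are ignored until its serial passes the signed one.
    return secondary_refresh(UNSIGNED + 5, [UNSIGNED + 2, UNSIGNED + 6])

if __name__ == "__main__":
    for case in (switch_on_counter_from_one, switch_on_above_input,
                 switch_off_after_signer_ran_ahead):
        held, ignored = case()
        print(f"{case.__name__}: holds {held}, ignored {ignored}")
```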

