[Opendnssec-develop] signed serial > unsigned serial?

Matthijs Mekking matthijs at nlnetlabs.nl
Wed Sep 11 07:50:42 CEST 2013


Hi Rick,

On 09/10/2013 05:29 PM, Rick van Rein (OpenFortress) wrote:
> Hi,
> 
>>> Should the signed serial always be higher than the unsigned
>>> serial? #OPENDNSSEC-446 #SUPPORT-73.
>> 
>> I do not agree with the reporter that ODS should follow the
>> unsigned serial.
> 
> Clear statement, and understood.  But you're forgetting something...
> 
>> As an admin you explicitly transfer the management responsibility
>> to ODS.
> 
> To be able to switch OpenDNSSEC on and off (which can really help its
> acceptance) you need to rely on *some* relation between the serials
> coming out; if you cannot influence them and they'd start at 1 (say),
> then the name server might miss out on the updates ODS makes.

The signer keeps zone state on disk in order to achieve this.

> 
> Had we had the null (or passthrough, or transparent) encryption
> algorithm then users could always pass unsigned zones through ODS and
> let it do its thing with SOA and no matter what, it would all work
> fine.  That sort of architectural advantage is precisely why we'd
> love to see this one.  We've been working around this sort of problem
> over and over, and SOA sequencing is a nasty bit we have had to chew
> on more than once, while wishing the null signature alg were there.

Pass-through of unsigned zones has no serial management, so SOA
sequencing is in that scenario not difficult at all.

Best regards,
  Matthijs


> 
> -Rick
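The serial relation the thread argues about, as an added example (my own Python, not OpenDNSSEC code): RFC 1982 serial arithmetic as a secondary applies it, a signer that persists the last serial it published and derives the next one from that state, and Rick's switch-ODS-on-and-off scenario. The policy names `keep`, `counter` and `unixtime` and the choice to seed a managed policy from the unsigned serial on the first run are assumptions for illustration, not a description of the signer's internals; the zone serials and file name are constructed.

```python
import json
import os
import time

# Added example (not OpenDNSSEC code). Models the serial relation discussed in
# the thread: a signer that persists the last serial it published and derives
# the next one so that secondaries always see it as "newer" (RFC 1982).
MOD = 1 << 32          # SOA serials are unsigned 32-bit
HALF = 1 << 31


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 comparison: True if a is newer than b, wrap-around included."""
    a, b = a % MOD, b % MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def serial_add(a: int, n: int) -> int:
    """RFC 1982 addition; n must stay below 2^31 or the order is undefined."""
    if not 0 <= n < HALF:
        raise ValueError("increment must be in [0, 2^31)")
    return (a + n) % MOD


def secondary_needs_transfer(have: int, offered: int) -> bool:
    """What a secondary does on NOTIFY/refresh: transfer only if newer."""
    return serial_gt(offered, have)


class SerialNotAdvanced(Exception):
    """Raised under the 'keep' policy when the admin did not bump the serial."""


def next_signed_serial(unsigned_serial: int, last_signed, policy: str,
                       now: int = None) -> int:
    """
    Pick the serial for the signed zone.  `last_signed` is the persisted
    state (None on the very first signing run).  Policy names are an
    assumption loosely modelled on signer serial settings, not ODS internals.
    """
    if policy == "keep":
        # Admin keeps responsibility: the unsigned serial is copied through,
        # so a re-sign without a bump would be invisible to secondaries.
        if last_signed is not None and not serial_gt(unsigned_serial, last_signed):
            raise SerialNotAdvanced(
                f"unsigned {unsigned_serial} does not advance past {last_signed}")
        return unsigned_serial % MOD
    # Managed policies: seed from the unsigned serial on the first run so the
    # first signed serial already sits above the last unsigned one (assumed).
    floor = unsigned_serial if last_signed is None else last_signed
    if policy == "counter":
        return serial_add(floor, 1)
    if policy == "unixtime":
        cand = (int(time.time()) if now is None else now) % MOD
        # Two runs in one second, or a clock stepped back, would not advance:
        # fall back to floor+1 so the published serial still grows.
        return cand if serial_gt(cand, floor) else serial_add(floor, 1)
    raise ValueError(f"unknown policy {policy!r}")


def load_state(path: str):
    """Last published serial from the on-disk state, None if there is none yet."""
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return json.load(f)["last_signed"]


def save_state(path: str, serial: int) -> None:
    with open(path, "w") as f:
        json.dump({"last_signed": serial}, f)


def sign_run(state_path: str, unsigned_serial: int, policy: str, now=None) -> int:
    """One signer run: read state, choose the serial, persist it."""
    serial = next_signed_serial(unsigned_serial, load_state(state_path), policy, now)
    save_state(state_path, serial)
    return serial


def toggle_scenario():
    """
    Rick's concern: serve unsigned, switch ODS on (counter) for two runs,
    switch it off and republish the unchanged unsigned zone.  Returns the
    serials a secondary saw and whether it would pull the unsigned zone.
    """
    unsigned = 2013091001          # constructed sample serial
    last = None
    seen = [unsigned]
    for _ in range(2):
        last = next_signed_serial(unsigned, last, "counter")
        seen.append(last)
    return seen, secondary_needs_transfer(seen[-1], unsigned)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "example.com.state.json")   # constructed path
        print(sign_run(p, 2013091001, "counter"))        # 2013091002
        print(sign_run(p, 2013091001, "counter"))        # 2013091003
    print(toggle_scenario())                             # ([...], False)
```

`toggle_scenario()` returns `False` for the final transfer check: after two signed runs the secondary holds 2013091003, and the republished unsigned zone at 2013091001 is older in serial arithmetic, so it is ignored until the admin bumps the unsigned serial past what the signer published. The `unixtime` branch shows the other edge the state is there for: a timestamp that does not exceed the persisted serial falls back to the counter.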