[Opendnssec-develop] signed serial > unsigned serial?
Matthijs Mekking
matthijs at nlnetlabs.nl
Wed Sep 11 05:50:42 UTC 2013
Hi Rick,
On 09/10/2013 05:29 PM, Rick van Rein (OpenFortress) wrote:
> Hi,
>
>>> Should the signed serial always be higher than the unsigned
>>> serial? #OPENDNSSEC-446 #SUPPORT-73.
>>
>> I do not agree with the reporter that ODS should follow the
>> unsigned serial.
>
> Clear statement, and understood. But you're forgetting something...
>
>> As an admin you explicitly transfer the management responsibility
>> to ODS.
>
> To be able to switch OpenDNSSEC on and off (which can really help its
> acceptance) you need to rely on *some* relation between the serials
> coming out; if you cannot influence them and they'd start at 1 (say),
> then the name server might miss out on the updates ODS makes.
The signer keeps zone state on disk in order to achieve this.
>
> Had we had the null (or passthrough, or transparent) encryption
> algorithm then users could always pass unsigned zones through ODS and
> let it do its thing with SOA and no matter what, it would all work
> fine. That sort of architectural advantage is precisely why we'd
> love to see this one. We've been working around this sort of problem
> over and over, and SOA sequencing is a nasty bit we have had to chew
> on more than once, while wishing the null signature alg were there.
Pass-through of unsigned zones has no serial management, so SOA
sequencing is in that scenario not difficult at all.
Best regards,
Matthijs
>
> -Rick_______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
>
More information about the Opendnssec-develop
mailing list