[Opendnssec-develop] signed serial > unsigned serial?

Matthijs Mekking matthijs at nlnetlabs.nl
Wed Sep 11 08:46:12 CEST 2013


On 09/10/2013 04:38 PM, Yuri Schaeffer wrote:
>> Should the signed serial always be higher than the unsigned serial?
>> #OPENDNSSEC-446 #SUPPORT-73.
> 
> I do not agree with the reporter that ODS should follow the unsigned
> serial. As an admin you explicitly transfer the management
> responsibility to ODS. The way you describe it is now sounds like the
> sanest solution to me. The serial of an unpublished version of the zone
> is not relevant at all.
> 
> //Yuri

I am not sure that the serial of an unpublished version is not relevant
at all. While it is not published, it can be used for operational
practice. The kasp serial 'keep' already implies this.

To me it sounds like the reporter wants something like a cross between
'keep' (have control over the serial) and 'counter' (automatic
resigning). I am not sure if we should satisfy this requirement, and if
so whether we do this by:

* changing the behavior of counter;
* introducing a new serial value 'keepcounter' (name under debate);

The name keepcounter vaguely rings a bell. Ah!:

  https://issues.opendnssec.org/browse/ODSTRACIMPORT-31

It looks like we have had this discussion before. And it looks like we
have implemented this when reading the unsigned zone (not when doing an
automatic re-sign).

I'm going back to the reporter.

Best regards,
  Matthijs






