reply: [Opendnssec-develop] signed serial > unsigned serial?

Matthijs Mekking matthijs at nlnetlabs.nl
Wed Sep 11 08:08:12 UTC 2013


On 09/11/2013 09:26 AM, Jakob Schlyter wrote:
> On 11 sep 2013, at 09:15, "wangguodong" <wanggd at conac.cn> wrote:
> 
>> Because in the New gTLD Applicant Guidebook, the registry's zone file should
>> be accessible to a third party (AGB Specification 4, p. 43).
> 
> Is the 3rd party zone access for an unsigned or signed zone?
> 
>> So if a third party gets the unsigned zone and the unsigned zone's serial is
>> higher than that of the current signed zone (which can be dug from the
>> internet), this may be a problem.
> 
> I don't think it is a real problem, but I do agree it might look strange. I also believe the signed zone serial should always be equal to or higher than the unsigned version's.

I don't like having functionality that polls the serial from the
unsigned zone to verify that the upcoming signed serial is higher than
the unsigned serial. So *always* is problematic for me. It's okay when
you are already reading the unsigned zone. That is also more in line with
our requirement to only read the unsigned zone upon manual request (e.g.
the sign command).

Best regards,
  Matthijs

> 
>> So given this, I think it's better to ensure the signed zone's serial is higher
>> than the unsigned zone's.
> 
> I agree.
> 
> 
> 	jakob
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
> 
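The check discussed in the thread, as an added example that is not OpenDNSSEC code: compare the two SOA serials with RFC 1982 serial-number arithmetic (so the 32-bit wrap-around is handled), and, at the moment the unsigned zone has actually been read, choose a signed serial that is both higher than the previously signed serial and not lower than the unsigned one. The function names, the `candidate` parameter (standing in for whatever serial the signing policy proposes) and the sample zone lines are assumptions constructed for this example.

```python
"""Added example (not OpenDNSSEC's code): keep the signed zone's SOA serial
from falling behind the unsigned zone's serial, using RFC 1982 arithmetic."""

SERIAL_MOD = 1 << 32          # SOA serials are 32-bit unsigned integers
HALF = 1 << 31                # RFC 1982 comparison window


def serial_gt(a, b):
    """RFC 1982: True if serial a is 'greater than' serial b (wrap-aware)."""
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    if a == b:
        return False
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def serial_add(a, n):
    """RFC 1982 addition: n must be below 2^31 to keep the order well defined."""
    return (a + n) % SERIAL_MOD


def soa_serial(zone_text):
    """Extract the serial from a zone fragment whose SOA is on one line.

    Fields after the SOA type are: mname rname serial refresh retry expire minimum.
    Constructed helper; a real zone parser would also handle the multi-line form.
    """
    for line in zone_text.splitlines():
        fields = line.split()
        if "SOA" in fields:
            i = fields.index("SOA")
            return int(fields[i + 3])
    raise ValueError("no SOA record found")


def signed_lags(signed_serial, unsigned_serial):
    """True when the published signed serial is lower than the unsigned one,
    i.e. the situation a third party with zone-file access would find odd."""
    return serial_gt(unsigned_serial, signed_serial)


def next_signed_serial(current_signed, candidate, unsigned_serial=None):
    """Serial to put in the next signed zone.

    candidate        serial proposed by the signing policy (assumed parameter)
    current_signed   serial of the signed zone published right now
    unsigned_serial  serial of the unsigned zone, only when it was just read
                     (e.g. on a manual sign command); None otherwise, so no
                     extra polling of the unsigned zone is needed

    The result is always higher than current_signed (so secondaries notice a
    new version) and, when unsigned_serial is known, never lower than it.
    """
    serial = candidate % SERIAL_MOD
    if not serial_gt(serial, current_signed):
        serial = serial_add(current_signed, 1)
    if unsigned_serial is not None and serial_gt(unsigned_serial, serial):
        serial = unsigned_serial % SERIAL_MOD
    return serial


# Constructed sample input: the signed copy lags one behind the unsigned copy.
UNSIGNED_ZONE = "example. 3600 IN SOA ns1.example. hostmaster.example. 2013091102 7200 3600 1209600 3600\n"
SIGNED_ZONE = "example. 3600 IN SOA ns1.example. hostmaster.example. 2013091101 7200 3600 1209600 3600\n"

if __name__ == "__main__":
    unsigned = soa_serial(UNSIGNED_ZONE)
    signed = soa_serial(SIGNED_ZONE)
    print("signed lags unsigned:", signed_lags(signed, unsigned))
    # A counter-style policy would propose signed + 1; the unsigned serial wins here.
    print("next signed serial:", next_signed_serial(signed, signed + 1, unsigned))
```

Leaving `unsigned_serial` as `None` on the periodic re-sign path preserves the behaviour argued for in the reply: the unsigned zone is consulted only when it is being read anyway, and the serial is merely kept increasing relative to the last signed copy.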