[Opendnssec-user] Message: Cannot keep input serial 2010070514, output serial 2010070514 is too large. Aborting operation

Carsten Strotmann (Men&Mice) carsten at menandmice.com
Mon Jul 5 15:13:00 UTC 2010


Hello Rickard,

On 07/ 5/10 03:29 PM, Rickard Bellgrim wrote:
>
> On 5 jul 2010, at 15.18, Carsten Strotmann (Men&Mice) wrote:
>
>> Why is 2010070514 too large? Is this anything to be concerned
>> about
>
> If you use the SOA serial mode "keep", then the output serial must be
> smaller than the input serial. Otherwise will the signer not sign
> your zone. The signer will try each resign period until you have
> updated the SOA serial in the unsigned zone.
>
> // Rickard

ok, that was a misunderstanding on my side. I was thinking that "keep" 
means that opendnssec should just not care about the serial, just sign.

Would it be possible to have a serial number mode of "ignore", that will 
basically not look at the serial at all but will sign whenever the user 
will give a ods-signer sign <zone> command? This would be useful in 
cases where the serial is already managed by a different tool/script.

-- Carsten



More information about the Opendnssec-user mailing list