[Opendnssec-user] Message: Cannot keep input serial 2010070514, output serial 2010070514 is too large. Aborting operation

Mathieu Arnold mat at mat.cc
Mon Jul 5 17:25:39 CEST 2010



+--On 5 July 2010 17:13:00 +0200 "Carsten Strotmann (Men&Mice)"
<carsten at menandmice.com> wrote:
| Hello Rickard,
| 
| On 07/ 5/10 03:29 PM, Rickard Bellgrim wrote:
|> 
|> On 5 jul 2010, at 15.18, Carsten Strotmann (Men&Mice) wrote:
|> 
|>> Why is 2010070514 too large? Is this anything to be concerned
|>> about?
|> 
|> If you use the SOA serial mode "keep", then the output serial must be
|> smaller than the input serial. Otherwise the signer will not sign
|> your zone. The signer will try each resign period until you have
|> updated the SOA serial in the unsigned zone.
|> 
|> // Rickard
| 
| ok, that was a misunderstanding on my side. I was thinking that "keep"
| means that opendnssec should just not care about the serial, just sign.
| 
| Would it be possible to have a serial number mode of "ignore", that will
| basically not look at the serial at all but will sign whenever the user
| gives an ods-signer sign <zone> command? This would be useful in cases
| where the serial is already managed by a different tool/script.

Well, the thing is that the zone might be signed again without any outside
changes. On my systems, it occurs every 4 hours, and if the enforcer thinks
it should be resigned, it's mostly right :-)

I tried to use the keep setting, but it became really impractical, and I
switched to counter without touching my scripts. It increments the serial
monotonically when it needs to, and it gets the new serial if it's bigger,
and it worked out fine so far :-)

-- 
Mathieu Arnold
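
The "keep" and "counter" behaviour discussed in this thread, modelled as an added Python example (not OpenDNSSEC code and not written by anyone in the thread). The function names and the use of RFC 1982 serial arithmetic for the comparison are assumptions of the example.

```python
from typing import Optional

MOD = 1 << 32    # SOA serials are unsigned 32-bit values
HALF = 1 << 31


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is newer than b (RFC 1982 arithmetic, an assumption)."""
    return a != b and ((a - b) % MOD) < HALF


def next_serial(mode: str, input_serial: int, last_output: Optional[int]) -> int:
    """Serial to publish in the signed zone; ValueError means "do not sign".

    last_output is the serial of the previous signed zone, None on first run.
    """
    if last_output is None:
        return input_serial
    if mode == "keep":
        # The operator owns the serial, so it must have moved forward since
        # the last signed zone was published.
        if not serial_gt(input_serial, last_output):
            raise ValueError(
                f"Cannot keep input serial {input_serial}, "
                f"output serial {last_output} is too large"
            )
        return input_serial
    if mode == "counter":
        # Adopt the operator's serial when it is newer; otherwise add one so
        # a scheduled re-sign still yields a higher serial.
        if serial_gt(input_serial, last_output):
            return input_serial
        return (last_output + 1) % MOD
    raise ValueError(f"unknown serial mode: {mode}")


if __name__ == "__main__":
    # Constructed run: the unsigned zone stays at 2010070514 across two
    # re-sign periods, then the operator bumps it.
    for mode in ("keep", "counter"):
        last = None
        for unsigned in (2010070514, 2010070514, 2010070600):
            try:
                last = next_serial(mode, unsigned, last)
                print(mode, unsigned, "->", last)
            except ValueError as exc:
                print(mode, unsigned, "-> abort:", exc)
```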


