[Opendnssec-user] SOA serial keep behavior

Patrik Wallström patrik.wallstrom at iis.se
Mon May 3 07:56:03 UTC 2010

On May 2, 2010, at 9:25 PM, Anirban Mukherjee wrote:

> Is it correct to expect the following if SOA Serial is set to "keep"
> in the concerned policy?
> i) The very first time a zone is signed, the SOA serial of the signed
> file will be the same as that of the unsigned file.
> ii) Post the first-time signing, if a sign zone command is issued
> without incrementing the serial number of the unsigned file, the
> signing fails with an error saying that the serial number has not
> increased i.e. an attempt to resign a zone fails unless the serial
> number has been incremented.

Yes, this is correct. The purpose of the keep option is to only sign a zone if the zone has been updated, as indicated by the incoming SOA serial. This is useful for a TLD, for example, which creates new zone files at regular intervals.

Patrik Wallström
Project Manager, R&D
.SE (Stiftelsen för Internetinfrastruktur)
E-mail: patrik.wallstrom at iis.se
Web: http://www.iis.se/
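
A pre-flight check for the "keep" behaviour confirmed above, as an added example that is not part of the original post and is not OpenDNSSEC code: it reads the SOA serial from an unsigned zone and reports whether a sign request would be accepted given the serial of the last signed copy. The function names and the sample zone are hypothetical, and comparing serials with RFC 1982 arithmetic is an assumption about how "increased" is evaluated.

```python
import re

# Constructed sample of an unsigned zone as it would be handed to the signer.
SAMPLE_ZONE = """\
$ORIGIN example.
$TTL 3600
@ IN SOA ns1.example. hostmaster.example. (
        2010050301 ; serial
        10800 3600 604800 3600 )
@ IN NS ns1.example.
"""


def soa_serial(zone_text):
    """Return the serial of the first SOA record in a master-format zone."""
    # Drop ';' comments, then treat parentheses as whitespace so a
    # multi-line SOA collapses into one token stream.
    no_comments = re.sub(r";[^\n]*", "", zone_text)
    tokens = no_comments.replace("(", " ").replace(")", " ").split()
    for i, tok in enumerate(tokens):
        if tok.upper() == "SOA" and i + 3 < len(tokens):
            return int(tokens[i + 3])  # SOA <mname> <rname> <serial> ...
    raise ValueError("no SOA record found")


def serial_gt(new, old):
    """RFC 1982 comparison (assumed): True if 'new' is ahead of 'old' modulo 2**32."""
    return new != old and (new - old) % 2**32 < 2**31


def ready_to_sign(unsigned_zone, last_signed_serial=None):
    """Return (ok, incoming_serial) for a zone whose policy uses 'keep'."""
    incoming = soa_serial(unsigned_zone)
    if last_signed_serial is None:
        return True, incoming  # first signing: the serial is carried over
    return serial_gt(incoming, last_signed_serial), incoming


if __name__ == "__main__":
    for last in (None, 2010050300, 2010050301):
        print(last, ready_to_sign(SAMPLE_ZONE, last))
```

Running such a check in the zone-generation pipeline turns an unchanged serial into an explicit failure before the sign command is issued.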
