[Opendnssec-user] SOA serial keep behavior

Anirban Mukherjee amukherj at gmail.com
Mon May 3 09:56:30 UTC 2010

Thanks for your response. My intent is to accomplish exactly what you stated
i.e. to create new zonefiles at regular intervals.

However, I observed a couple of things as discussed below. Would be nice if
you can provide some some feedback.


1) If a sign zone is issued without an increment to the serial number, the
error message is of the form "Cannot keep input serial(<x>), output serial
is too large" and not "Serial setting is set to 'keep', but input serial has
not increased" as one would ideally expect.

This seems to be due to the fact that negative and zero return values from
compare_serial are being treated equivalently by perform_action in
signer/signer_engine/Zone.py and both result in the first error message.

2) When the zone is being signed the very first time *and* the serial number
in the unsigned file is greater than 2^31-1, the same error message ""Cannot
keep input serial(<x>), output serial 0 is too large" is seen and the
signing is aborted.

I think this is caused by the fact that a .serial file is still not present
in the working directory (default /var/opendnssec/tmp) and get_output_serial
in Zone.py returns zero when a .serial file is not present. In sequence
number arithmetic , zero is greater than any x>2^31-1. So compare_serial
reports that the output serial of zero is larger than the input serial x
from the unsigned file.
A crude way to work around this is to make compare_serial say that any
serial number is greater than a serial number of zero. But then zero cannot
be used as a valid serial number.

I have attached a zip file (z.zip) containing Zone.py from the 1.0.0 tar and
a modified Zone.py.modif to explain the above. There might be other places
like find_serial that need to be considered similarly.

2010/5/3 Patrik Wallström <patrik.wallstrom at iis.se>

> On May 2, 2010, at 9:25 PM, Anirban Mukherjee wrote:
> > Is it correct to expect the following if SOA Serial is set to "keep"
> > in the concerned policy ?
> >
> > i) The very first time a zone is signed, the SOA serial of the signed
> > file will be the same as that of the unsigned file.
> >
> > ii) Post the first-time signing, if a sign zone command is issued
> > without incrementing the serial number of the unsigned file, the
> > signing fails with an error saying that the serial number has not
> > increased i.e. an attempt to resign a zone fails unless the serial
> > number has been incremented.
> Yes, this is correct. The purpose of the keep option is to only sign a zone
> if the zone has been updated as indicated by the incoming SOA serial. This
> is useful for a TLD for example, which creates new zonefiles with regular
> intervals.
> --
> Patrik Wallström
> Project Manager, R&D
> .SE (Stiftelsen för Internetinfrastruktur)
> E-mail: patrik.wallstrom at iis.se
> Web: http://www.iis.se/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20100503/6bf56691/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: z.zip
Type: application/zip
Size: 18201 bytes
Desc: not available
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20100503/6bf56691/attachment.zip>

More information about the Opendnssec-user mailing list