[Opendnssec-user] zone serial has gone backwards

Volker Janzen voja at voja.de
Sun Aug 3 19:22:22 UTC 2014


Hi,

I forgot to mention that I did not find out when the serial got messed up.

I was able to reduce the serial in the unsigned file. I forced signing, this repaired the signed zone on the (hidden) master. I deleted the zone file on all slaves and restarted bind. All nodes loaded the correct zone file after this.


     Volker


> On 16.07.2014 at 19:18, Rick van Rein <rick at openfortress.nl> wrote:
> 
> Hello,
> 
>> no I wasn't aware of this. I can't remember a problem serving this SOA style.
> 
> The wire format is a 32-bit unsigned integer, so you’ve been lucky. More accurately, you’ve been using a mildly ignorant tool to read your zone files.
> 
>> Can I simply lower the SOA in the unsigned zone, or will this cause problems with OpenDNSSEC?
> 
> You should be able to manually insist on “ods-signer sign example.com” and see it fall through.  Be sure that the transfer gets through though, it’ll depend on your style of doing that (I have no experience there).  Only in problematic cases would you need to wipe tmp files (or clear them).
> 
> -Rick
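
An added example, not part of the original messages or of OpenDNSSEC: a check for the situation discussed in this thread, showing what a 32-bit wire serial carries when the zone-file value is too large and how RFC 1982 serial arithmetic decides whether a change counts as going backwards. The serial values are constructed samples, the function names are hypothetical, and reducing an oversized value modulo 2**32 is an assumption about how a lenient tool behaves.

```python
# Added example: SOA serial checks using RFC 1982 serial arithmetic.
# All serial values below are constructed samples, not taken from the thread.

MOD = 1 << 32    # the SOA serial is a 32-bit unsigned integer on the wire
HALF = 1 << 31   # RFC 1982 comparison window


def to_wire(serial):
    """Return (wire value, True if the zone-file value did not fit in 32 bits).
    Assumption: a tool that does not reject the value reduces it modulo 2**32."""
    if serial < 0:
        raise ValueError("SOA serial cannot be negative")
    return serial % MOD, serial >= MOD


def compare(a, b):
    """RFC 1982 order of two wire serials: -1 if a < b, 0 if equal, 1 if a > b,
    None when the distance is exactly 2**31 and the order is undefined."""
    a, b = a % MOD, b % MOD
    if a == b:
        return 0
    forward = (b - a) % MOD   # distance from a up to b, allowing wraparound
    if forward == HALF:
        return None
    return -1 if forward < HALF else 1


def check_serial_change(old, new):
    """Classify a serial change as a secondary comparing wire values sees it."""
    old_wire, _ = to_wire(old)
    new_wire, new_truncated = to_wire(new)
    if new_truncated:
        return "does-not-fit"
    return {-1: "advances", 0: "unchanged", 1: "backwards", None: "undefined"}[
        compare(old_wire, new_wire)]


if __name__ == "__main__":
    too_big = 201407161918   # constructed 12-digit timestamp-style serial
    wrapped, truncated = to_wire(too_big)
    print(too_big, "->", wrapped, "truncated:", truncated)
    for old, new in [(2014071601, 2014080301), (wrapped, 2014080301),
                     (4294967295, 0), (2014080301, too_big)]:
        print(old, "->", new, ":", check_serial_change(old, new))
```

A "backwards" result means a secondary that compares serials will keep its existing copy instead of transferring the corrected zone.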


