[Opendnssec-user] KASP serial keep
shlyoko at gmail.com
Thu Feb 13 12:14:54 UTC 2014
opendnssec version 1.4.3
I have a KASP policy which sets the SOA serial configuration to "keep"
(<Serial>keep</Serial>). I manually raise the serial number for the zone to
be signed, but when the signer runs, it does not detect the serial number
change and logs:
Feb 13 13:13:45 catwoman ods-signerd: [namedb] zone test.org cannot keep SOA SERIAL from input zone (2012070503): previous output SOA SERIAL is
Feb 13 13:13:45 catwoman ods-signerd: [zone] unable to update zone test.org soa serial: Conflict detected
Feb 13 13:13:45 catwoman ods-signerd: [zone] If this is the result of a key rollover, please increment the serial in the unsigned zone test.org
Feb 13 13:13:45 catwoman ods-signerd: [worker] unable to sign zone test.org: failed to increment serial
Feb 13 13:13:45 catwoman ods-signerd: [worker] CRITICAL: failed to sign zone test.org: Conflict detected
Feb 13 13:13:45 catwoman ods-signerd: [worker] backoff task [sign] for zone test.org with 60 seconds
At that time the unsigned zone has serial - 2012070504 and the zone signed
at the previous run has serial - 2012070503.
I was able to reproduce the issue with the "lab" KASP policy, just changing
the <Serial> parameter to "keep".
Manually running "ods-signer sign test.org" detects the increased serial
number and the zone is re-signed correctly.
Can someone please try to reproduce the issue and let me know if it's a bug
or a misconfiguration on my side? Thanks.