[Opendnssec-user] KASP serial keep

Emil Natan shlyoko at gmail.com
Thu Feb 13 12:14:54 UTC 2014


Hello everybody,

opendnssec version 1.4.3

I have a KASP policy which sets the SOA serial configuration to "keep"
(<Serial>keep</Serial>). I manually raise the serial number for the zone to
be signed, but when the signer runs, it does not detect the serial number
change and logs:

Feb 13 13:13:45 catwoman ods-signerd: [namedb] zone test.org cannot keep SOA SERIAL from input zone  (2012070503): previous output SOA SERIAL is 2012070503
Feb 13 13:13:45 catwoman ods-signerd: [zone] unable to update zone test.orgsoa serial: Conflict detected
Feb 13 13:13:45 catwoman ods-signerd: [zone] If this is the result of a key rollover, please increment the serial in the unsigned zone test.org
Feb 13 13:13:45 catwoman ods-signerd: [worker[4]] unable to sign zone test.org: failed to increment serial
Feb 13 13:13:45 catwoman ods-signerd: [worker[4]] CRITICAL: failed to sign zone test.org: Conflict detected
Feb 13 13:13:45 catwoman ods-signerd: [worker[4]] backoff task [sign] for zone test.org with 60 seconds

At that time the unsigned zone has serial - 2012070504 and the zone signed
at the previous run has serial - 2012070503.

I was able to reproduce the issue with the "lab" KASP policy, just changing
the <Serial> parameter to "keep".

Manually running "ods-signer sign test.org" detects the increased serial
number and the zone is re-signed correctly.

Can someone please try to reproduce the issue and let me know if it's a bug
or a misconfiguration on my side? Thanks.

ena