[Opendnssec-user] KASP serial keep

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Feb 13 12:52:09 UTC 2014


Hi Emil,

On 02/13/2014 01:14 PM, Emil Natan wrote:
> Hello everybody,
> 
> opendnssec version 1.4.3
> 
> I have a KASP policy which sets the SOA serial configuration to "keep"
> (<Serial>keep</Serial>). I raise the serial number of the zone to be
> signed manually, but when the signer runs, it does not detect the serial
> number change and logs:
> 
> Feb 13 13:13:45 catwoman ods-signerd: [namedb] zone test.org cannot keep SOA SERIAL from input zone  (2012070503): previous output SOA SERIAL is 2012070503
> Feb 13 13:13:45 catwoman ods-signerd: [zone] unable to update zone test.org soa serial: Conflict detected
> Feb 13 13:13:45 catwoman ods-signerd: [zone] If this is the result of a key rollover, please increment the serial in the unsigned zone test.org
> Feb 13 13:13:45 catwoman ods-signerd: [worker[4]] unable to sign zone test.org: failed to increment serial
> Feb 13 13:13:45 catwoman ods-signerd: [worker[4]] CRITICAL: failed to sign zone test.org: Conflict detected
> Feb 13 13:13:45 catwoman ods-signerd: [worker[4]] backoff task [sign] for zone test.org with 60 seconds
> 
> At that time the unsigned zone has serial 2012070504 and the zone
> signed at the previous run has serial 2012070503.

Correct: The signer will not read the unsigned zone unless specifically
told to. In this case, the signer received an update from the enforcer
(perhaps a key rollover or a salt change), but the "keep" value tells
the signer not to maintain the serial by itself.

In other words, you really have to run ods-signer sign <zone> to bump
the serial if you use "keep".

> I was able to reproduce the issue with the "lab" KASP policy, just
> changing the <Serial> parameter to "keep".
> 
> Running "ods-signer sign test.org" manually detects the increased
> serial number and the zone is resigned correctly.
> 
> Can someone please try to reproduce the issue and let me know if it's a
> bug or a misconfiguration on my side. Thanks.

It's a feature :)

Best regards,
  Matthijs

> 
> ena
> 
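The exchange above comes down to two facts about `<Serial>keep</Serial>`: the signer copies the serial from the unsigned zone instead of generating one, so the input serial must be newer than the last output serial, and an enforcer-triggered resign does not re-read the unsigned zone, so the signer compares the serial it read earlier (stale) against the last signed serial. The following model reproduces both, and the conflict message from the log, with RFC 1982 serial comparison. It is an added example, not OpenDNSSEC code; the `SignerState` fields, the `reread_input` flag and the sample zone are assumptions that simplify what ods-signerd actually holds per zone.

```python
"""Model of OpenDNSSEC's <Serial>keep</Serial> behaviour (added example,
not OpenDNSSEC code). The signer state below is a deliberate simplification."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

HALF = 1 << 31  # half the 32-bit serial space (RFC 1982)


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: True if serial a is 'after' serial b.
    Handles wrap-around, e.g. 1 is after 0xFFFFFFFF."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


# Matches a master-file SOA record, with or without TTL/class and with the
# RDATA optionally opened by '(' on the same line; group 1 is the serial.
SOA_RE = re.compile(
    r"^\S*\s+(?:\d+\s+)?(?:IN\s+)?SOA\s+\S+\s+\S+\s+(?:\(\s*)?(\d+)",
    re.MULTILINE | re.IGNORECASE,
)


def soa_serial(zone_text: str) -> int:
    """Extract the SOA serial from zone-file text."""
    m = SOA_RE.search(zone_text)
    if not m:
        raise ValueError("no SOA record found in zone text")
    return int(m.group(1))


def keep_check(input_serial: int, previous_output: Optional[int]) -> Tuple[bool, str]:
    """The 'keep' rule: the output serial is taken verbatim from the input zone,
    so it must be strictly newer than the previously published serial."""
    if previous_output is None or serial_gt(input_serial, previous_output):
        return True, f"keeping SOA SERIAL {input_serial} from input zone"
    return False, (f"cannot keep SOA SERIAL from input zone ({input_serial}): "
                   f"previous output SOA SERIAL is {previous_output}")


@dataclass
class SignerState:
    """Assumed per-zone signer state: the serial of the unsigned zone as last
    read, and the serial of the last signed zone that was written out."""
    input_serial: int
    output_serial: Optional[int]


def sign_cycle(state: SignerState, unsigned_zone: str, reread_input: bool = False) -> Tuple[bool, str]:
    """One signing pass. A resign requested by the enforcer (key rollover,
    salt change) reuses the input serial read earlier; 'ods-signer sign <zone>'
    is modelled by reread_input=True, which reads the unsigned zone again."""
    if reread_input:
        state.input_serial = soa_serial(unsigned_zone)
    ok, msg = keep_check(state.input_serial, state.output_serial)
    if ok:
        state.output_serial = state.input_serial
    return ok, msg


# Constructed unsigned zone: the operator has already bumped the serial to ...504.
UNSIGNED_ZONE = """\
$ORIGIN test.org.
$TTL 3600
@   IN SOA ns1.test.org. hostmaster.test.org. (
        2012070504 ; serial, raised by hand
        3600 900 1209600 300 )
    IN NS ns1.test.org.
ns1 IN A 192.0.2.1
"""


def demo() -> Tuple[bool, bool, int]:
    """Enforcer-triggered resign without re-read conflicts; an explicit
    'sign' re-reads the zone and succeeds. Returns (first_ok, second_ok, final_serial)."""
    state = SignerState(input_serial=2012070503, output_serial=2012070503)
    first_ok, first_msg = sign_cycle(state, UNSIGNED_ZONE)          # stale input
    second_ok, second_msg = sign_cycle(state, UNSIGNED_ZONE, reread_input=True)
    print(first_msg)
    print(second_msg)
    return first_ok, second_ok, state.output_serial


if __name__ == "__main__":
    demo()
```

The first cycle reproduces the "cannot keep SOA SERIAL from input zone (2012070503): previous output SOA SERIAL is 2012070503" conflict even though the file on disk already carries 2012070504; only the re-read cycle publishes the new serial. In monitoring terms, that log line with equal serials is the signature of a "keep" zone that needs an explicit `ods-signer sign <zone>` after an enforcer-driven change.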



