[Opendnssec-user] KASP serial keep

Emil Natan shlyoko at gmail.com
Thu Feb 13 13:17:18 UTC 2014


Thank you very much Jerry and Matthijs for the fast reply. All clear.

Best Regards,
ena


On Thu, Feb 13, 2014 at 2:52 PM, Matthijs Mekking <matthijs at nlnetlabs.nl> wrote:

> Hi Emil,
>
> On 02/13/2014 01:14 PM, Emil Natan wrote:
> > Hello everybody,
> >
> > opendnssec version 1.4.3
> >
> > I have a KASP policy which sets the SOA serial configuration to "keep"
> > (<Serial>keep</Serial>). I raise the serial number for the zone to be
> > signed manually, but when the signer runs, it does not detect the serial
> > number change and logs:
> >
> > Feb 13 13:13:45 catwoman ods-signerd: [namedb] zone test.org cannot keep
> > SOA SERIAL from input zone (2012070503): previous output SOA SERIAL is
> > 2012070503
> > Feb 13 13:13:45 catwoman ods-signerd: [zone] unable to update zone
> > test.org soa serial: Conflict detected
> > Feb 13 13:13:45 catwoman ods-signerd: [zone] If this is the result of a
> > key rollover, please increment the serial in the unsigned zone test.org
> > Feb 13 13:13:45 catwoman ods-signerd: [worker[4]] unable to sign zone
> > test.org: failed to increment serial
> > Feb 13 13:13:45 catwoman ods-signerd: [worker[4]] CRITICAL: failed to
> > sign zone test.org: Conflict detected
> > Feb 13 13:13:45 catwoman ods-signerd: [worker[4]] backoff task [sign]
> > for zone test.org with 60 seconds
> >
> > At that time the unsigned zone has serial - 2012070504 and the zone
> > signed at the previous run has serial - 2012070503.
>
> Correct: The signer will not read the unsigned zone unless specifically
> told to. In this case, the signer received an update from the enforcer
> (perhaps a key rollover or a salt change), but the "keep" value tells
> the signer not to maintain the serial by itself.
>
> In other words, you really have to run ods-signer sign <zone> to bump
> the serial if you use "keep".
>
> > I was able to reproduce the issue with the "lab" KASP policy, just
> > changing the <Serial> parameter to "keep".
> >
> > Running "ods-signer sign test.org" manually detects the increased serial
> > number and the zone is resigned correctly.
> >
> > Can someone please try to reproduce the issue and let me know if it's a
> > bug or a misconfiguration on my side. Thanks.
>
> It's a feature :)
>
> Best regards,
>   Matthijs
>
> >
> > ena
> >
> >
> > _______________________________________________
> > Opendnssec-user mailing list
> > Opendnssec-user at lists.opendnssec.org
> > https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
> >
>
>
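As an added illustration (not part of the thread and not OpenDNSSEC's own tooling), a POSIX shell check that pulls the SOA serial out of the unsigned input zone and the signer's previous output and applies RFC 1982 serial-number comparison, so an operator running a "keep" policy can confirm the input serial is actually ahead before issuing "ods-signer sign <zone>". The zone contents are constructed from the serials in the log above, and single-line SOA records are assumed.

```shell
#!/bin/sh
# Constructed sample zones: the unsigned input zone (serial bumped by hand)
# and the signer's previous output (the serial values from the log above).
UNSIGNED_ZONE='$ORIGIN test.org.
@ 3600 IN SOA ns1.test.org. hostmaster.test.org. 2012070504 3600 900 1209600 300
@ 3600 IN NS ns1.test.org.'
SIGNED_ZONE='$ORIGIN test.org.
@ 3600 IN SOA ns1.test.org. hostmaster.test.org. 2012070503 3600 900 1209600 300
@ 3600 IN NS ns1.test.org.'

# Print the SOA serial of the zone on stdin (assumes the SOA RR is on one line:
# the serial is the third token after "SOA", following MNAME and RNAME).
soa_serial() {
  awk '{ for (i = 1; i <= NF; i++) if ($i == "SOA") { print $(i + 3); exit } }'
}

# RFC 1982 comparison: succeed (status 0) when serial $1 is "greater" than $2.
# Serials live in a 32-bit space; a is ahead of b when (a - b) mod 2^32 is
# non-zero and below 2^31, which makes the wrap from 4294967295 to 0 an increase.
serial_gt() {
  a=$1; b=$2
  [ "$a" -ne "$b" ] && {
    d=$(( (a - b + 4294967296) % 4294967296 ))
    [ "$d" -lt 2147483648 ]
  }
}

# Under <Serial>keep</Serial> the signer never bumps the serial itself, so the
# input serial must already be ahead of the last signed one. Prints "ok" when
# "ods-signer sign <zone>" can proceed, "conflict" when the operator must raise
# the serial in the unsigned zone first (the situation the log above reports).
keep_status() {
  if serial_gt "$1" "$2"; then echo ok; else echo conflict; fi
}

main() {
  u=$(printf '%s\n' "$UNSIGNED_ZONE" | soa_serial)
  s=$(printf '%s\n' "$SIGNED_ZONE" | soa_serial)
  echo "unsigned=$u signed=$s status=$(keep_status "$u" "$s")"
}
main
```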

