[Opendnssec-user] ods2 signed zone ignores specified Serial format (unixtime), publishes RRSIG SOA with 'datecounter' ?

Yuri Schaeffer yuri at nlnetlabs.nl
Mon Dec 19 19:38:48 UTC 2016


>     egrep -i "serial|SOA" /var/opendnssec/signed/example.info
>         example.info.     300     IN      SOA     dns.example.com.
> soacontact.example.com. 1482169654 7200 1800 604800 300
>         example.info.     300     IN      RRSIG   SOA 8 2 300
> 20161219184751 20161219164734 38544 example.info. pib...U=
> 
> shouldn't the 'unixtime' format be used consistently/unchanged in the
> RRSIG SOA record as well?

You are mixing two concepts.

The SOA record indeed has a unixtime serial like you specified. The
timestamps you see in the RRSIG SOA (or any other RRSIG in your zone)
are *not* serial numbers. They represent the actual times between
which this signature is valid.

The SOA serial format is available for creative uses since the only
requirement is that it increases for each zone version. The RRSIG
timestamps are not to be tampered with.

Regards,
Yuri
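
Added example, not part of the original message and not OpenDNSSEC code: it decodes the two records quoted above to show that the SOA serial is a unixtime value, while the RRSIG fields are the signature's expiration and inception times (RFC 4034 presentation format, YYYYMMDDHHmmSS in UTC). The function names are hypothetical; the record text is the quoted output with its wrapped lines rejoined.

```python
from datetime import datetime, timezone

# Records from the quoted zone output, wrapped lines rejoined.
# The signature field is the page's own truncated "pib...U=".
SOA_LINE = ("example.info. 300 IN SOA dns.example.com. "
            "soacontact.example.com. 1482169654 7200 1800 604800 300")
RRSIG_LINE = ("example.info. 300 IN RRSIG SOA 8 2 300 "
              "20161219184751 20161219164734 38544 example.info. pib...U=")


def rrsig_time(field):
    """RFC 4034 3.2: 14 digits are YYYYMMDDHHmmSS (UTC), else epoch seconds."""
    if len(field) == 14 and field.isdigit():
        dt = datetime.strptime(field, "%Y%m%d%H%M%S")
        return int(dt.replace(tzinfo=timezone.utc).timestamp())
    return int(field)


def parse_soa_serial(line):
    """Return the serial: third RDATA field after MNAME and RNAME."""
    fields = line.split()
    return int(fields[fields.index("SOA") + 3])


def parse_rrsig_window(line):
    """Return (inception, expiration) as epoch seconds.

    RDATA order: type covered, algorithm, labels, original TTL,
    expiration, inception, key tag, signer name, signature.
    """
    fields = line.split()
    i = fields.index("RRSIG")
    return rrsig_time(fields[i + 6]), rrsig_time(fields[i + 5])


def signature_valid_at(line, now):
    """Plain integer comparison; ignores 32-bit serial-arithmetic wraparound."""
    inception, expiration = parse_rrsig_window(line)
    return inception <= now <= expiration


def iso(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


if __name__ == "__main__":
    serial = parse_soa_serial(SOA_LINE)
    inception, expiration = parse_rrsig_window(RRSIG_LINE)
    print("SOA serial      :", serial, "=", iso(serial))
    print("RRSIG inception :", iso(inception))
    print("RRSIG expiration:", iso(expiration))
    print("valid at serial time:", signature_valid_at(RRSIG_LINE, serial))
```

A resolver compares the current time against the inception and expiration fields when validating, which is why they cannot follow the zone's serial format.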
