[Opendnssec-user] OpenDNSSEC 2.0.1 - The SOA Serial Number

Mark Elkins mje at posix.co.za
Thu Oct 6 15:58:28 UTC 2016


I'm having fun with Serial numbers in my test suite.

I'm running a Bump-in-the-wire.

The source of the zone is rewritten every 15 minutes - which allows for
96 changes a day (4 x 24) - which fits in with a YYYYMMDDxx format for
the SOA Serial.

This also means I tickle the Signer every 15 minutes - and also every 15
minutes - even if there are no other changes.

At the moment - I'm trying "keep – keep the serial from the unsigned
zone (do not resign unless it has been incremented)"

This gives (syslog) error messages like:

Oct  6 17:45:01 signer1 ods-signerd: [namedb] zone za cannot keep SOA
SERIAL from input zone  (2016100627): previous output SOA SERIAL is
2016100627
Oct  6 17:45:01 signer1 ods-signerd: [zone] unable to update zone za soa
serial: Conflict detected
Oct  6 17:45:01 signer1 ods-signerd: [zone] If this is the result of a
key rollover, please increment the serial in the unsigned zone za
Oct  6 17:45:01 signer1 ods-signerd: [worker[1]] unable to sign zone za:
failed to increment serial
Oct  6 17:45:01 signer1 ods-signerd: [worker[1]] CRITICAL: failed to
sign zone za: Conflict detected
Oct  6 17:45:01 signer1 ods-signerd: [worker[1]] backoff task [sign] for
zone za with 60 seconds

The Zone is signed though and appears to be OK.
I am though unhappy with the error messages. They suggest I've broken
something.

For now, in kasp.xml - I'm using "lab" with:
                <Signatures>
                        <Resign>PT15M</Resign>
                        <Refresh>PT45M</Refresh>
(otherwise no changes)
[Note: this will change to "default" - i.e. signed every two hours]

I also get the same sort of errors in two other (child) zones.

The ideal outcome would be a new distributed zone every 15 minutes -
where the serial number indicates which 15 minute clock tick it was
created (or rather signed) on. In the long run - the signer needs to
maintain RRSIGs (etc) every two hours but still potentially IXFR in
changes to the zone every 15 minutes.

Initially - I used "unixtime" which (because of the published format)
changed to counter - which then overflowed the "xx" of the desired format.

Suggestions?

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
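An added example (not code from the original post or from OpenDNSSEC) modelling the serial handling discussed above: RFC 1982 serial comparison, a YYYYMMDDxx serial that advances once per 15-minute tick with 96 ticks a day, and a check that reproduces the "keep" conflict the signer logs when the unsigned zone's serial has not moved past the last signed serial. Function names and the sample serials are assumptions chosen to match the syslog lines quoted in the post.

```python
from datetime import datetime
from typing import Optional

SERIAL_SPACE = 2 ** 32
HALF_SPACE = 2 ** 31


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: is a 'greater than' b modulo 2^32?"""
    a %= SERIAL_SPACE
    b %= SERIAL_SPACE
    return (a < b and b - a > HALF_SPACE) or (a > b and a - b < HALF_SPACE)


def next_tick_serial(prev: int, now: datetime) -> int:
    """Next YYYYMMDDxx serial for a zone rewritten every 15 minutes.

    xx restarts at 00 on a new day and otherwise increments by one; 96 ticks
    a day fit in two digits, and the function refuses to run past 99 rather
    than silently spilling into the day field.
    """
    today = int(now.strftime("%Y%m%d"))  # YYYYMMDD part of the serial
    if prev // 100 < today:
        return today * 100  # first tick of a new day -> YYYYMMDD00
    if prev // 100 > today:
        raise ValueError(f"previous serial {prev} is dated after {today}")
    if prev % 100 >= 99:
        raise ValueError(f"two-digit counter exhausted for {today}")
    return prev + 1


def keep_serial(input_serial: int, prev_output: Optional[int]) -> int:
    """Model the 'keep' policy: the signed zone reuses the unsigned zone's
    serial, so that serial must be greater (RFC 1982) than the serial last
    published by the signer; otherwise the signer reports a conflict."""
    if prev_output is not None and not serial_gt(input_serial, prev_output):
        raise ValueError(
            f"cannot keep SOA SERIAL from input zone ({input_serial}): "
            f"previous output SOA SERIAL is {prev_output}"
        )
    return input_serial


if __name__ == "__main__":
    # Constructed scenario matching the post: the unsigned zone still carries
    # the serial the signer already published, so 'keep' cannot proceed.
    previous_output = 2016100627
    try:
        keep_serial(2016100627, previous_output)
    except ValueError as err:
        print("signer would log:", err)
    # The tick that actually bumps the unsigned serial resolves it.
    bumped = next_tick_serial(previous_output, datetime(2016, 10, 6, 17, 45))
    print("next unsigned serial:", keep_serial(bumped, previous_output))
```
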
