[Opendnssec-user] OpenDNSSEC 2.0.1 - The SOA Serial Number
Mark Elkins
mje at posix.co.za
Thu Oct 6 15:58:28 UTC 2016
I'm having fun with Serial numbers in my test suite.
I'm running a Bump-in-the-wire.
The source of the zone is rewritten every 15 minutes - which allows for
96 changes a day (4 x 24) - which fits in with a YYYYMMDDxx format for
the SOA Serial.
This also means I tickle the Signer every 15 minutes - and also every 15
minutes - even if there are no other changes.
At the moment - I'm trying "keep – keep the serial from the unsigned
zone (do not resign unless it has been incremented)"
This gives (syslog) error messages like:
Oct 6 17:45:01 signer1 ods-signerd: [namedb] zone za cannot keep SOA SERIAL from input zone (2016100627): previous output SOA SERIAL is 2016100627
Oct 6 17:45:01 signer1 ods-signerd: [zone] unable to update zone za soa serial: Conflict detected
Oct 6 17:45:01 signer1 ods-signerd: [zone] If this is the result of a key rollover, please increment the serial in the unsigned zone za
Oct 6 17:45:01 signer1 ods-signerd: [worker[1]] unable to sign zone za: failed to increment serial
Oct 6 17:45:01 signer1 ods-signerd: [worker[1]] CRITICAL: failed to sign zone za: Conflict detected
Oct 6 17:45:01 signer1 ods-signerd: [worker[1]] backoff task [sign] for zone za with 60 seconds
The Zone is signed though and appears to be OK.
I am though unhappy with the error messages. They suggest I've broken
something.
For now, in kasp.xml - I'm using "lab" with:
<Signatures>
<Resign>PT15M</Resign>
<Refresh>PT45M</Refresh>
(otherwise no changes)
[Note: this will change to "default" - i.e. signed every two hours]
I also get the same sort of errors in two other (child) zones.
The ideal outcome would be a new distributed zone every 15 minutes -
where the serial number indicates which 15 minute clock tick it was
created (or rather signed) on. In the long run - the signer needs to
maintain RRSIGs (etc) every two hours but still potentially IXFR in
changes to the zone every 15 minutes.
Initially - I used "unixtime" which (because of the published format)
changed to counter - which then overflowed the "xx" of the desired format.
Suggestions?
--
Mark James ELKINS - Posix Systems - (South) Africa
mje at posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
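As an added example (not OpenDNSSEC code and not part of the post above), a small Python model of the serial policies under discussion: RFC 1982 serial comparison, a YYYYMMDDxx serial keyed to the 15-minute tick of the day, the "keep" conflict check that yields the "cannot keep SOA SERIAL" message, and how "counter" can push the xx field past 99 into the date. The policy behaviours are modelled from the post's description, not taken from the signer's source, and the schedule is constructed.

```python
from datetime import datetime
from typing import Optional, Tuple

SERIAL_MOD = 1 << 32
SERIAL_HALF = 1 << 31
# Constructed schedule: two consecutive 15-minute ticks on the day of the syslog.
T0 = datetime(2016, 10, 6, 6, 45)
T1 = datetime(2016, 10, 6, 7, 0)


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial-number arithmetic: is a 'greater than' b modulo 2^32?"""
    a, b = a % SERIAL_MOD, b % SERIAL_MOD
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def tick_serial(when: datetime) -> int:
    """YYYYMMDDxx where xx is the 15-minute tick of the day, 00..95."""
    tick = (when.hour * 60 + when.minute) // 15
    return int(when.strftime("%Y%m%d")) * 100 + tick


def keep_policy(input_serial: int, previous_output: Optional[int]) -> Tuple[bool, str]:
    """'keep' policy as the post describes it (modelled, not signer code): publish the
    input serial only if it is greater, per RFC 1982, than the last published one."""
    if previous_output is None or serial_gt(input_serial, previous_output):
        return True, f"output SOA SERIAL {input_serial}"
    return False, (f"cannot keep SOA SERIAL from input zone ({input_serial}): "
                   f"previous output SOA SERIAL is {previous_output}")


def counter_policy(previous_output: int) -> int:
    """'counter' policy (modelled): every signing run bumps the serial by one."""
    return (previous_output + 1) % SERIAL_MOD


def fits_date_format(serial: int, when: datetime) -> bool:
    """Does the serial still carry that day's YYYYMMDD prefix (xx not overflowed)?"""
    return serial // 100 == int(when.strftime("%Y%m%d"))


if __name__ == "__main__":
    # Unsigned zone rewritten at T0 only, but the signer runs at T0 and again at T1.
    print(keep_policy(tick_serial(T0), None))             # ok: 2016100627
    print(keep_policy(tick_serial(T0), tick_serial(T0)))  # conflict, as in the syslog
    print(keep_policy(tick_serial(T1), tick_serial(T0)))  # ok: 2016100628
    s = tick_serial(T0)
    for _ in range(100):  # 100 extra 'counter' bumps in one day: xx runs past 99
        s = counter_policy(s)
    print(s, fits_date_format(s, T0))                      # 2016100727 False
```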