[Opendnssec-user] OpenDNSSEC 2.0.1 - The SOA Serial Number

Yuri Schaeffer yuri at nlnetlabs.nl
Fri Oct 7 08:01:44 UTC 2016

Hi Mark,

On 06-10-16 17:58, Mark Elkins wrote:
> Oct  6 17:45:01 signer1 ods-signerd: [namedb] zone za cannot keep SOA
> SERIAL from input zone  (2016100627): previous output SOA SERIAL is
> 2016100627
> Oct  6 17:45:01 signer1 ods-signerd: [zone] unable to update zone za soa
> serial: Conflict detected

I think it is because your resign interval is 15 minutes and you are
getting XFRs every 15 minutes. There is a chance the signer will have 2
consecutive runs but did not see an XFR in between. The signer will
retry a bit later and no harm was done.

To get rid of this message I would advise to raise the resign interval a
bit. Maybe even to 2*[XFR interval]. Better yet would be to have the
signer keep its own SOA serial. That way it can still refresh signatures
even if you don't get XFRs for some period.

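The situation described in this message, as an added example that is not part of the original post and not OpenDNSSEC source code: a simplified model of a signer that reuses the input SOA serial ("keep") next to one that manages its own serial. The policy name `own`, the function names and the timeline are assumptions made for illustration; the serials are constructed around the value in the quoted log.

```python
# Simplified model for illustration; not OpenDNSSEC code.
SERIAL_MOD = 2 ** 32

def serial_gt(a, b):
    """RFC 1982 serial arithmetic: True if serial a is newer than serial b."""
    return a != b and ((a - b) % SERIAL_MOD) < 2 ** 31

def next_serial(policy, inbound, prev_out):
    """Outbound SOA serial for one signer run, or None on a serial conflict."""
    if policy == "keep":
        # The signer reuses the input serial, so the input must have advanced
        # since the previous signed output, otherwise the run cannot proceed.
        if prev_out is not None and not serial_gt(inbound, prev_out):
            return None
        return inbound
    if policy == "own":  # hypothetical name for a signer-managed serial
        # Always step past whichever of the two serials is newer.
        newer = inbound if prev_out is None or serial_gt(inbound, prev_out) else prev_out
        return (newer + 1) % SERIAL_MOD
    raise ValueError("unknown policy: " + policy)

def simulate(policy, events, start_serial):
    """Replay 'xfr' (input serial + 1) and 'sign' events.
    Returns (outbound serials in order, number of conflicts)."""
    inbound, prev_out, outs, conflicts = start_serial, None, [], 0
    for ev in events:
        if ev == "xfr":
            inbound = (inbound + 1) % SERIAL_MOD
            continue
        out = next_serial(policy, inbound, prev_out)
        if out is None:
            conflicts += 1  # signer would log the conflict and retry later
        else:
            prev_out = out
            outs.append(out)
    return outs, conflicts

# Constructed timeline: the third signer run sees no XFR since the second.
TIMELINE = ["xfr", "sign", "xfr", "sign", "sign", "xfr", "sign"]

if __name__ == "__main__":
    for policy in ("keep", "own"):
        print(policy, simulate(policy, TIMELINE, 2016100625))
```

With "keep", the back-to-back runs collide on serial 2016100627 and the next XFR clears it; with a signer-managed serial every run produces a new serial, so signatures can still be refreshed when no XFR arrives.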
