[Opendnssec-user] OpenDNSSEC 2.0.1 - The SOA Serial Number
Mark Elkins
mje at posix.co.za
Mon Oct 10 16:54:46 UTC 2016
I'm afraid after changing the resign interval - everything broke.
I've restarted everything with "datecounter" and [AI]XFR an unsigned
zone that is only regenerated every 30 minutes. Also use a 30 minutes
resign in KASP. Everything currently working.
I want "datecounter" because "unixtime" ends (hopefully) within my
lifetime - January 19, 2038 03:14:08 GMT - and its getting uncomfortably
close.
On 07/10/2016 10:01, Yuri Schaeffer wrote:
> Hi Mark,
>
> On 06-10-16 17:58, Mark Elkins wrote:
>> Oct 6 17:45:01 signer1 ods-signerd: [namedb] zone za cannot keep SOA
>> SERIAL from input zone (2016100627): previous output SOA SERIAL is
>> 2016100627
>> Oct 6 17:45:01 signer1 ods-signerd: [zone] unable to update zone za soa
>> serial: Conflict detected
>
> I think it is because your resign interval is 15 minutes and you are
> getting XFR's every 15 minutes. There is a chance the signer will have 2
> consecutive runs but did not see an XFR in between. The signer will
> retry a bit later and no harm was done.
>
> To get rid of this message I would advice to raise the resign interval a
> bit. Maybe even to 2*[XFR interval]. Better yet would be to have the
> signer keep its own SOA serial. That way it can still refresh signatures
> even if you don't get XFRs for some period.
>
> Regards,
> Yuri
>
>
>
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>
--
Mark James ELKINS - Posix Systems - (South) Africa
mje at posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4230 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20161010/ca3086a2/attachment.bin>
More information about the Opendnssec-user
mailing list