[Opendnssec-user] Serial problem after rollover in 2.0.1

Fred.Zwarts F.Zwarts at KVI.nl
Fri Sep 16 10:06:45 UTC 2016


"Yuri Schaeffer" wrote in message 
news:46da313f-2c47-92b1-8c3d-cc1af1ec6d65 at nlnetlabs.nl...
>
>Hi Fred,
>
>
>> The log message "If this is the result of a key rollover ..." suggests
>> (at least to me) that it is normal that a manual intervention is needed
>> during a roll-over, but we are not used to it.
>> Is this a bug, or is it the intended behavior?
>> Are there new options to be included in the configuration?
>
>I'm guessing you use 'keep' strategy[0] for the SOA. Then you are
>responsible to increment the serial yourself and the signer is unable to
>push out updates when that hasn't happened.
>
>The reason for the message is that the enforcer can have the signer
>notified that a resign needs to happen. (because a key rollover for
>example). But with this serial strategy the signer can't without a SOA
>bump.
>
>So make sure your serial in the input zone is greater than 2016091511.
>But better would be to use 'datecounter' to let the signer manage the
>serial.
>
>Regards,
>Yuri
>
>[0]
>https://wiki.opendnssec.org/display/DOCS20/kasp.xml#kasp.xml-ZoneInformation

When I change the serial in the input zone, I can do a "ods-signer sign -all" once without problem and it will resign the zone.
When I try it a second time, it fails again with the same messages. Then I have to update the serial again in the input zone.
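An added check for the 'keep' strategy Yuri describes (example code written for this page, not part of the thread or of OpenDNSSEC): it reads the SOA serial from the input zone and compares it, with RFC 1982 serial arithmetic, against the serial the signer last published (2016091511 in the log message quoted above). The zone contents and names are constructed.

```python
import re
from typing import Tuple

SERIAL_MASK = 0xFFFFFFFF
HALF = 1 << 31  # 2**(SERIAL_BITS - 1) with SERIAL_BITS = 32

def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial-number arithmetic: True if a is 'greater than' b.
    Handles wraparound, e.g. serial_gt(1, 0xFFFFFFFF) is True."""
    a &= SERIAL_MASK
    b &= SERIAL_MASK
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)

def soa_serial(zone_text: str) -> int:
    """Extract the serial from a zone file's SOA record.
    ';' comments are stripped and the (possibly parenthesised, multi-line)
    record is flattened so the serial is the first number after MNAME/RNAME."""
    cleaned = "\n".join(line.split(";", 1)[0] for line in zone_text.splitlines())
    flat = re.sub(r"[()\s]+", " ", cleaned)
    m = re.search(r"\sSOA\s+\S+\s+\S+\s+(\d+)\s", flat)
    if not m:
        raise ValueError("no SOA record found in zone text")
    return int(m.group(1))

def resign_possible(input_zone: str, last_signed_serial: int) -> Tuple[bool, int]:
    """With the 'keep' strategy the signer only publishes when the input
    zone's serial is greater (RFC 1982) than the serial it last signed.
    Returns (ok, input_serial)."""
    current = soa_serial(input_zone)
    return serial_gt(current, last_signed_serial), current

def next_serial(last_signed_serial: int) -> int:
    """Smallest serial the operator must put in the input zone (wraps at 2^32)."""
    return (last_signed_serial + 1) & SERIAL_MASK

# Constructed input zone whose serial equals the one the signer already
# published (2016091511 from the log message), so a resign cannot happen.
STALE_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@  IN SOA ns1.example.test. hostmaster.example.test. (
        2016091511 ; serial, unchanged since the last signing run
        7200 3600 1209600 3600 )
   IN NS ns1.example.test.
"""

if __name__ == "__main__":
    ok, serial = resign_possible(STALE_ZONE, 2016091511)
    print(f"input serial {serial}: resign possible = {ok}; "
          f"bump to at least {next_serial(2016091511)}")
```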