[Opendnssec-user] SOA serial keep strategy

Tomas Simonaitis simtom at domreg.lt
Fri Jun 9 11:21:21 UTC 2017


Hi,

We are using the keep strategy and would prefer if this option
would stay available.
We are periodically generating a new zone (with a new serial),
making various checks, signing it and running checks against the signed
zone - it's convenient that the serial stays the same after signing
(as it was generated).

--
Best Regards,
Tomas Simonaitis
.lt, Domreg.lt

On 31/05/2017 13:40, Yuri Schaeffer wrote:
> Hi,
>
> One of the SOA serial strategies OpenDNSSEC has is keep. OpenDNSSEC will
> never change the serial it receives from the master, it will be just
> copied over. As a consequence only changes to the signed zone can be
> made when a change from the master comes in. OpenDNSSEC will not be able
> to refresh signatures (and thus they might expire) until a change comes
> in. OpenDNSSEC can not ensure validity of a zone.
>
> Personally I think the keep strategy is just generally a bad idea. I'm
> thinking about deprecating the keep strategy in favour of simpler code
> and less chance to shoot yourself in the foot. Therefore I'd like to
> know if there (still) is actually any demand for this feature. An
> important use case I'm missing. Is anyone using this?
>
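
The two points raised in this thread (under keep the serial must be identical before and after signing, and signatures are only refreshed when a new zone arrives) can be checked before publication. The following is an added example, not part of the original messages or of OpenDNSSEC; the zone data is constructed, the function names are hypothetical, and it assumes one record per line in `owner TTL IN TYPE ...` form.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the original thread); one record per line.
UNSIGNED_ZONE = """\
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 2017060901 7200 3600 1209600 3600
example.org. 3600 IN NS ns1.example.org.
"""
SIGNED_ZONE = """\
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 2017060901 7200 3600 1209600 3600
example.org. 3600 IN RRSIG SOA 8 2 3600 20170623112121 20170609102121 12345 example.org. c2lnMQ==
example.org. 3600 IN NS ns1.example.org.
example.org. 3600 IN RRSIG NS 8 2 3600 20170616112121 20170609102121 12345 example.org. c2lnMg==
"""

def records(zone_text):
    """Yield (owner, rtype, rdata_fields) for single-line 'owner TTL IN TYPE ...' records."""
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop trailing comments
        fields = line.split()
        if len(fields) >= 5 and fields[2].upper() == "IN":
            yield fields[0], fields[3].upper(), fields[4:]

def soa_serial(zone_text):
    for _, rtype, rdata in records(zone_text):
        if rtype == "SOA":
            return int(rdata[2])  # SOA RDATA: mname rname serial ...
    raise ValueError("no SOA record found")

def earliest_expiration(zone_text):
    """Return the earliest RRSIG expiration (fifth RDATA field, YYYYMMDDHHmmSS, UTC)."""
    expirations = [
        datetime.strptime(rdata[4], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        for _, rtype, rdata in records(zone_text) if rtype == "RRSIG"
    ]
    if not expirations:
        raise ValueError("zone contains no RRSIG records")
    return min(expirations)

def check_keep_zone(unsigned, signed, now, min_margin):
    """Return a list of problems; an empty list means the signed zone may be published."""
    problems = []
    if soa_serial(unsigned) != soa_serial(signed):
        problems.append("serial changed during signing")
    remaining = earliest_expiration(signed) - now
    if remaining < min_margin:
        problems.append(f"signatures expire in {remaining}, below margin {min_margin}")
    return problems
```

Choosing `min_margin` larger than the interval between zone generations ensures the next scheduled zone arrives, and is re-signed, before any signature in the published one expires.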



