[Opendnssec-user] SOA serial keep strategy

Yuri Schaeffer yuri at nlnetlabs.nl
Wed May 31 10:40:42 UTC 2017


Hi,

One of the SOA serial strategies OpenDNSSEC has is keep. OpenDNSSEC will
never change the serial it receives from the master, it will be just
copied over. As a consequence only changes to the signed zone can be
made when a change from the master comes in. OpenDNSSEC will not be able
to refresh signatures (and thus they might expire) until a change comes
in. OpenDNSSEC cannot ensure validity of a zone.

Personally I think the keep strategy is just generally a bad idea. I'm
thinking about deprecating the keep strategy in favour of simpler code
and less chance to shoot yourself in the foot. Therefore I'd like to
know if there (still) is actually any demand for this feature. An
important use case I'm missing. Is anyone using this?

Regards,
Yuri
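
An added example, not part of the original message and not OpenDNSSEC code: a monitoring check for the failure mode described above, where the SOA serial has not changed while RRSIGs approach or pass their expiration. The zone text, the `refresh` threshold and all function names are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of a signed zone, one record per line (not real data).
SAMPLE_ZONE = """\
example.test. 3600 IN SOA ns1.example.test. host.example.test. 2017053101 3600 600 1209600 3600
example.test. 3600 IN RRSIG SOA 8 2 3600 20170614104042 20170531094042 12345 example.test. c2ln
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN RRSIG NS 8 2 3600 20170602104042 20170519094042 12345 example.test. c2ln
www.example.test. 3600 IN A 192.0.2.10
www.example.test. 3600 IN RRSIG A 8 3 3600 20170530104042 20170516094042 12345 example.test. c2ln
"""

# RRSIG RDATA order (RFC 4034): type covered, algorithm, labels, original TTL,
# expiration, inception, key tag, signer, signature. Assumes the 14-digit
# YYYYMMDDHHmmSS timestamp form.
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expire>\d{14})\s+\d{14}\s", re.MULTILINE)
SOA_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s+(?P<serial>\d+)\s", re.MULTILINE)

def soa_serial(zone_text):
    """Return the SOA serial as an int, or None if the zone has no SOA line."""
    match = SOA_RE.search(zone_text)
    return int(match.group("serial")) if match else None

def signature_status(zone_text, now, refresh=timedelta(days=3)):
    """Classify each RRSIG as 'ok', 'refresh-due' or 'expired' at time `now`."""
    results = []
    for match in RRSIG_RE.finditer(zone_text):
        expire = datetime.strptime(match.group("expire"), "%Y%m%d%H%M%S")
        expire = expire.replace(tzinfo=timezone.utc)
        if expire <= now:
            state = "expired"
        elif expire - now <= refresh:
            state = "refresh-due"
        else:
            state = "ok"
        results.append((match.group("owner"), match.group("covered"), state))
    return results

def keep_stall_alert(zone_text, last_seen_serial, now, refresh=timedelta(days=3)):
    """True when the serial has not moved and some signature needs refreshing."""
    if soa_serial(zone_text) != last_seen_serial:
        return False
    states = signature_status(zone_text, now, refresh)
    return any(state != "ok" for _, _, state in states)
```

Run against the published zone on a schedule, an alert here means the signer is waiting for a master update that has not arrived.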
