[Opendnssec-user] SOA serial keep strategy
yuri at nlnetlabs.nl
Wed May 31 10:40:42 UTC 2017
One of the SOA serial strategies OpenDNSSEC has is keep. OpenDNSSEC will
never change the serial it receives from the master, it will be just
copied over. As a consequence only changes to the signed zone can be
made when a change from the master comes in. OpenDNSSEC will not be able
to refresh signatures (and thus they might expire) until a change comes
in. OpenDNSSEC cannot ensure validity of a zone.

Personally I think the keep strategy is just generally a bad idea. I'm
thinking about deprecating the keep strategy in favour of simpler code
and less chance to shoot yourself in the foot. Therefore I'd like to
know if there (still) is actually any demand for this feature. An
important use case I'm missing. Is anyone using this?
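
The failure mode described in the message above, as an added example that is not part of the original post and is not OpenDNSSEC code: a check that reads a signed zone, finds the RRSIG that expires first, and reports whether a refresh is due while the master serial is still the one already published. The zone data, the function name `keep_risk`, and the `refresh_margin` parameter are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of a signed zone; signature data shortened to placeholders.
SIGNED_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2017053101 3600 600 1209600 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 20170614104042 20170531094042 12345 example.com. c2lnMQ==
www.example.com. 3600 IN A 192.0.2.10
www.example.com. 3600 IN RRSIG A 8 3 3600 20170607104042 20170524094042 12345 example.com. c2lnMg==
"""

# RRSIG rdata: type covered, algorithm, labels, original TTL, expiration, inception, ...
RRSIG_RE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s", re.M)
SOA_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s+(\d+)\s", re.M)


def keep_risk(zone_text, master_serial, now, refresh_margin):
    """Report the first-expiring signature and whether 'keep' blocks its refresh.

    Assumption taken from the post: with the keep strategy the signed zone can
    only change when the serial received from the master changes.
    """
    signed_serial = int(SOA_RE.search(zone_text).group(1))
    first = None
    for owner, covered, expiration, _inception in RRSIG_RE.findall(zone_text):
        expires = datetime.strptime(expiration, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        if first is None or expires < first[1]:
            first = (f"{owner}/{covered}", expires)
    if first is None:
        raise ValueError("no RRSIG records found in zone text")
    time_left = first[1] - now
    refresh_due = time_left <= refresh_margin
    return {
        "signed_serial": signed_serial,
        "first_expiring": first[0],
        "time_left": time_left,
        "refresh_due": refresh_due,
        # Refresh is due, but no new serial has arrived to publish it under.
        "blocked_by_keep": refresh_due and master_serial == signed_serial,
    }


if __name__ == "__main__":
    now = datetime(2017, 6, 5, 10, 40, 42, tzinfo=timezone.utc)  # constructed clock
    print(keep_risk(SIGNED_ZONE, 2017053101, now, timedelta(days=3)))
```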