[Opendnssec-user] forcing lower serial

Klaus Darilion klaus.mailinglists at pernau.at
Mon Jul 16 08:52:37 UTC 2018


With ODS 1.2 we use to sign our zones always twice. First with the
incoming SOA (unix timestamp) and a second time with a serial of
original+2weeks. The first signed zone was deployed in the public.

The second with the larger serial was archived and kept for emergency
when there would be an ongoing problem with the signing process which
deployed a broken zone. Then we could easily manually deploy an older
zone file with a higher serial, so that all slaves accept the old zone.

To achieve this we always signed with "--serial".

Now, with ODS 2.0 it seems this is not possible anymore. Once a zone is
signed with a certain serial, a lower serial is not accepted anymore by
the signer. Reading the code it also seems there is no hidden option to
bypass this "safety-feature".

Does someone knows a trick how to achieve the behavior as in ODS 1.2 to
accept and force any serial? (we know what we are doing)

If know, please consider this as a feature request.


More information about the Opendnssec-user mailing list