[Pdns-users] SOA serial number editing on re-signing of a zone / RRSIG changes

[bert hubert]

On Wed, Mar 23, 2011 at 12:39:42AM +0100, Christof Meerwald wrote:
> Just wanted to check what the status is on having a PowerDNS master
> with a non-PowerDNS slave for DNSSEC signed zone - we had briefly
> discussed this some time ago and I think the slave (if it's not
> PowerDNS) currently won't do an AXFR when the RRSIG changes (and the
> SOA won't change automatically). Will this be supported in the 3.0
> release?

Hi Christof, (Jan Piet),

It only took half a week of thinking, apologies for not getting back to you
earlier. This feature has now been added.

3.0 is really getting close, so we need to figure out quickly if the
solution offered is sufficient for both your needs.

The currently implemented adds yet another domain metadata item (how did we
ever survive without that table?) called SOA-EDIT.

You can set SOA-EDIT to either 'INCEPTION', in which case the SOA serial
number will be replaced by YYYYMMDD01 of the currently issued RRSIG
inception, the one that rolls over each Thursday at midnight GMT.

You can also set it to INCEPTION-WEEK, in which case the serial number will
be very different, the integral number of weeks since the epoch of the
currently issued inception.

I'm pondering 'SERIAL-INCREMENT' that will attempt to upgrade the current
serial number with the number of weeks that have passed since the original
serial number found in the SOA record. So if your original SOA serial number
was 2011022701, and the SOA would be requested today, '4' would be added to
the serial number, to get 2011022405, which would indicate that the original
serial date is still 20110224, but that 4 'small' changes have been made.

This gets messy after 100 weeks.

Please let me know your thoughts! This code can be found in 2103, which has
been uploaded to http://powerdnssec.org/downloads (including 64 bits
packages).

I hope you can let me know quickly if this hits the mark so we can wrapup
3.0!

Good luck!