[Pdns-users] INCEPTION-INCREMENT for a signed zone

Tomas Habarta lists+pdns at tocc.cz
Thu Aug 25 08:42:19 UTC 2022


Hello,

could anyone please shed some light on SOA-EDIT for a signed zone?

Setup:
PowerDNS Authoritative Server 4.6.2, hidden master, ISC BIND slaves, bind backend, default-soa-edit-signed=INCEPTION-INCREMENT, zone makes use of YYYYMMDDSS serial

Situation:
I have got a zone which is "maintained" by people who don't know (and don't even want to know) anything about DNSSEC. They have just used it the same way for ages -- open file, add/remove record, increase serial and reload. Recently, there has been pressure to sign this zone as it is a subzone of an already signed one...
Since the serial is in YYYYMMDDSS format, they are used to starting with 00, which then causes trouble when using INCEPTION-INCREMENT for soa-edit-signed.

On inception day:
When the RRSIG changes on inception day, the serial is correctly increased, but when it comes to a zone modification the same day, with the second edit there is no serial increase, so it looks like this (202208 part omitted):

zone    pdns
------------
2307 -> 2501
2500 -> 2502    1st zone edit
2501 -> 2502    2nd zone edit
2502 -> 2503
2503 -> 2504

The problem is the second edit, as no serial increase means no update of the public masters -- we run a hidden master, so this is not really a big thing, but still a bit confusing. Reading the operation instructions does not make it clearer, as they seem to be dated (increment 2). Looking at the source in pdns/serialtweaker.cc and the history of the changes (mainly #2377), it seems it used to be that way but had other consequences...
I am sure there must be some historical reasons why it was designed the way it is (mainly the initial skip by 2 seems to complicate things unnecessarily), but with my limited view I am unable to spot them or see the possible harm to other parts of pdns... Of course, I can work around that, but this still involves a human factor...
Anyway, any information on this will be appreciated.


Many thanks
Tomas
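As an added illustration (not part of the original post or of PowerDNS), the following check applies RFC 1982 serial-number arithmetic to the sequence of serials pdns published in the table above and flags the edit whose serial did not advance, which is exactly the case where the public slaves never pick up the change. The serial list and the YYYYMMDDSS split are constructed from the post's table; nothing here models pdns' own INCEPTION-INCREMENT code.

```python
# Added example, not from the original post or from PowerDNS.
# Flags consecutive published SOA serials where an edit did not yield a
# strictly larger serial (RFC 1982 comparison), i.e. the edit is invisible
# to secondaries because they compare serials before transferring.

def serial_gt(a: int, b: int) -> bool:
    """RFC 1982: True if 32-bit serial a is 'greater than' serial b."""
    if a == b:
        return False
    return (a > b and a - b < 2**31) or (a < b and b - a > 2**31)

def yyyymmddss(serial: int) -> tuple:
    """Split a YYYYMMDDSS serial into (date, sequence)."""
    return serial // 100, serial % 100

def find_non_advancing(published: list) -> list:
    """Indexes i where published[i] does not advance past published[i-1]."""
    bad = []
    for i in range(1, len(published)):
        if not serial_gt(published[i], published[i - 1]):
            bad.append(i)
    return bad

# Constructed sample: the 'pdns' column of the post's table with the
# omitted 202208 prefix restored, in the order the edits happened.
PUBLISHED = [2022082501, 2022082502, 2022082502, 2022082503, 2022082504]

if __name__ == "__main__":
    for i in find_non_advancing(PUBLISHED):
        date, seq = yyyymmddss(PUBLISHED[i])
        print(f"edit {i}: serial {PUBLISHED[i]} did not advance past "
              f"{PUBLISHED[i - 1]} (date {date}, seq {seq:02d}); "
              "secondaries will not transfer this change")
```

Run against the serial a secondary reports versus the one the hidden master publishes, the same comparison tells you whether a NOTIFY would have triggered a transfer at all.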

