[Pdns-users] INCEPTION-INCREMENT for a signed zone

Klaus Darilion klaus.darilion at nic.at
Wed Aug 31 21:37:11 UTC 2022


Hi Tomas!

I cannot speak about INCEPTION-INCREMENT. But I remember when we had to decide which increment method to choose, we chose INCREMENT-WEEKS because it is the only method that always works, regardless of the serial format chosen by the zone editor. With INCREMENT-WEEKS the serial does not look nice, but it works.

regards
Klaus

> -----Original Message-----
> From: Pdns-users <pdns-users-bounces at mailman.powerdns.com> On
> Behalf Of Tomas Habarta via Pdns-users
> Sent: Thursday, 25 August 2022 10:42
> To: pdns-users at mailman.powerdns.com
> Subject: [Pdns-users] INCEPTION-INCREMENT for a signed zone
> 
> Hello,
> 
> could anyone please shed some light on SOA-EDIT for a signed zone?
> 
> Setup:
> PowerDNS Authoritative Server 4.6.2, hidden master, ISC BIND slaves, bind
> backend, default-soa-edit-signed=INCEPTION-INCREMENT, zone makes use
> of a YYYYMMDDSS serial
> 
> Situation:
> I have got a zone which is "maintained" by people who don't know (and even
> don't want to know) anything about DNSSEC. They have just used it the same way
> for ages -- open file, add/remove record, increase serial and reload.
> Recently, there has been pressure to sign this zone as it is a subzone of an
> already signed one...
> Since the serial is in YYYYMMDDSS format, they are used to starting with 00, which
> then makes trouble when using INCEPTION-INCREMENT for soa-edit-signed.
> 
> On inception day:
> When RRSIG changes on inception day, serial is correctly increased, but when
> it comes to the zone modification the same day, with the second edit, there
> is no serial increase, so it looks like this (202208 part omitted):
> 
> zone    pdns
> ------------
> 2307 -> 2501
> 2500 -> 2502	1st zone edit
> 2501 -> 2502	2nd zone edit
> 2502 -> 2503
> 2503 -> 2504
> 
> The problem is the second edit, as no serial increase means no public masters
> update -- we run a hidden master, so this is not much of a real big thing, but still
> a bit confusing. Reading the operation instructions does not make it any clearer, as
> it seems to be dated (increment 2). Looking at the source in
> pdns/serialtweaker.cc and the history of the changes (mainly #2377), it seems it
> used to be that way but had other consequences...
> I am sure there must be some historical reasons why it was designed the way
> it is (mainly the initial skip by 2 seems to complicate things unnecessarily), but
> with my limited view I am unable to spot them or see the possible harm to
> other parts of pdns... Of course, I can work around that, but this still involves a
> human factor...
> Anyway, any information on this will be appreciated.
> 
> 
> Many thanks
> Tomas
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users

