[Pdns-users] INCEPTION-INCREMENT for a signed zone

Tomas Habarta lists+pdns at tocc.cz
Fri Sep 2 08:34:28 UTC 2022


Hi Klaus,

Thanks for your reply. Well, yes, a couple of other methods work correctly, but the case is kind of special, as I need to avoid a serial format change (with all that old dogs/new tricks stuff).
The described behaviour seems buggy at the moment, therefore I hoped to see the reason why it works that way and whether that is really the intended way it should work...


Thanks anyway ;-)
Tomas



On Wed, Aug 31, 2022 at 11:37:11PM +0200, Klaus Darilion via Pdns-users wrote:
> Hi Tomas!
> 
> I cannot speak about INCEPTION-INCREMENT. But I remember that when we had to decide which increment method to choose, we chose INCREMENT-WEEKS because it is the only method that always works, regardless of the serial format chosen by the zone editor. With INCREMENT-WEEKS the serial does not look nice, but it works.
> 
> regards
> Klaus
> 
> > -----Original Message-----
> > From: Pdns-users <pdns-users-bounces at mailman.powerdns.com> On
> > Behalf Of Tomas Habarta via Pdns-users
> > Sent: Thursday, 25 August 2022 10:42
> > To: pdns-users at mailman.powerdns.com
> > Subject: [Pdns-users] INCEPTION-INCREMENT for a signed zone
> > 
> > Hello,
> > 
> > could anyone please shed some light on SOA-EDIT for a signed zone?
> > 
> > Setup:
> > PowerDNS Authoritative Server 4.6.2, hidden master, isc bind slaves, bind
> > backend, default-soa-edit-signed=INCEPTION-INCREMENT, zone makes use
> > of YYYYMMDDSS serial
> > 
> > Situation:
> > I have got a zone which is "maintained" by people who don't know (and don't
> > even want to know) anything about DNSSEC. They have just used it the same way
> > for ages -- open file, add/remove record, increase serial and reload.
> > Recently, there has been pressure to sign this zone as it is a subzone of
> > an already signed one...
> > Since the serial is in YYYYMMDDSS format, they are used to starting with 00, which
> > then causes trouble when using INCEPTION-INCREMENT for soa-edit-signed.
> > 
> > On inception day:
> > When RRSIG changes on inception day, the serial is correctly increased, but when
> > it comes to zone modification the same day, with the second edit there
> > is no serial increase, so it looks like this (202208 part omitted):
> > 
> > zone    pdns
> > ------------
> > 2307 -> 2501
> > 2500 -> 2502	1st zone edit
> > 2501 -> 2502	2nd zone edit
> > 2502 -> 2503
> > 2503 -> 2504
> > 
> > The problem is the second edit, as no serial increase means no public masters
> > update -- we run a hidden master, so this is not really a big thing but still
> > a bit confusing. Reading the operation instructions does not make it any clearer, as
> > they seem to be dated (increment 2). Looking at the source in
> > pdns/serialtweaker.cc and the history of the changes (mainly #2377), it seems it
> > used to be that way but had other consequences...
> > I am sure there must be some historical reasons why it was designed the way
> > it is (mainly the initial skip by 2 seems to complicate things unnecessarily), but
> > with my limited view I am unable to spot them or see the possible harm to
> > other parts of pdns... Of course, I can work around that, but this still involves a
> > human factor...
> > Anyway, any information on this will be appreciated.
> > 
> > 
> > Many thanks
> > Tomas
> > _______________________________________________
> > Pdns-users mailing list
> > Pdns-users at mailman.powerdns.com
> > https://mailman.powerdns.com/mailman/listinfo/pdns-users
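The serial mapping in the quoted table can be replayed to see which edits never reach the secondaries. This is an added example, not part of the thread and not PowerDNS code: the branches of `published_serial` are inferred only from the five table rows, the inception day 2022-08-25 is read off the `25xx` serials, and the function and variable names are hypothetical.

```python
# Added example: a model of the serial mapping in the quoted table.
# Inferred from the five table rows only; it is not PowerDNS source code.

def published_serial(backend: int, inception_day: int) -> int:
    """Map a backend SOA serial (YYYYMMDDSS) to the served serial.

    inception_day is YYYYMMDD. Assumption: we are inside the window
    right after RRSIG inception, the only period the table covers.
    """
    base = inception_day * 100          # <inceptionday>00
    if backend < base:                  # older than inception day
        return base + 1                 # row: 2307 -> 2501
    if backend <= base + 1:             # SS of 00 and 01 collapse together
        return base + 2                 # rows: 2500 -> 2502, 2501 -> 2502
    return backend + 1                  # rows: 2502 -> 2503, 2503 -> 2504


def find_stalls(backend_serials, inception_day):
    """Return (previous, current, served) for each edit whose served serial
    did not grow, i.e. an edit a serial-comparing secondary would not fetch.

    Plain integer comparison is used; RFC 1982 wraparound is ignored.
    """
    stalls = []
    last_served = None
    previous = None
    for current in backend_serials:
        served = published_serial(current, inception_day)
        if last_served is not None and served <= last_served:
            stalls.append((previous, current, served))
        last_served, previous = served, current
    return stalls


# Constructed input: the edit sequence from the post, with 202208 restored.
INCEPTION_DAY = 20220825
EDITS_FROM_00 = [2022082307, 2022082500, 2022082501, 2022082502]
# Constructed variant: same day, but the operator starts SS at 02.
EDITS_FROM_02 = [2022082307, 2022082502, 2022082503]

if __name__ == "__main__":
    for name, edits in (("SS from 00", EDITS_FROM_00), ("SS from 02", EDITS_FROM_02)):
        print(name, [published_serial(s, INCEPTION_DAY) for s in edits],
              "stalls:", find_stalls(edits, INCEPTION_DAY))
```

In this model the only stall is the second same-day edit (backend 2022082501), and it disappears when the first edit on inception day uses SS 02 or higher.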