Serial numbers for inline signing

Chris Thompson cet1 at cam.ac.uk
Wed Dec 18 16:02:06 UTC 2013


On Dec 18 2013, Alan Clegg wrote:

>
>On Dec 18, 2013, at 10:17 AM, Thomas Schulz <schulz at adi.com> wrote:
>
>> I have a question about the serial number as modified by inline signing.
>> I have a static zone, adi.com, that I am setting up for dnssec. I added
>>        inline-signing yes;
>>        key-directory "dnssec";
>>        auto-dnssec maintain;
>> to my named.conf file after generating the keys and then did a rndc restart.
>> After that I did a
>> rndc signing -nsec3param 1 0 10 aef7db3a adi.com
>> to switch to nsec3. Checking the resulting serial number, I find that it is
>> 2013120423. The serial number in the static zone file is 2013120400.
>> Why did it bump it up to 23? I expected something like 02.
>
>I can't tell you why you got an exact number, but the best rule about this
>is "don't worry about the signed serial number", as BIND will take care of
>it for you.  As long as you continue to increment the static zone serial
>number as you always have, the serial in the signed zone will be maintained
>correctly.
>
>There are a number of things that are happening all the time with the signed
>zone that you are not aware of, for example, re-signing as signatures reach
>expiration, re-signing when you change from NSEC to NSEC3, etc.
>
>All of these will keep the signed serial number 'bumping up' even when your
>zone isn't changing.

You can look at the sequence of changes to the signed zone by using 

  dig ixfr=2013120400 adi.com @[yourauthserver]

or by applying named-journalprint to the .signed.jnl file, unless the
journal has been pruned as a result of exceeding the max-journal-size
setting. But this won't tell you *when* each increment happened.

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
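As an added example (not part of the thread), here is a small Python script that takes the answer section of a `dig ixfr=...` transcript like the one suggested above, splits it into the per-serial deltas, and flags gaps or non-increasing serials. The sample records are constructed for illustration, not real adi.com data, and the NSEC3 owner name is a made-up hash.

```python
import re
from collections import Counter

SOA_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s+(\d+)\b")
# Constructed IXFR answer section (hypothetical records, not real adi.com data):
# current SOA, then per change (old SOA, deleted RRs, new SOA, added RRs), then current SOA.
SAMPLE_IXFR = """\
adi.com. 3600 IN SOA ns1.adi.com. hostmaster.adi.com. 2013120403 3600 900 604800 300
adi.com. 3600 IN SOA ns1.adi.com. hostmaster.adi.com. 2013120400 3600 900 604800 300
adi.com. 3600 IN SOA ns1.adi.com. hostmaster.adi.com. 2013120401 3600 900 604800 300
adi.com. 3600 IN NSEC3PARAM 1 0 10 AEF7DB3A
adi.com. 3600 IN SOA ns1.adi.com. hostmaster.adi.com. 2013120401 3600 900 604800 300
adi.com. 3600 IN NSEC www.adi.com. A NS SOA RRSIG NSEC DNSKEY
adi.com. 3600 IN SOA ns1.adi.com. hostmaster.adi.com. 2013120402 3600 900 604800 300
ABCDEF.adi.com. 3600 IN NSEC3 1 0 10 AEF7DB3A FEDCBA A NS SOA RRSIG DNSKEY NSEC3PARAM
adi.com. 3600 IN SOA ns1.adi.com. hostmaster.adi.com. 2013120402 3600 900 604800 300
adi.com. 3600 IN RRSIG SOA 8 2 3600 20131218000000 20131204000000 12345 adi.com. oldsig==
adi.com. 3600 IN SOA ns1.adi.com. hostmaster.adi.com. 2013120403 3600 900 604800 300
adi.com. 3600 IN RRSIG SOA 8 2 3600 20140101000000 20131218000000 12345 adi.com. newsig==
adi.com. 3600 IN SOA ns1.adi.com. hostmaster.adi.com. 2013120403 3600 900 604800 300
"""

def parse_ixfr(text: str) -> list:
    """One dict per change: old/new serial plus the RR types deleted and added."""
    rrs = [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith(";")]
    soa_at = [i for i, ln in enumerate(rrs) if SOA_RE.match(ln)]
    if len(soa_at) < 2:
        return []  # no deltas: the server answered with a full AXFR or nothing at all
    inner = soa_at[1:-1]  # the SOAs between the leading and trailing "current" SOA
    if len(inner) % 2:
        raise ValueError("malformed IXFR: old/new SOA records do not pair up")
    serial = lambda i: int(SOA_RE.match(rrs[i]).group(1))
    rrtypes = lambda lines: Counter(ln.split()[3] for ln in lines)  # 4th field is the RR type
    deltas = []
    for k in range(0, len(inner), 2):
        old_i, new_i, end_i = inner[k], inner[k + 1], (inner[k + 2] if k + 2 < len(inner) else soa_at[-1])
        deltas.append({"old": serial(old_i), "new": serial(new_i),
                       "deleted": rrtypes(rrs[old_i + 1:new_i]),
                       "added": rrtypes(rrs[new_i + 1:end_i])})
    return deltas

def check_serials(deltas: list) -> list:
    """Flag a non-increasing step or a gap between deltas (e.g. pruned journal); plain int compare, not RFC 1982."""
    problems = []
    for i, d in enumerate(deltas):
        if d["new"] <= d["old"]:
            problems.append(f"serial did not increase: {d['old']} -> {d['new']}")
        if i and d["old"] != deltas[i - 1]["new"]:
            problems.append(f"gap: {deltas[i - 1]['new']} -> {d['old']}")
    return problems
```

Like the journal itself, this only shows what changed between serials, not when; timestamps have to come from the named log.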