Serial numbers for inline signing
Antonio Querubin
tony at lavanauts.org
Thu Dec 19 07:34:39 UTC 2013
On Thu, 19 Dec 2013, Evan Hunt wrote:
> You're using inline-signing? Which server do you have doing the signing?
Only the master has 'auto-dnssec maintain' in the zone config.
> Name servers can get out of sync because the slaves haven't refreshed
> recently, but in that case I would expect the master would be ahead of
> the slave, not the other way around.
Yes I know.
> If you're using inline-signing and you have the slave signing, then
> the slave's serial number would get ahead of the master's... but in
> that case, the master should be "hidden" -- it shouldn't be listed
> in the NS RRset for the zone, and a consistency check should ignore
> it.
No, the slaves don't do any signing, just the master.
Antonio Querubin
e-mail: tony at lavanauts.org
xmpp: antonioquerubin at gmail.com
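
An added example, not part of the original thread: a minimal sketch of the serial consistency check discussed above. It compares SOA serials using RFC 1982 serial arithmetic, reports a listed slave that is ahead of the master, and ignores a master that is not in the NS RRset. The function names, server names and serials are assumptions constructed for illustration.

```python
# Added example; server names and serials below are constructed sample data.
HALF = 1 << 31          # half of the 32-bit SOA serial space
MASK = 0xFFFFFFFF

def serial_cmp(a, b):
    """RFC 1982 compare: -1 if a < b, 0 if equal, 1 if a > b, None if undefined."""
    a &= MASK
    b &= MASK
    if a == b:
        return 0
    diff = (b - a) & MASK
    if diff == HALF:
        return None     # exactly half the space apart: ordering is undefined
    return -1 if diff < HALF else 1

def check_zone(ns_rrset, master, serials):
    """Classify each NS-listed server against a reference serial.

    ns_rrset: set of server names published in the zone's NS RRset
    master:   name of the signing master (hypothetical parameter)
    serials:  dict of server name -> SOA serial observed on that server
    """
    listed = {s: v for s, v in serials.items() if s in ns_rrset}
    if master in listed:
        ref = listed[master]            # visible master is the reference
    else:
        # Hidden master: ignore it, use the newest serial among listed servers.
        ref = None
        for v in listed.values():
            if ref is None or serial_cmp(v, ref) == 1:
                ref = v
    labels = {0: "in-sync", -1: "behind", 1: "ahead", None: "undefined"}
    return {s: labels[serial_cmp(v, ref)]
            for s, v in listed.items() if s != master}

if __name__ == "__main__":
    observed = {"ns1.example.net": 2013121901,   # master
                "ns2.example.net": 2013121900,   # slave that has not refreshed
                "ns3.example.net": 2013121905}   # slave ahead: the odd case
    print(check_zone(set(observed), "ns1.example.net", observed))
```
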