Inline-signing feature request: Directly set the signed zone's serial number

Terry Burton tez at terryburton.co.uk
Tue Oct 7 20:57:16 UTC 2014


On 7 Oct 2014 21:44, "Doug Barton" <dougb at dougbarton.us> wrote:
>
> On 10/7/14 11:03 AM, Terry Burton wrote:
>
>> With inline signing you have a hidden serial number in the unsigned zone
>> and an exposed serial number in the signed versions which your slaves
>> track. After redeployment (following DR, emergency relocation, elastic
>> capacity expansion, etc.) I want to be able to bump the exposed serial
>> number (once) back to an appropriate value without having to modify the
>> unsigned zones.
>>
>> (For context, the unsigned zone serial number matches the revision
>> number in a VCS to which the DNS infrastructure hosts and administrators
>> have read-only access, i.e. mandatory separation of infrastructure and
>> data access rights.)
>
>
> * Check out the unmodified version of the unsigned zone
> * Increase the serial number in the checked out copy to be past the one in the signed zone
> * rndc reload
> * Delete the modified version of the zone file, and revert to the master copy
>
> ... all of which is not to say that your request is not reasonable, just letting you know that a solution exists.

Sure, this is the approach that is currently taken. As stressed in my
request, this is purely for convenience... and a little bit of obsessive
data purity - load what you're given without additional processing, etc.

Thanks all the same!
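The four-step workaround quoted above, scripted as an added example (not code from this thread, nor from BIND). The zone-file layout (serial as the last value before a "; serial" comment), the git checkout of the unsigned zones, the local dig query and the rndc call are assumptions, not details from the list:

```shell
#!/bin/sh
# Added example, not code from the thread: the workaround outlined above,
# scripted. Assumes the classic zone-file layout with the SOA serial as the
# last value before a "; serial" comment, a git checkout of the unsigned
# zone files, and dig/rndc on the signing host (all assumptions).
set -eu

# Serial that follows $1, wrapping at 2^32 as RFC 1982 serial arithmetic does.
next_serial() {
    echo $(( ($1 + 1) % 4294967296 ))
}

# Print the serial currently in zone file $1 (last value before "; serial").
get_zone_serial() {
    awk '/;[[:space:]]*[Ss]erial/ { sub(/[[:space:]]*;.*/, ""); print $NF; exit }' "$1"
}

# Rewrite the serial in zone file $1 to $2, touching nothing else in the file.
set_zone_serial() {
    zonefile=$1; serial=$2
    awk -v s="$serial" '
        !done && /;[[:space:]]*[Ss]erial/ {
            i = index($0, ";"); pre = substr($0, 1, i - 1); post = substr($0, i)
            if (sub(/[0-9]+[[:space:]]*$/, s " ", pre)) { $0 = pre post; done = 1 }
        }
        { print }' "$zonefile" > "$zonefile.tmp" && mv "$zonefile.tmp" "$zonefile"
}

# The four steps: read the serial the signed zone exposes, bump the checked-out
# unsigned copy past it, reload, then revert the working copy to the VCS master.
# (Queries the local signing server; the @127.0.0.1 address is an assumption.)
reseed_signed_serial() {
    zone=$1; zonefile=$2
    exposed=$(dig +short SOA "$zone" @127.0.0.1 | awk '{ print $3 }')
    set_zone_serial "$zonefile" "$(next_serial "$exposed")"
    rndc reload "$zone"
    git -C "$(dirname "$zonefile")" checkout -- "$(basename "$zonefile")"
}

# Usage: sh reseed.sh --run example.com /srv/zones/db.example.com
if [ "${1:-}" = "--run" ]; then
    reseed_signed_serial "$2" "$3"
fi
```

The serial helpers only touch the single number before the "; serial" comment, so the rest of the checked-out file is byte-for-byte what the VCS holds until the final revert.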