Inline-signing feature request: Directly set the signed zone's serial number

Chris Thompson cet1 at cam.ac.uk
Fri Oct 17 16:23:27 UTC 2014


On Oct 8 2014, Tony Finch wrote:

>Terry Burton <tez at terryburton.co.uk> wrote:
>>
>> This is especially useful in bootstrapping scenarios where the zone
>> data is held under strict revision control or generated by some
>> provisioning system that "owns" the serial number.
>
>Our provisioning system used to think it owned zone serial numbers, but
>when we started signing we moved the version tag into an HINFO record.

In case anyone wonders "why HINFO?", this was because

1. No-one wants to use HINFO at a zone apex for any other reason.
2. As a very ancient type, even early Windows DNS Server implementations
   didn't object to it when slaving the zones.
3. One can put arbitrary text strings in it.

... but also for the much less reputable

4. As a low numbered type, it got sorted immediately after the apex
   SOA and NS records in a zone file normalised by "named-checkzone -D".

Well, it served me right when we later had to put an A record (sorts before
HINFO) at the apex of cam.ac.uk and I had to modify our
normalised-zone-file-comparison program to allow for that!

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
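As an added illustration, not code from this post or from BIND: a small Python sketch of the kind of normalised-zone-file comparison described above. It reads records in the one-per-line form that `named-checkzone -D` prints, pulls the version tag out of the apex HINFO record, and diffs two revisions with the SOA serial masked so that re-signing alone never shows as a change. The zone contents and names are constructed.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample input (not from the post), one record per line as
# "named-checkzone -D" emits it: apex SOA and NS first, then the apex A
# (which sorts before HINFO) and the HINFO carrying the version tag.
ZONE_V1 = """\
example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. 2014101701 3600 900 1209600 300
example.net. 3600 IN NS ns1.example.net.
example.net. 3600 IN A 192.0.2.10
example.net. 3600 IN HINFO "git-rev" "a1b2c3d"
ns1.example.net. 3600 IN A 192.0.2.1
"""
# Same zone after the provisioning system bumped its tag and the signer
# chose a new serial; nothing else changed.
ZONE_V2 = ZONE_V1.replace("2014101701", "2014101702").replace("a1b2c3d", "e4f5a6b")

def parse(zone_text: str) -> List[Tuple[str, str, str, str]]:
    """Split each record into (owner, ttl, type, rdata); class IN is assumed present."""
    records = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, ttl, _cls, rtype, rdata = line.split(None, 4)
        records.append((owner, ttl, rtype, rdata))
    return records

def apex_version(zone_text: str) -> Optional[Tuple[str, ...]]:
    """Return the quoted strings of the apex HINFO (the version tag), if any."""
    recs = parse(zone_text)
    apex = next(r[0] for r in recs if r[2] == "SOA")   # SOA owner is the zone name
    for owner, _ttl, rtype, rdata in recs:
        if owner == apex and rtype == "HINFO":
            return tuple(re.findall(r'"([^"]*)"', rdata))
    return None

def normalised(zone_text: str) -> List[str]:
    """Records with the SOA serial blanked out, so a re-sign alone never differs."""
    out = []
    for owner, ttl, rtype, rdata in parse(zone_text):
        if rtype == "SOA":
            fields = rdata.split()      # mname rname serial refresh retry expire minimum
            fields[2] = "SERIAL"
            rdata = " ".join(fields)
        out.append(f"{owner} {ttl} IN {rtype} {rdata}")
    return out

def zone_diff(old: str, new: str) -> Tuple[List[str], List[str]]:
    """(removed, added) records between two revisions, independent of line order."""
    a, b = set(normalised(old)), set(normalised(new))
    return sorted(a - b), sorted(b - a)
```

Because the comparison is set-based rather than positional, a record that sorts ahead of HINFO (such as an apex A) needs no special handling.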
