Serial numbers for inline signing

Alan Clegg alan at clegg.com
Wed Dec 18 15:27:17 UTC 2013


On Dec 18, 2013, at 10:17 AM, Thomas Schulz <schulz at adi.com> wrote:

> I have a question about the serial number as modified by inline signing.
> I have a static zone, adi.com, that I am setting up for dnssec. I added
>        inline-signing yes;
>        key-directory "dnssec";
>        auto-dnssec maintain;
> to my named.conf file after generating the keys and then did a rndc restart.
> After that I did a
> rndc signing -nsec3param 1 0 10 aef7db3a adi.com
> to switch to nsec3. Checking the resulting serial number, I find that it is
> 2013120423. The serial number in the static zone file is 2013120400.
> Why did it bump it up to 23? I expected something like 02.

I can’t tell you why you got an exact number, but the best rule about this is “don’t worry about the signed serial number”, as BIND will take care of it for you.  As long as you continue to increment the static zone serial number as you always have, the serial in the signed zone will be maintained correctly.

There are a number of things that are happening all the time with the signed zone that you are not aware of, for example, re-signing as signatures reach expiration, re-signing when you change from NSEC to NSEC3, etc.

All of these will keep the signed serial number ‘bumping up’ even when your zone isn’t changing.

AlanC
-- 
Alan Clegg | +1-919-355-8851 | alan at clegg.com
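The check a practitioner would want after reading the exchange above is a quick way to confirm that the serial the signed (served) copy advertises has not fallen behind the serial in the static zone file, since that is the comparison secondaries make when deciding whether to transfer. The following is an added example, not code from the post or from BIND: it parses the serial out of a zone file and out of a `dig +short SOA` answer, then compares the two with RFC 1982 serial arithmetic so a wrapped serial is handled correctly. The zone-file text and dig answer are constructed to match the numbers quoted in the thread (2013120400 in the file, 2013120423 served); the nameserver and hostmaster names are placeholders, and the expectation that the served serial should be equal to or ahead of the file's serial is taken from the reply above rather than from any BIND documentation.

```python
"""Compare a BIND inline-signed zone's served SOA serial with the serial in
the unsigned zone file, using RFC 1982 serial-number arithmetic.

Added example for the bind-users thread; not BIND's code. The sample inputs
below are constructed; in practice feed it the zone file text and the output
of `dig +short SOA adi.com @127.0.0.1`.
"""
import re

SERIAL_HALF = 1 << 31  # half the 32-bit serial space, per RFC 1982


def serial_gt(a: int, b: int) -> bool:
    """True when a > b in 32-bit serial arithmetic (RFC 1982), handling wraparound."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def serial_from_zonefile(text: str) -> int:
    """Extract the SOA serial from master-file text.

    Assumes the usual layout: `... SOA MNAME RNAME ( serial refresh retry expire
    minimum )`, possibly spread over several lines with `;` comments. The serial
    is the first integer after RNAME.
    """
    # Drop ';' comments, then flatten so a multi-line SOA becomes one string.
    stripped = "\n".join(line.split(";", 1)[0] for line in text.splitlines())
    flat = re.sub(r"\s+", " ", stripped)
    m = re.search(r"\bSOA\s+\S+\s+\S+\s*\(?\s*(\d+)", flat)
    if not m:
        raise ValueError("no SOA record found in zone file text")
    return int(m.group(1))


def serial_from_dig_short(line: str) -> int:
    """Parse one `dig +short SOA` answer line:
    'mname rname serial refresh retry expire minimum'."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError(f"unexpected SOA answer: {line!r}")
    return int(fields[2])


def check_inline_signed(unsigned_serial: int, served_serial: int) -> str:
    """Classify the served (signed) serial relative to the zone-file serial.

    Assumption taken from the thread, not a BIND guarantee: with inline-signing
    the served serial belongs to the signed copy, which BIND bumps on its own
    (re-signing, NSEC/NSEC3 changes) and which should never lag the unsigned
    file. 'signed-behind' means secondaries would not notice the latest edit.
    """
    if served_serial == unsigned_serial:
        return "equal"
    if serial_gt(served_serial, unsigned_serial):
        return "signed-ahead"
    return "signed-behind"


# Constructed sample data matching the serials quoted in the thread.
ZONE_FILE = """\
$TTL 3600
adi.com.  IN SOA ns1.adi.com. hostmaster.adi.com. (
            2013120400 ; serial
            7200 3600 1209600 3600 )
"""
DIG_SHORT = "ns1.adi.com. hostmaster.adi.com. 2013120423 7200 3600 1209600 3600"


def run_check(zone_text: str = ZONE_FILE, dig_line: str = DIG_SHORT) -> str:
    """Run the comparison on the sample data and return the verdict."""
    unsigned = serial_from_zonefile(zone_text)
    served = serial_from_dig_short(dig_line)
    verdict = check_inline_signed(unsigned, served)
    print(f"zone file serial {unsigned}, served serial {served}: {verdict}")
    return verdict


if __name__ == "__main__":
    run_check()
```

The only verdict that calls for action is "signed-behind": the signed copy advertising a serial older than the file's means the edit you made to the static zone has not propagated, whereas "signed-ahead", as with 2013120423 versus 2013120400 here, is the normal state that the reply describes.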
