inline-signing: SOA serial out of sync

Axel Rau Axel.Rau at Chaos1.DE
Sat Jun 9 13:20:46 UTC 2018


Hi Tony,

sorry for the late reply.

> On 07.06.2018 at 14:20, Tony Finch <dot at dotat.at> wrote:
> 
> Axel Rau <Axel.Rau at Chaos1.DE> wrote:
>> 
>> occasionally named 9.11.3 fails to increment SOA serial like here:
>> 
>> 	file: 2018060605 dns: 2018060604
> 
> With inline signing the signed and unsigned zones have separate serial
> numbers, so this is normal. If I understand inline-signing correctly, when
> you only modify the unsigned zone's serial number, that is not a big
> enough change to require an update to the signed version of the zone.
I changed a RR and the serial. Immediately after such a change, both
serials are usually equal, which my script checks.
If they are different, this usually indicates some error with signing.
> 
> You can use `rndc zonestatus` to see the server's view of both serial
> numbers.
I see.
> 
> You can use `rndc signing -serial` to set the serial number of the signed
> zone.
> 
> You might want to set `serial-update-method` if you want something more
> meaningful than an increment for each update (e.g. `date`).


OK.

Thanks for responding,
Axel
---
PGP-Key:29E99DD6  ☀  computing @ chaos claudius
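
Added example, not part of the original message or of BIND: a sketch of a check that reads both serial numbers from `rndc zonestatus` output and compares them with RFC 1982 serial arithmetic. The sample output, the zone name `example.org` and the function names are constructed for illustration.

```python
# Constructed sample modeled on `rndc zonestatus` output for an
# inline-signed zone; the values mirror the mismatch reported in the thread.
SAMPLE = """\
name: example.org
type: master
serial: 2018060605
signed serial: 2018060604
secure: yes
inline signing: yes
"""

MASK = 0xFFFFFFFF
HALF = 0x80000000


def parse_zonestatus(text):
    """Turn 'key: value' lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def serial_cmp(a, b):
    """RFC 1982 comparison of 32-bit serials: -1 if a < b, 0 if equal,
    1 if a > b, None where the RFC leaves the result undefined."""
    a &= MASK
    b &= MASK
    if a == b:
        return 0
    diff = (b - a) & MASK
    if diff == HALF:
        return None
    return -1 if diff < HALF else 1


def check_serials(text):
    """Report how the signed serial relates to the unsigned one."""
    fields = parse_zonestatus(text)
    if "signed serial" not in fields:
        return "no-signed-serial"  # zone is not inline-signed
    result = serial_cmp(int(fields["signed serial"]), int(fields["serial"]))
    return {0: "in-sync", -1: "signed-behind", 1: "signed-ahead"}.get(
        result, "undefined")


if __name__ == "__main__":
    print(check_serials(SAMPLE))
```
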
