inline-signing: SOA serial out of sync

Axel Rau Axel.Rau at Chaos1.DE
Sat Jun 9 13:20:51 UTC 2018


Hi Matthew,

sorry for my late answer.

> On 07.06.2018 at 15:31, Matthew Pounsett <matt at conundrum.com> wrote:
> 
> 
> 
> On 7 June 2018 at 07:36, Axel Rau <Axel.Rau at chaos1.de> wrote:
> Hi all,
> 
> occasionally named 9.11.3 fails to increment SOA serial like here:
> 
>         file: 2018060605 dns: 2018060604
> 
> zone file was edited by script and a rndc reload given.
> [...] 
> Manual fixing requires another cycle with zone file editing:
> 
>  
> You don't say this clearly, but it sounds like you're reporting more than just the serial not updating.  Is that correct?
Yes.
> Are there actual updates to the zone that are not being picked up?
Yes, that’s the point. If the problem happens, the signing machinery is blocked until resolved manually.
I don’t know the reason. named-checkzone reported no errors, but in case of syntax errors, named behaves similarly.
>   As Tony says, the serial number can differ from the file to what's served by the name server when the name server is doing automatic signing.
> 
> Can you clarify which it is?
I hope I did (-:

There is nothing special with this zone file:

- - -
[hermes:~] root# rndc zonestatus lrau.net
name: lrau.net
type: master
files: master/signed/lrau.net/lrau.net.zone, master/signed/lrau.net/caldav.lrau.net.tlsa, master/signed/lrau.net/git3.lrau.net.tlsa, master/signed/lrau.net/git4.lrau.net.tlsa, master/signed/lrau.net/lists3.lrau.net.tlsa, master/signed/lrau.net/lists4.lrau.net.tlsa, master/signed/lrau.net/mailout3.lrau.net.tlsa, master/signed/lrau.net/mailout4.lrau.net.tlsa, master/signed/lrau.net/mx3.lrau.net.tlsa, master/signed/lrau.net/mx4.lrau.net.tlsa, master/signed/lrau.net/timap3.lrau.net.tlsa, master/signed/lrau.net/tmx3.lrau.net.tlsa, master/signed/lrau.net/acme_challenges.inc
serial: 2018060805
signed serial: 2018060805
nodes: 88
last loaded: Thu, 07 Jun 2018 10:37:34 GMT
secure: yes
inline signing: yes
key maintenance: automatic
next key event: Sat, 09 Jun 2018 13:08:21 GMT
next resign node: gw2.m6d2.lrau.net/NSEC
next resign time: Fri, 29 Jun 2018 21:38:07 GMT
dynamic: no
reconfigurable via modzone: no

[hermes:local/etc/namedb] root# named-checkzone lrau.net /usr/local/etc/namedb/master/signed/lrau.net/lrau.net.zone
zone lrau.net/IN: loaded serial 2018060805
OK
- - -

Thanks, Axel
---
PGP-Key:29E99DD6  ☀  computing @ chaos claudius
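The mismatch Axel describes (serial in the zone file ahead of the serial named serves, with inline signing stuck until the file is edited again) can be caught by a periodic check rather than discovered by hand. The script below is an added example, not code from the thread or from BIND: it parses the `loaded serial` line that named-checkzone prints and the `serial:` / `signed serial:` lines of `rndc zonestatus`, and fails when they disagree. The sample outputs embedded at the bottom are constructed from the numbers in the thread; the zone name and file path in the live-use comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): detect a zone file whose SOA serial
# is out of sync with what named reports, before inline signing gets stuck.

# Extract "loaded serial N" from named-checkzone output.
file_serial() {
    printf '%s\n' "$1" | sed -n 's/.*loaded serial \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Extract a numeric "key: value" field from rndc zonestatus output
# (anchored at line start, so "serial" does not match "signed serial").
zonestatus_field() {
    printf '%s\n' "$1" | sed -n "s/^$2: *\([0-9][0-9]*\)\$/\1/p" | head -n 1
}

# Return 0 when file serial, served serial and signed serial all agree,
# 1 on a mismatch, 2 when one of the values could not be parsed.
check_serials() {
    f=$(file_serial "$1")
    r=$(zonestatus_field "$2" "serial")
    s=$(zonestatus_field "$2" "signed serial")
    [ -n "$f" ] && [ -n "$r" ] && [ -n "$s" ] || return 2
    if [ "$f" = "$r" ] && [ "$r" = "$s" ]; then
        return 0
    fi
    echo "serial mismatch: file=$f named=$r signed=$s" >&2
    return 1
}

# Constructed sample outputs mirroring the thread's "file: 2018060605
# dns: 2018060604" situation (a zone name from the thread, values made up).
SAMPLE_CHECKZONE="zone lrau.net/IN: loaded serial 2018060605
OK"
SAMPLE_ZONESTATUS="name: lrau.net
type: master
serial: 2018060604
signed serial: 2018060604
secure: yes
inline signing: yes"

# Live use on the name server (ZONE and ZONEFILE are placeholders):
#   check_serials "$(named-checkzone "$ZONE" "$ZONEFILE")" "$(rndc zonestatus "$ZONE")"
if [ "${1:-}" = "--demo" ]; then
    check_serials "$SAMPLE_CHECKZONE" "$SAMPLE_ZONESTATUS"
fi
```

Run with `--demo` to see the mismatch report for the constructed sample; in a cron job, use the live-use form and alert on a non-zero exit.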
