On Dec 18 2013, Alan Clegg wrote:
> On Dec 18, 2013, at 10:17 AM, Thomas Schulz <[email protected]> wrote:
>
>> I have a question about the serial number as modified by inline signing. I have a static zone, adi.com, that I am setting up for DNSSEC. I added
>>
>>     inline-signing yes;
>>     key-directory "dnssec";
>>     auto-dnssec maintain;
>>
>> to my named.conf file after generating the keys and then did a rndc restart. After that I did
>>
>>     rndc signing -nsec3param 1 0 10 aef7db3a adi.com
>>
>> to switch to NSEC3. Checking the resulting serial number, I find that it is 2013120423. The serial number in the static zone file is 2013120400. Why did it bump it up to 23? I expected something like 02.
>
> I can't tell you why you got an exact number, but the best rule about this is "don't worry about the signed serial number", as BIND will take care of it for you. As long as you continue to increment the static zone serial number as you always have, the serial in the signed zone will be maintained correctly.
>
> There are a number of things that are happening all the time with the signed zone that you are not aware of, for example, re-signing as signatures reach expiration, re-signing when you change from NSEC to NSEC3, etc. All of these will keep the signed serial number 'bumping up' even when your zone isn't changing.
You can look at the sequence of changes to the signed zone by using

    dig ixfr=2013120400 adi.com @[yourauthserver]

or by applying named-journalprint to the .signed.jnl file, unless the journal has been pruned as a result of exceeding the max-journal-size setting. But this won't tell you *when* each increment happened.

-- 
Chris Thompson
Email: [email protected]
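As an added example, not part of the original thread, here is a small Python script that does the bookkeeping Chris describes: it reads named-journalprint output, extracts every serial transition (each journal transaction starts with a `del` of the old SOA and an `add` of the new one), labels each transaction by the record types it touched (re-signing only, NSEC/NSEC3 chain change, key change, ordinary data change), and checks that each step is a forward move under RFC 1982 serial arithmetic. The journal text embedded below is constructed for illustration, with the RRSIG/DNSKEY/NSEC3 rdata abbreviated; the `add`/`del` line shape follows what named-journalprint emits, and any `Transaction:` header lines that newer BIND versions print are skipped. The script name in the usage comment is an assumption.

```python
import re
import sys
from typing import Dict, List, Set

# Constructed sample of `named-journalprint adi.com.signed.jnl` output,
# for illustration only (not real data; rdata is abbreviated). Every
# transaction starts with `del` of the old SOA and `add` of the new SOA,
# followed by the records that changed in that transaction.
SAMPLE_JOURNAL = """\
del adi.com. 3600 IN SOA ns1.adi.com. hostmaster.adi.com. 2013120400 3600 900 604800 86400
add adi.com. 3600 IN SOA ns1.adi.com. hostmaster.adi.com. 2013120401 3600 900 604800 86400
add adi.com. 3600 IN DNSKEY 257 3 8 AwEAAbKSK...
add adi.com. 3600 IN DNSKEY 256 3 8 AwEAAbZSK...
add adi.com. 3600 IN RRSIG DNSKEY 8 2 3600 20140117000000 20131218000000 12345 adi.com. AAAA...
add adi.com. 3600 IN RRSIG SOA 8 2 3600 20140117000000 20131218000000 54321 adi.com. BBBB...
del adi.com. 3600 IN SOA ns1.adi.com. hostmaster.adi.com. 2013120401 3600 900 604800 86400
add adi.com. 3600 IN SOA ns1.adi.com. hostmaster.adi.com. 2013120402 3600 900 604800 86400
del adi.com. 3600 IN NSEC www.adi.com. NS SOA RRSIG NSEC DNSKEY
del adi.com. 3600 IN RRSIG NSEC 8 2 3600 20140117000000 20131218000000 54321 adi.com. CCCC...
add adi.com. 0 IN NSEC3PARAM 1 0 10 AEF7DB3A
add adi.com. 0 IN RRSIG NSEC3PARAM 8 2 0 20140117000000 20131218000000 54321 adi.com. DDDD...
add 7UQL7Q6G7AKC2P4R0D9NVKB8TSD6MC0V.adi.com. 3600 IN NSEC3 1 0 10 AEF7DB3A GN12F4... NS SOA RRSIG DNSKEY NSEC3PARAM
add 7UQL7Q6G7AKC2P4R0D9NVKB8TSD6MC0V.adi.com. 3600 IN RRSIG NSEC3 8 3 3600 20140117000000 20131218000000 54321 adi.com. EEEE...
del adi.com. 3600 IN SOA ns1.adi.com. hostmaster.adi.com. 2013120402 3600 900 604800 86400
add adi.com. 3600 IN SOA ns1.adi.com. hostmaster.adi.com. 2013120403 3600 900 604800 86400
del www.adi.com. 3600 IN RRSIG A 8 3 3600 20140117000000 20131218000000 54321 adi.com. FFFF...
add www.adi.com. 3600 IN RRSIG A 8 3 3600 20140124000000 20131225000000 54321 adi.com. GGGG...
"""

# add|del  owner  ttl  IN  type  rdata
RECORD_RE = re.compile(r"^(add|del)\s+(\S+)\s+(\d+)\s+IN\s+(\S+)\s*(.*)$")
SERIAL_MODULUS = 2 ** 32


def serial_step(old: int, new: int) -> int:
    """Forward distance from old to new in RFC 1982 serial-number space.
    A legitimate bump lies in 1 .. 2**31-1; 0 or anything >= 2**31 means
    secondaries would not see the new serial as newer."""
    return (new - old) % SERIAL_MODULUS


def classify(types: Set[str]) -> str:
    """Label a transaction by the non-SOA record types it touched."""
    if types & {"NSEC", "NSEC3", "NSEC3PARAM"}:
        return "NSEC/NSEC3 chain change"
    if types & {"DNSKEY", "CDS", "CDNSKEY"}:
        return "key change"
    if not types:
        return "serial-only"
    if types <= {"RRSIG"}:
        return "re-sign only"
    return "zone data change"


def parse_journal(text: str) -> List[Dict]:
    """Split named-journalprint output into transactions keyed by SOA serial."""
    txns: List[Dict] = []
    cur = None
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # "Transaction:" headers, blank lines, anything non-RR
        op, _owner, _ttl, rtype, rdata = m.groups()
        if rtype == "SOA":
            serial = int(rdata.split()[2])  # MNAME RNAME SERIAL REFRESH ...
            if op == "del":
                cur = {"old": serial, "new": None, "types": set()}
                txns.append(cur)
            elif cur is not None:
                cur["new"] = serial
            continue
        if cur is not None:
            cur["types"].add(rtype)
    # drop a trailing transaction whose `add SOA` never showed up (truncated journal)
    return [t for t in txns if t["new"] is not None]


def summarize(text: str) -> List[Dict]:
    """One row per serial bump: old, new, forward step, and what kind of change it was."""
    return [
        {"old": t["old"], "new": t["new"],
         "step": serial_step(t["old"], t["new"]),
         "kind": classify(t["types"])}
        for t in parse_journal(text)
    ]


if __name__ == "__main__":
    # Usage (script name assumed): named-journalprint adi.com.signed.jnl | python3 journal_serials.py
    src = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JOURNAL
    for t in summarize(src):
        flag = "" if 1 <= t["step"] < 2 ** 31 else "  <-- serial did not advance!"
        print(f"{t['old']} -> {t['new']} (+{t['step']}) {t['kind']}{flag}")
```

Piped a real journal, this shows at a glance how many of the bumps between 2013120400 and 2013120423 were pure re-signing versus the NSEC3 switch, which is the breakdown the thread was asking about; as Chris notes, the journal carries no timestamps, so the *when* still has to come from named's logs.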

