On 10/7/2014 2:03 PM, Terry Burton wrote:
On 7 Oct 2014 18:42, "Alan Clegg" <[email protected] <mailto:[email protected]>> wrote: > > On 10/7/2014 9:49 AM, Terry Burton wrote: > > This is especially useful in bootstrapping scenarios where the zone > > data is held under strict revision control or generated by some > > provisioning system that "owns" the serial number. > > By setting the number backwards, you are breaking all of your slave servers and causing no-end of problems getting all of THEM corrected. You've misunderstood. I'm not attempting to decrease the serial number. With inline signing you have a hidden serial number in the unsigned zone and an exposed serial number in the signed versions which your slaves track. After redeployment (following DR, emergency relocation, elastic capacity expansion, etc.) I want to be able to bump the exposed serial number (once) back to an appropriate value without having to modify the unsigned zones.
Ok, I'm aware of the difference between unsigned and signed zones in an in-line signing configuration and am more and more curious about your terminology of "appropriate value" for the signed zones.
If the data hasn't changed, the serial is appropriate. If the data has changed, the signed data serial number is going to be incremented the next time you transfer (bump in the wire) or reload (on box) the data.
As Doug said, edit the data and when you reload it's going to "do the right thing" but you should never get into this predicament to begin with from my limited understanding of DNS.
Now, the problem with his added step is that the next time you edit the file that you have in your version control system, the serial number is now going to match (if you treat it as "just a number") the one that you edited OUTSIDE OF THE PROCEDURE and you won't get correct zone transfers.
I'd recommend adding one step to the DR/whatever procedure: "bump serial number in version control in to complete process".
AlanC _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list [email protected] https://lists.isc.org/mailman/listinfo/bind-users
