Hi Einar,

On 1/20/22 2:03 PM, Einar Bjarni Halldórsson wrote:
> Hi,
>
> For many months now, we've been preparing new signers for our internal zones
> and eventually .is.
>
> We've got the first of our test zones live on the production signers, but
> some things are troubling us.
>
> This is the config we're using for zones:
>
> template:
>   - id: default
>     semantic-checks: on
>     storage: "/usr/local/etc/knot"
>     file: "zones/unsigned/%s/%s-soa"
>     serial-policy: dateserial
>     zonefile-sync: -1
>     zonefile-load: difference-no-serial
>     journal-content: all
>     notify: hidden_primary
>     acl: hidden_primary_acl
>
> policy:
>   - id: isnic
>     algorithm: RSASHA256
>     ksk-size: 4096
>     zsk-size: 2048
>     ksk-lifetime: 365d
>     zsk-lifetime: 30d
>     propagation-delay: 1h
>     rrsig-lifetime: 14d
>     rrsig-refresh: 7d
>     rrsig-pre-refresh: 1h
>
> ---
>
> zones/unsigned is stored in a git repo and changes are deployed by an ansible
> playbook that checks out the latest revision and reloads the zones.
>
> Someone pointed out that zonefile-load: difference-no-serial was risky for
> something as important as a TLD, but what is the alternative when doing
> automatic DNSSEC signing on zone data from git? Also,
> we turned off zonefile-sync, since our current deployment script overwrites
> the zonefile. Is there a way to load initial zone data from one file, but do
> zonefile-sync to another?
"zonefile-load: difference-no-serial" was risky in the past when
"journal-content: all" wasn't required for that. Nowadays we aren't aware of
any issues with this setup.

More zone files per zone aren't supported.

> We're seeing this in our logs:
> Jan 20 09:32:06 ht-signer01 knot[49715]: info: [pp.is.] zone file parsed,
> serial corrected 1970010100 -> 2022012000
> Jan 20 09:32:06 ht-signer01 knot[49715]: info: [pp.is.] loaded, serial
> 2022011900 -> 2022012000 -> 2022011900, 3830 bytes

This log line is correct. It means that there is no change in the zone so it
doesn't make sense to increase the serial only.

Daniel

> Any idea what's happening on the second line? It's like knot wants to
> increment the serial, but then changes its mind :)
>
> .einar
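The serial behaviour described in the reply above, as an added illustration that is not Knot DNS code: it models dateserial as "today's date with counter 00, else current + 1" and difference-no-serial as "compare everything except the SOA serial", leaving out the journal, signing and RRSIGs; the nameserver names, the A record and the zone records are constructed sample data.

```python
# Simplified model of the serial decision behind the two log lines above.
# Added illustration, not Knot DNS code: journal, DNSSEC and RRSIG handling
# are left out, and the record data below is constructed.
from datetime import date

def dateserial(today: date, current: int) -> int:
    """serial-policy: dateserial candidate in YYYYMMDDnn form: today's date
    with counter 00, or current + 1 if that would not move the serial forward."""
    candidate = int(today.strftime("%Y%m%d")) * 100
    return candidate if candidate > current else current + 1

def zone_body(records):
    """Zone content with the SOA serial masked out: zonefile-load:
    difference-no-serial compares everything except that field."""
    body = []
    for rr in records:
        fields = rr.split()          # owner ttl class type rdata...
        if fields[3] == "SOA":
            fields[6] = "<serial>"   # SOA rdata: mname rname serial ...
        body.append(" ".join(fields))
    return sorted(body)

def load_zone(file_records, current_records, current_serial, today):
    """Return (file serial, corrected serial, final serial) in the order
    the two log lines report them."""
    file_serial = next(int(r.split()[6]) for r in file_records if r.split()[3] == "SOA")
    corrected = dateserial(today, current_serial)     # "serial corrected A -> B"
    changed = zone_body(file_records) != zone_body(current_records)
    final = corrected if changed else current_serial  # unchanged zone: no bump
    return file_serial, corrected, final

# Constructed sample: the unsigned file from git carries a placeholder serial,
# while the zone already loaded in the signer has yesterday's date serial.
UNSIGNED_FILE = [
    "pp.is. 3600 IN SOA ns1.example. hostmaster.example. 1970010100 7200 3600 1209600 3600",
    "pp.is. 3600 IN NS ns1.example.",
]
LOADED_ZONE = [r.replace("1970010100", "2022011900") for r in UNSIGNED_FILE]
TODAY = date(2022, 1, 20)

def demo():
    """Reload with identical content, then with one added record."""
    unchanged = load_zone(UNSIGNED_FILE, LOADED_ZONE, 2022011900, TODAY)
    edited = load_zone(UNSIGNED_FILE + ["www.pp.is. 3600 IN A 192.0.2.10"],
                       LOADED_ZONE, 2022011900, TODAY)
    return unchanged, edited

if __name__ == "__main__":
    for label, (file_serial, corrected, final) in zip(("unchanged", "edited"), demo()):
        print(f"{label}: file {file_serial} -> corrected {corrected} -> loaded {final}")
```

The unchanged reload reproduces the logged 1970010100 -> 2022012000 correction followed by 2022011900 -> 2022012000 -> 2022011900, while the edited reload ends at 2022012000.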
