Einar,

One way to change the serial is:

$ knotc zone-read example.com @ SOA
[example.com.] example.com. 3600 SOA dns1.example.com. hostmaster.example.com. 2022012100 10800 3600 1209600 7200

$ knotc zone-begin example.com
OK

$ knotc zone-set example.com @ 3600 SOA "dns1.example.com. hostmaster.example.com. 2022012105 10800 3600 1209600 7200"
OK

$ knotc zone-commit example.com
OK

Verification:

$ kjournalprint -l 1 example.com
;; Changes between zone versions: 2022012100 -> 2022012105, changeset: 1
;; Removed
example.com. 3600 SOA dns1.example.com. hostmaster.example.com. 2022012100 10800 3600 1209600 7200
example.com. 3600 RRSIG SOA 13 2 3600 20220204193156 20220121180156 20522 example.com. /v6znTSakpL2aJa5p3fcD7tY3vWI/wmQwFADmguy4kl016doOpG4ZAxH3DmhUmV8AKCM7BHp1AfontXHLDeZXQ==
;; Added
example.com. 3600 SOA dns1.example.com. hostmaster.example.com. 2022012105 10800 3600 1209600 7200
example.com. 3600 RRSIG SOA 13 2 3600 20220204194056 20220121181056 20522 example.com. vdB1SHlfCs24AnqOnruK0J05aXFfMn3DcZTTuDDgqsP9t8AN//J1xX7Gw63gnQsBOmeZam8W/CbAlq4wrRPfyQ==

Daniel

On 1/21/22 7:46 PM, libor.peltan wrote:
> Hi Einar,
>
>> One question regarding the serial: Is it possible to set or increase the
>> serial (when using difference-no-serial) in some other way than simply
>> changing the zone and reloading?
> Do you need to BUMP the SOA serial without any other change in the zone?
> There might be a trick that would do this, but it's not a kind of supported
> feature. Why would you need it?
>>
>> We're using serial-policy: dateserial, and we're running two signers, one
>> active and one backup. The hidden primaries get updates from the active
>> signer.
>> If we need to change from the active to the backup the serial will probably
>> be out-of-sync and possibly some way off. If the backup signer has a lower
>> serial than what the prior active signer had,
>> then we'll need to fix it so the primaries start to accept updates from it.
> I strongly recommend that the two signers are completely in-sync. Could you
> imagine that the hidden master runs a zone from signer1, and suddenly
> transfers an IXFR with a diff of the zone in signer2,
> and applies it on the zone? In that case, it's better when the secondaries
> don't transfer automatically, rather by forced AXFR (knotc zone-retransfer).
>>
>> I think the best way would be to change to serial-policy: unixtime, that way
>> every zone update is certain to increase the serial, but this will require
>> working with 3rd parties providing
>> secondaries, to force the first update after switching to unixtime.
>>
>> I'd be interested to know if there was some way to do something like `knotc
>> zone-set-serial pp.is 2022012110` to force a new serial?
>> (I've combed through knotc man page, I know it's not there....)
>>
>> .einar
>> --
>
> Anyway, the setup of redundant signers is still an unexplored field in DNS
> overall. You might lead the development here, and my opinion is that SOA
> serials are among the smallest problems here.
>
> Looking forward to discussing more next week :)
>
> Cheers,
>
> Libor
> --
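
Added example, not part of the thread: a POSIX sh dry run of the failover check discussed above. It compares the backup signer's serial with the one the primaries last accepted, using RFC 1982 serial arithmetic, and prints the knotc transaction from Daniel's message with a serial the primaries will accept. The helper names, the sample SOA line and the "last accepted" serial are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread; helper names are hypothetical.

# serial_gt A B: true when A is newer than B under RFC 1982 arithmetic on
# 32-bit serials, the comparison a secondary makes before it transfers.
serial_gt() {
    d=$(( ($1 - $2) & 4294967295 ))
    [ "$d" -ne 0 ] && [ "$d" -lt 2147483648 ]
}

# next_serial SEEN YYYYMMDD: the dateserial-style value YYYYMMDD00 if it is
# newer than SEEN, otherwise SEEN+1 (SEEN is already at or past that day).
next_serial() {
    base=$(( $2 * 100 ))
    if serial_gt "$base" "$1"; then
        echo "$base"
    else
        echo $(( ($1 + 1) & 4294967295 ))
    fi
}

# Parse one SOA line as printed by `knotc zone-read`:
# [zone] owner ttl SOA mname rname serial refresh retry expire minimum
soa_serial() { printf '%s\n' "$1" | awk '{ print $7 }'; }
soa_rdata() {
    printf '%s\n' "$1" | awk -v s="$2" '{ print $5, $6, s, $8, $9, $10, $11 }'
}

# Constructed scenario: the primaries last accepted 2022012105 from the old
# active signer, while the backup signer is still at 2022012100.
zone=example.com
backup_line='[example.com.] example.com. 3600 SOA dns1.example.com. hostmaster.example.com. 2022012100 10800 3600 1209600 7200'
seen=2022012105
today=20220121

cur=$(soa_serial "$backup_line")
if serial_gt "$cur" "$seen"; then
    echo "backup serial $cur is already newer than $seen, nothing to do"
else
    new=$(next_serial "$seen" "$today")
    # Dry run only: print the transaction instead of executing it.
    echo "knotc zone-begin $zone"
    echo "knotc zone-set $zone @ 3600 SOA \"$(soa_rdata "$backup_line" "$new")\""
    echo "knotc zone-commit $zone"
fi
```

A newer serial only makes the primaries willing to transfer; Libor's point in the quoted reply still applies, so the first transfer from the other signer is better done as a forced AXFR (knotc zone-retransfer) than as an IXFR.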
