On May 2, 2010, at 9:25 PM, Anirban Mukherjee wrote:

> Is it correct to expect the following if SOA Serial is set to "keep"
> in the concerned policy ?
>
> i) The very first time a zone is signed, the SOA serial of the signed
> file will be the same as that of the unsigned file.
>
> ii) Post the first-time signing, if a sign zone command is issued
> without incrementing the serial number of the unsigned file, the
> signing fails with an error saying that the serial number has not
> increased i.e. an attempt to resign a zone fails unless the serial
> number has been incremented.

Yes, this is correct. The purpose of the keep option is to only sign a zone if the zone has been updated as indicated by the incoming SOA serial. This is useful for a TLD for example, which creates new zonefiles at regular intervals.

--
Patrik Wallström
Project Manager, R&D
.SE (Stiftelsen för Internetinfrastruktur)
E-mail: [email protected]
Web: http://www.iis.se/

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
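
A pre-signing check that mirrors the "keep" behaviour confirmed in the thread above, as an added example that is not part of the original messages and is not OpenDNSSEC code. The function names, the simplified zone-file parsing, the constructed sample zone and the use of RFC 1982 serial arithmetic for "has increased" are assumptions of this example.

```python
import re

HALF = 1 << 31  # half of the 32-bit serial number space (RFC 1982)

def serial_gt(a: int, b: int) -> bool:
    """True if serial a is 'greater than' serial b under RFC 1982
    arithmetic, so an increment across the 2**32 wraparound counts."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)

def soa_serial(zone_text: str) -> int:
    """Extract the SOA serial from master-file text.
    Simplified: strips ';' comments and accepts a parenthesised SOA."""
    text = "\n".join(line.split(";", 1)[0] for line in zone_text.splitlines())
    m = re.search(r"\bSOA\s+\S+\s+\S+\s+\(?\s*(\d+)", text, re.IGNORECASE)
    if not m:
        raise ValueError("no SOA record found")
    return int(m.group(1))

def keep_would_sign(unsigned_zone: str, last_signed_serial):
    """Return (would_sign, inbound_serial) for a 'keep' serial policy.
    last_signed_serial is None when the zone has never been signed."""
    inbound = soa_serial(unsigned_zone)
    if last_signed_serial is None:
        # Case (i) in the thread: first signing carries the serial over.
        return True, inbound
    # Case (ii): signing is refused unless the inbound serial increased.
    return serial_gt(inbound, last_signed_serial), inbound

# Constructed sample zone, not taken from the thread.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@ IN SOA ns1.example.com. hostmaster.example.com. (
        2010050201 ; serial
        7200 3600 1209600 3600 )
@ IN NS ns1.example.com.
"""

if __name__ == "__main__":
    for previous in (None, 2010050101, 2010050201):
        ok, serial = keep_would_sign(SAMPLE_ZONE, previous)
        verdict = "sign" if ok else "refuse (serial not incremented)"
        print(f"last signed={previous} inbound={serial}: {verdict}")
```

Running a check like this before issuing the sign command makes a forgotten serial bump visible in the publishing pipeline instead of as a signer error.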
