Hi Emil,

On 02/13/2014 01:14 PM, Emil Natan wrote:
> Hello everybody,
>
> opendnssec version 1.4.3
>
> I have a KASP policy which sets the SOA serial configuration to "keep"
> (<Serial>keep</Serial>). I manually raise the serial number for the zone
> to be signed, but when the signer runs, it does not detect the serial
> number change and logs:
>
> Feb 13 13:13:45 catwoman ods-signerd: [namedb] zone test.org cannot keep SOA SERIAL from input zone (2012070503): previous output SOA SERIAL is 2012070503
> Feb 13 13:13:45 catwoman ods-signerd: [zone] unable to update zone test.org soa serial: Conflict detected
> Feb 13 13:13:45 catwoman ods-signerd: [zone] If this is the result of a key rollover, please increment the serial in the unsigned zone test.org
> Feb 13 13:13:45 catwoman ods-signerd: [worker[4]] unable to sign zone test.org: failed to increment serial
> Feb 13 13:13:45 catwoman ods-signerd: [worker[4]] CRITICAL: failed to sign zone test.org: Conflict detected
> Feb 13 13:13:45 catwoman ods-signerd: [worker[4]] backoff task [sign] for zone test.org with 60 seconds
>
> At that time the unsigned zone has serial 2012070504 and the zone
> signed at the previous run has serial 2012070503.

Correct: The signer will not read the unsigned zone unless specifically told to. In this case, the signer received an update from the enforcer (perhaps a key rollover or a salt change), but the "keep" value tells the signer not to maintain the serial by itself. In other words, you really have to run ods-signer sign <zone> to bump the serial if you use "keep".

> I was able to reproduce the issue with the "lab" KASP policy, just
> changing the <Serial> parameter to "keep".
>
> Running manually "ods-signer sign test.org" detects
> the increased serial number and the zone is resigned correctly.
>
> Can someone please try to reproduce the issue and let me know if it's a
> bug or misconfiguration at my side. Thanks.

It's a feature :)

Best regards,
Matthijs

>
> ena

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
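As an added illustration (not code from this thread or from OpenDNSSEC itself), the snippet below models the "keep" rule as Matthijs describes it: the unsigned zone's serial is reused only when it is strictly newer than the serial of the previously signed output, otherwise the run is a conflict. It assumes the comparison follows RFC 1982 serial arithmetic, and it adds a small log check that picks out zones whose signing failed with "Conflict detected", using the ods-signerd line format from Emil's message; the function names and the regex are my own.

```python
import re
from typing import List, Optional, Tuple

SERIAL_MOD = 1 << 32   # SOA serials are 32-bit
SERIAL_HALF = 1 << 31

def serial_newer(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: True when serial a is strictly newer than b,
    including the wraparound case (e.g. 5 is newer than 4294967295)."""
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)

def keep_serial(input_serial: int, previous_output_serial: Optional[int]) -> Tuple[bool, str]:
    """Assumed model of <Serial>keep</Serial>, not the signer's own code:
    keep the input serial only if it is newer than the last signed serial."""
    if previous_output_serial is None:
        return True, "no previous output, keeping input serial %d" % input_serial
    if serial_newer(input_serial, previous_output_serial):
        return True, "keeping input serial %d" % input_serial
    return False, ("cannot keep SOA SERIAL from input zone (%d): "
                   "previous output SOA SERIAL is %d" % (input_serial, previous_output_serial))

# Matches the CRITICAL line ods-signerd logged in the thread above.
CONFLICT_RE = re.compile(
    r"ods-signerd: \[worker\[\d+\]\] CRITICAL: failed to sign zone (\S+): Conflict detected")

def zones_with_serial_conflict(log_lines: List[str]) -> List[str]:
    """Return the zones whose signing failed with 'Conflict detected', so an
    operator knows which unsigned zones need a serial bump and 'ods-signer sign'."""
    zones = []
    for line in log_lines:
        m = CONFLICT_RE.search(line)
        if m:
            zones.append(m.group(1))
    return zones

# Constructed sample log: the CRITICAL line from the thread plus an unrelated line.
SAMPLE_LOG = [
    "Feb 13 13:13:45 catwoman ods-signerd: [worker[4]] CRITICAL: failed to sign zone test.org: Conflict detected",
    "Feb 13 13:13:45 catwoman ods-signerd: [worker[4]] backoff task [sign] for zone test.org with 60 seconds",
]

if __name__ == "__main__":
    print(keep_serial(2012070503, 2012070503))  # the conflict Emil saw
    print(keep_serial(2012070504, 2012070503))  # accepted after the manual bump
    print(zones_with_serial_conflict(SAMPLE_LOG))
```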
