Thank you very much, Jerry and Matthijs, for the fast reply. All clear. Best Regards, ena
On Thu, Feb 13, 2014 at 2:52 PM, Matthijs Mekking <[email protected]> wrote:
> Hi Emil,
>
> On 02/13/2014 01:14 PM, Emil Natan wrote:
> > Hello everybody,
> >
> > opendnssec version 1.4.3
> >
> > I have a KASP policy which sets the SOA serial configuration to "keep"
> > (<Serial>keep</Serial>). I raise the serial number manually for the zone
> > to be signed, but when the signer runs, it does not detect the serial
> > number change and logs:
> >
> > Feb 13 13:13:45 catwoman ods-signerd: [namedb] zone test.org cannot keep SOA SERIAL from input zone (2012070503): previous output SOA SERIAL is 2012070503
> > Feb 13 13:13:45 catwoman ods-signerd: [zone] unable to update zone test.org soa serial: Conflict detected
> > Feb 13 13:13:45 catwoman ods-signerd: [zone] If this is the result of a key rollover, please increment the serial in the unsigned zone test.org
> > Feb 13 13:13:45 catwoman ods-signerd: [worker[4]] unable to sign zone test.org: failed to increment serial
> > Feb 13 13:13:45 catwoman ods-signerd: [worker[4]] CRITICAL: failed to sign zone test.org: Conflict detected
> > Feb 13 13:13:45 catwoman ods-signerd: [worker[4]] backoff task [sign] for zone test.org with 60 seconds
> >
> > At that time the unsigned zone has serial 2012070504 and the zone
> > signed at the previous run has serial 2012070503.
>
> Correct: The signer will not read the unsigned zone unless specifically
> told to. In this case, the signer received an update from the enforcer
> (perhaps a key rollover or a salt change), but the "keep" value tells
> the signer not to maintain the serial by itself.
>
> In other words, you really have to run ods-signer sign <zone> to bump
> the serial if you use "keep".
>
> > I was able to reproduce the issue with the "lab" KASP policy, just
> > changing the <Serial> parameter to "keep".
> >
> > Running "ods-signer sign test.org" manually detects the increased
> > serial number and the zone is resigned correctly.
> >
> > Can someone please try to reproduce the issue and let me know if it's a
> > bug or a misconfiguration on my side. Thanks.
>
> It's a feature :)
>
> Best regards,
>   Matthijs
>
> > ena
> >
> > _______________________________________________
> > Opendnssec-user mailing list
> > [email protected]
> > https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
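The practical consequence of Matthijs' answer is that with <Serial>keep</Serial> the operator owns the serial: ods-signerd will not re-read the unsigned zone on its own, so whatever bumps the unsigned serial (hand edit, provisioning system) also has to call ods-signer sign <zone>, or the next enforcer-triggered re-sign fails with the "Conflict detected" shown in the log. The script below is an added example written for this thread; it is not part of the mailing list post or of OpenDNSSEC. It reads the SOA serial from the unsigned input and from the last signed output, compares them with RFC 1982 serial arithmetic (so a serial that wrapped past 2^32-1 still counts as newer), and only then invokes the one real command from the reply, ods-signer sign. The file paths and the three positional arguments are assumptions; the zone content in the test is constructed for the example.

```shell
#!/bin/sh
# Added example for the "Serial keep" thread; not OpenDNSSEC's own tooling.
# Assumed (hypothetical) invocation, paths chosen by the operator:
#   sh keep-serial-check.sh <zone> <unsigned-zone-file> <signed-zone-file>
# Only "ods-signer sign <zone>" is a real OpenDNSSEC command.

# Print the SOA serial found in a zone file. Handles both the one-line form
#   @ IN SOA mname rname ( 2012070504 3600 900 604800 86400 )
# and the parenthesised multi-line form with the serial on its own line:
# the serial is the first all-digit token after MNAME and RNAME.
soa_serial() {
  awk '
    { sub(/;.*/, "") }                       # strip comments, re-split fields
    !in_soa && /[ \t]SOA[ \t]/ { in_soa = 1 }
    in_soa {
      for (i = 1; i <= NF; i++) {
        if (!after) { if ($i == "SOA") after = 1; continue }
        if ($i == "(" || $i == ")") continue
        n++                                  # 1 = MNAME, 2 = RNAME, 3 = SERIAL
        if (n > 2 && $i ~ /^[0-9]+$/) { print $i; exit }
      }
    }
  ' "$1"
}

# Return 0 (true) if serial $1 is newer than serial $2 under RFC 1982
# sequence-space arithmetic, so a wrap-around at 2^32 is handled correctly.
serial_newer() {
  a=$1; b=$2
  [ "$a" -eq "$b" ] && return 1
  if [ "$a" -gt "$b" ]; then
    [ $((a - b)) -lt 2147483648 ]
  else
    [ $((b - a)) -gt 2147483648 ]
  fi
}

# Return 0 when the signer must be told to re-read the unsigned zone:
# either there is no signed output yet, or the unsigned serial is newer
# than the serial in the last signed output.
needs_resign() {
  [ -f "$2" ] || return 0
  new_serial=$(soa_serial "$1")
  old_serial=$(soa_serial "$2")
  [ -n "$new_serial" ] && [ -n "$old_serial" ] && serial_newer "$new_serial" "$old_serial"
}

if [ $# -eq 3 ]; then
  zone=$1
  if needs_resign "$2" "$3"; then
    echo "unsigned serial is newer than the signed output; re-reading $zone"
    ods-signer sign "$zone"
  else
    echo "no serial bump in unsigned $zone; nothing to do"
  fi
fi
```

Run it from the same hook or cron job that updates the unsigned zone file; with a "keep" policy the signer has no other way to learn that the serial moved. If the unsigned serial is equal to or older than the signed one, the script deliberately does nothing, because ods-signer sign would then reproduce exactly the conflict in the log above.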
