Re: [Opendnssec-user] OpenDNSSEC 2.0.1 - The SOA Serial Number

Yuri Schaeffer Fri, 07 Oct 2016 01:03:08 -0700

Hi Mark,

On 06-10-16 17:58, Mark Elkins wrote:
> Oct  6 17:45:01 signer1 ods-signerd: [namedb] zone za cannot keep SOA
> SERIAL from input zone  (2016100627): previous output SOA SERIAL is
> 2016100627
> Oct  6 17:45:01 signer1 ods-signerd: [zone] unable to update zone za soa
> serial: Conflict detected


I think it is because your resign interval is 15 minutes and you are
getting XFR's every 15 minutes. There is a chance the signer will have 2
consecutive runs but did not see an XFR in between. The signer will
retry a bit later and no harm was done.

To get rid of this message I would advice to raise the resign interval a
bit. Maybe even to 2*[XFR interval]. Better yet would be to have the
signer keep its own SOA serial. That way it can still refresh signatures
even if you don't get XFRs for some period.

Regards,
Yuri

signature.asc
Description: OpenPGP digital signature

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

Re: [Opendnssec-user] OpenDNSSEC 2.0.1 - The SOA Serial Number

Reply via email to