On Thu, Feb 03, 2011 at 08:44:08AM +0100, Christof Meerwald wrote:
> I kind of expected this to happen today - the master (ns.cmeerw.net)
> with the keying material has now updated the RRSIG records, but the
> slave (ns2.cmeerw.net, no keying material) still returns the old RRSIG
> records:

Indeed, this is an issue we've been pondering for a while now. OpenDNSSEC and
dnssec-signzone all deal with it in some way.

> ; <<>> DiG 9.7.1-P2 <<>> +dnssec -t soa cmeerw.priv.at @ns2.cmeerw.net
> ;; ANSWER SECTION:
> cmeerw.priv.at.         28800   IN      RRSIG   SOA 8 3 28800
> 20110210000000 20110127000000 9895 cmeerw.priv.at.
> b6IVcHFLnJvuL1T+OVXDDiuPOPbooVgpNHw8SI21cXoo2Q2v89+UQd7+
> H/SVjFYPL5RLjyCIcGWIJOrx5Wssg8vqbVqvkaG/AGmyZqhu5S5dVo1b
> ipK32UrcYrsknkYmzYaHD3ew2ka9hwZYND5MK+g3FNAJxnj3fJEiHEvG Lzo=
> cmeerw.priv.at.         28800   IN      SOA     ns.cmeerw.net.
> domain.cmeerw.net. 2010080601 3600 900 1814400 3600
>
>
> Is there any better solution than having to run a script each week on
> the master server to update the SOA serial number and reload the zone
> (so the slave gets notified of the change and does an AXFR)?

This will obviously have to be automated, but we're not sure how.

The more general case is where PowerDNS operates like OpenDNSSEC, as a
'signing proxy'. In this case there is an 'original serial' from the unsigned
master, which tells us when the original changed. Secondly, there is the
'signed serial' which will have to change once a week at least, but also
whenever the 'original serial' changes.

In your case, where PowerDNS merely does the signing, things are a bit
simpler, but still not trivial.

We obviously need to come up with something smart!

Thinking out loud a bit. A problem is that the SOA serial is 32 bits, and
often filled out like this:

4294967296
2011020300
..
2011020301
..
2011020302
etc

This means that if we do the 'obvious' and leave the first six digits alone,
we can only do 99 increments, which is not enough by a long shot.

However, '20110203' only encodes a day number, and there have been 15008 days
since the beginning of the epoch. What we could do is convert a 'date-formed
SERIAL' to a more compact form, and leave loads of room for autoincrementing
the serial.

So 2011020312 ('the 12th increment on the 3rd of February 2011') could be
converted to:

FFFFFFFF
3AA00Cnn

This still only gives us 256 increments before things turn nasty.

Ideas?

I prefer a solution where we don't actually increment the serial in the
database but overlay it with something that autoincrements ('weeks since
january first 2011').

	Bert

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
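The two serial schemes sketched in the message, worked through as an added example (not PowerDNS code or anything from the thread): the compact day-number repacking of a YYYYMMDDnn serial, the 'weeks since January first 2011' overlay that leaves the database serial untouched, and the RFC 1982 comparison a slave applies to decide whether the published serial has actually moved forward. Function names and the 16/8/8-bit split are assumptions made here; the 2011020312 -> 0x3AA00C.. mapping follows the message.

```python
from datetime import date

SERIAL_MOD = 1 << 32  # SOA serial is an unsigned 32-bit counter


def is_date_formed(serial):
    """True if serial looks like YYYYMMDDnn with a real calendar date."""
    s = str(serial)
    if len(s) != 10:
        return False
    try:
        date(int(s[0:4]), int(s[4:6]), int(s[6:8]))
    except ValueError:
        return False
    return True


def compact(serial, auto_increment):
    """Repack YYYYMMDDnn as (days since 1970-01-01) << 16 | nn << 8 | auto.

    2011-02-03 is day 15008 = 0x3AA0, so 2011020312 becomes 0x3AA00C00 | auto.
    Only one byte is left for auto, i.e. 256 increments before it overflows.
    """
    if not is_date_formed(serial):
        raise ValueError("not a date-formed serial")
    if not 0 <= auto_increment <= 0xFF:
        raise ValueError("auto increment must fit in one byte")
    s = str(serial)
    day = (date(int(s[0:4]), int(s[4:6]), int(s[6:8])) - date(1970, 1, 1)).days
    return (day << 16) | (int(s[8:10]) << 8) | auto_increment


def overlay_weeks(db_serial, today, start=date(2011, 1, 1)):
    """Publish db_serial + (whole weeks since start); the database is not touched.

    The published value grows by one each week for re-signing, and still grows
    whenever the stored (original) serial itself is bumped.
    """
    weeks = (today - start).days // 7
    return (db_serial + weeks) % SERIAL_MOD


def serial_gt(new, old):
    """RFC 1982 serial-number arithmetic: does a slave see `new` as newer?"""
    diff = (new - old) % SERIAL_MOD
    return 0 < diff < (1 << 31)
```

A serial that is not strictly 'greater' in this sense never triggers a transfer, so any auto-increment scheme must be checked with serial_gt against the value the slave currently holds.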