Affects Version/s: OpenDNSSEC 1.4.3
Fix Version/s: None
Debian testing, OpenDNSSEC 1:1.4.3-3.
During automated zone re-signs, ods-signerd seems not to detect that the zone file has been updated and has a new serial:
Feb 27 13:46:18 dns-mgt ods-signerd: [namedb] zone teleglobe.net cannot keep SOA SERIAL from input zone (2014022510): previous output SOA SERIAL is 2014022510
Feb 27 13:46:18 dns-mgt ods-signerd: [zone] unable to update zone teleglobe.net soa serial: Conflict detected
Feb 27 13:46:18 dns-mgt ods-signerd: [zone] If this is the result of a key rollover, please increment the serial in the unsigned zone teleglobe.net
Feb 27 13:46:18 dns-mgt ods-signerd: [worker] unable to sign zone teleglobe.net: failed to increment serial
Feb 27 13:46:18 dns-mgt ods-signerd: [worker] CRITICAL: failed to sign zone teleglobe.net: Conflict detected
Feb 27 13:46:18 dns-mgt ods-signerd: [worker] backoff task [sign] for zone teleglobe.net with 3600 seconds
However, after issuing ods-signer sign --all (and not even touching the zone files), ods-signerd recognizes the new serial and signs the zone:
Feb 27 14:14:42 dns-mgt ods-signerd: [STATS] teleglobe.net RR[count=2 time=0(sec)] NSEC3[count=2 time=0(sec)] RRSIG[new=4 reused=1900 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
Also, I don't really understand why signerd has to care about the zone serial so much. Is there a mode in which it will try to re-sign a zone on request regardless of the serial?
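For monitoring the failure shown in the logs above, the following is an added example (not part of the original report and not OpenDNSSEC code) that scans ods-signerd syslog output and reports zones whose last signing attempt failed and was put into backoff. The function name and regular expressions are assumptions built only from the message formats quoted in this report.

```python
import re

# Log lines copied from the report above.
FAILED_RUN = """\
Feb 27 13:46:18 dns-mgt ods-signerd: [namedb] zone teleglobe.net cannot keep SOA SERIAL from input zone (2014022510): previous output SOA SERIAL is 2014022510
Feb 27 13:46:18 dns-mgt ods-signerd: [zone] unable to update zone teleglobe.net soa serial: Conflict detected
Feb 27 13:46:18 dns-mgt ods-signerd: [worker] unable to sign zone teleglobe.net: failed to increment serial
Feb 27 13:46:18 dns-mgt ods-signerd: [worker] CRITICAL: failed to sign zone teleglobe.net: Conflict detected
Feb 27 13:46:18 dns-mgt ods-signerd: [worker] backoff task [sign] for zone teleglobe.net with 3600 seconds
"""
SIGNED_LINE = "Feb 27 14:14:42 dns-mgt ods-signerd: [STATS] teleglobe.net RR[count=2 time=0(sec)] NSEC3[count=2 time=0(sec)] RRSIG[new=4 reused=1900 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]\n"

# Patterns derived from the message formats in the lines above (assumed stable).
CONFLICT = re.compile(r"\[namedb\] zone (\S+) cannot keep SOA SERIAL from input zone "
                      r"\((\d+)\): previous output SOA SERIAL is (\d+)")
FAILED = re.compile(r"\[worker\] CRITICAL: failed to sign zone (\S+): (.+)$")
BACKOFF = re.compile(r"\[worker\] backoff task \[sign\] for zone (\S+) with (\d+) seconds")
STATS = re.compile(r"\[STATS\] (\S+) ")


def stalled_zones(log_text):
    """Return {zone: details} for zones whose most recent signing attempt failed."""
    state = {}
    for line in log_text.splitlines():
        if "ods-signerd:" not in line:
            continue
        if m := CONFLICT.search(line):
            state.setdefault(m[1], {}).update(input_serial=int(m[2]),
                                              output_serial=int(m[3]))
        elif m := FAILED.search(line):
            state.setdefault(m[1], {})["reason"] = m[2]
        elif m := BACKOFF.search(line):
            state.setdefault(m[1], {})["backoff_seconds"] = int(m[2])
        elif m := STATS.search(line):
            state.pop(m[1], None)  # a [STATS] line means the zone was signed again
    # Only zones with a CRITICAL failure still on record count as stalled.
    return {zone: d for zone, d in state.items() if "reason" in d}


if __name__ == "__main__":
    for zone, details in stalled_zones(FAILED_RUN).items():
        print(zone, details)
```
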