Support / SUPPORT-58

Let user specify the SOA serial to use in the signed zone


    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: OpenDNSSEC 2.0
    • Fix Version/s: None
    • Component/s: Signer
    • Labels: None

      Description

      As discussed on the opendnssec-user mailing list[1], it would be useful if the user could somehow explicitly specify the SOA serial number for ods-signerd to use in the signed zone.

      For example:

      • Every time ods-signerd signs a zone it could run a hook command which would be passed the zone name as command line argument (like NotifyCommand) and read back the SOA serial from command's standard output.
      • Or perhaps 'ods-signer sign <zone>' could accept an additional parameter, e.g. '--serial <number>' which would reset the serial number and sign the zone, and on following sign tasks the serial would be chosen again according to the policy settings.

      This feature could be used, for example, to make sure the newly signed zone's SOA serial is higher than the one currently used by the zone's authoritative DNS servers, so that the zone update propagates to all secondaries.

      A specific case where ods-signerd needs to be told the minimum outgoing SOA serial to use:

      • The zone signing policy is configured to use the 'datecounter' or 'counter' SOA serial format.
      • The unsigned version of the zone stays unchanged. The active primary signing server re-signs the zone multiple times over a long period of time to regenerate signatures, roll over keys, etc.
      • A standby server is promoted to active. With the 'datecounter' format it might take hours or days (depending on other policy parameters) to reach a higher serial than the one on the latest signed version from the deactivated/failed primary server. With the 'counter' format it could take years (about as long as the primary server had been in the active role).

      [1] http://lists.opendnssec.org/pipermail/opendnssec-user/2013-April/002430.html

      People

      Assignee: Matthijs Mekking (matthijs)
      Reporter: Ville Mattila (vmattila)
      Votes: 0
      Watchers: 3
