SUPPORT-73

Sometimes the serial in signed zonefiles is smaller than the serial in unsigned zonefiles

    Details

    • Type: Support
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: OpenDNSSEC 1.4.0
    • Fix Version/s: None
    • Component/s: None
    • Labels: None
    • Environment: CentOS6.4 DA HSM(hardware made in China)

      Description

      Hi,
      When I was testing OpenDNSSEC 1.4.0, I found that sometimes the serial in signed zonefiles is smaller than the serial in unsigned zonefiles.
      After setting the kasp.xml, the policy of the zone was like this:
          <Zone>
              <PropagationDelay>PT0S</PropagationDelay>
              <SOA>
                  <TTL>PT3600S</TTL>
                  <Minimum>PT3600S</Minimum>
                  <Serial>counter</Serial>
              </SOA>
          </Zone>
      And then OpenDNSSEC was started (using "ods-control start"). Now the serial in the unsigned file was 1374686361, and the result in the signed zonefile was 1374686362. But while OpenDNSSEC was running, I changed the serial in the unsigned file to 1374686465, and then the command "ods-signer sign --all" was called. The resulting serial in the signed file was 1374686362+1=1374686363, not 1374686465+1=1374686466.
      Having discovered that, I read the code.
      In my opinion, there is a problem in the function "ods_status namedb_update_serial(namedb_type* db, const char* format, uint32_t inbound_serial)" in the file "namedb.c". I changed some code like this:
      from:
          if (!db->is_initialized) {
              db->intserial = soa;
          } else {
              db->intserial += update; /* automatically does % 2^32 */
          }
      changed to:
          if (soa < db->intserial) {
              db->intserial += update; /* automatically does % 2^32 */
          } else {
              db->intserial = soa;
          }

      I thought that the zone file is initialized just once, when it is loaded into OpenDNSSEC. But when it is changed, db->intserial is not its real serial; it should be reinitialized. At least, the serial should be max(soa, db->intserial+update) (in the code above), to ensure that the serial in the signed zonefile is bigger than or equal to the one in the unsigned zonefile.
      Can you tell me whether this is right? Thank you!
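
The serial behaviour described in this report, as an added example (not OpenDNSSEC code and not part of the original report): a small C model that compares the observed increment-only result with the max(soa, intserial + update) rule the reporter proposes. The function names are hypothetical, and the comparison uses RFC 1982 serial arithmetic, an assumption added here so the rule also holds when the 32-bit serial wraps.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 1982 comparison for 32-bit DNS serials: nonzero if a is newer than b.
 * A distance of exactly 2^31 is undefined in the RFC; treated as "not newer". */
static int serial_gt(uint32_t a, uint32_t b)
{
    return a != b && (uint32_t)(a - b) < 0x80000000u;
}

/* Hypothetical model of the behaviour the report observed: the inbound
 * serial is used on first load only, afterwards the counter just increments. */
uint32_t observed_serial(int initialized, uint32_t prev_out, uint32_t inbound)
{
    return initialized ? prev_out + 1u : inbound + 1u;
}

/* Hypothetical model of the rule the report asks for:
 * next = max(inbound + 1, previous outbound + 1), in serial arithmetic. */
uint32_t next_counter_serial(int initialized, uint32_t prev_out, uint32_t inbound)
{
    uint32_t from_input = inbound + 1u;   /* unsigned add wraps mod 2^32 */
    uint32_t from_prev  = prev_out + 1u;

    if (!initialized)
        return from_input;
    return serial_gt(from_input, from_prev) ? from_input : from_prev;
}

int main(void)
{
    /* Serial values taken from the report. */
    uint32_t first = next_counter_serial(0, 0u, 1374686361u);

    printf("first sign:          %" PRIu32 "\n", first);
    printf("observed after edit: %" PRIu32 "\n",
           observed_serial(1, first, 1374686465u));
    printf("max rule after edit: %" PRIu32 "\n",
           next_counter_serial(1, first, 1374686465u));
    printf("input unchanged:     %" PRIu32 "\n",
           next_counter_serial(1, first, 1374686361u));
    /* Constructed wrap case: a plain '<' would rank 4 below 4294967291. */
    printf("input wrapped:       %" PRIu32 "\n",
           next_counter_serial(1, 4294967290u, 3u));
    return 0;
}
```
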

              People

              Assignee:
              matthijs Matthijs Mekking
              Reporter:
              zhangjianming zhangjianming