Hi Tomas!

I cannot speak about INCEPTION-INCREMENT. But I remember that when we had to decide which increment method to choose, we chose INCREMENT-WEEKS because it is the only method that always works, regardless of the serial format chosen by the zone editor. With INCREMENT-WEEKS the serial does not look nice, but it works.

regards
Klaus

> -----Original Message-----
> From: Pdns-users <pdns-users-boun...@mailman.powerdns.com> On
> Behalf Of Tomas Habarta via Pdns-users
> Sent: Thursday, 25 August 2022 10:42
> To: pdns-users@mailman.powerdns.com
> Subject: [Pdns-users] INCEPTION-INCREMENT for a signed zone
>
> Hello,
>
> could anyone please shed some light on SOA-EDIT for a signed zone?
>
> Setup:
> PowerDNS Authoritative Server 4.6.2, hidden master, isc bind slaves, bind
> backend, default-soa-edit-signed=INCEPTION-INCREMENT, zone makes use
> of YYYYMMDDSS serial
>
> Situation:
> I have got a zone which is "maintained" by people who don't know (and even
> don't want to know) anything about dnssec. They just use it the same way
> for ages -- open file, add/remove record, increase serial and reload.
> Recently, there has been pressure to sign this zone as it is a subzone of
> an already signed one...
> Since the serial is YYYYMMDDSS format, they are used to start with 00 which
> then makes trouble when using INCEPTION-INCREMENT for soa-edit-signed.
>
> On inception day:
> When RRSIG changes on inception day, serial is correctly increased, but when
> it comes to the zone modification the same day, with the second edit, there
> is no serial increase, so it looks like this (202208 part omitted):
>
> zone    pdns
> ------------
> 2307 -> 2501
> 2500 -> 2502    1st zone edit
> 2501 -> 2502    2nd zone edit
> 2502 -> 2503
> 2503 -> 2504
>
> Problem is the second edit as no serial increase means no public masters
> update -- we run a hidden master, so this is not much a real big thing but
> still a bit confusing. Reading operation instructions does not make it more
> clear as it seems to be dated (increment 2). Looking at the source in
> pdns/serialtweaker.cc and history of the changes (mainly #2377) it seems it
> used to be that way but had other consequences...
> I am sure there must be some historical reasons why it was designed the way
> it is (mainly initial skip by 2 seems to complicate things unnecessarily), but
> with my limited view I am unable to spot them or see the possible harm on
> other parts of pdns... Of course, I can work around that, but this still
> involves a human factor...
> Anyway, any information on this will be appreciated.
>
>
> Many thanks
> Tomas
> _______________________________________________
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
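
The serial behaviour discussed in this thread, as an added example that is not part of the original messages and is not PowerDNS code: `inception_increment` is a model fitted to the five rows of the table in the quoted post (how it treats serials outside those rows is an assumption), and `increment_weeks` follows the documented behaviour of adding the number of weeks since the UNIX epoch. The function names, `stalled_edits` and the sample data are hypothetical; the serials are the post's values with the omitted 202208 prefix restored.

```python
from datetime import datetime, timezone

WEEK = 7 * 86400

def inception_increment(old: int, inception: datetime) -> int:
    # Model fitted to the table in the post (assumption, not PowerDNS source).
    first = int(inception.strftime("%Y%m%d")) * 100 + 1   # <inceptionday>01
    if old < first - 1:      # backend serial older than <inceptionday>00
        return first
    if old <= first:         # <inceptionday>00 and <inceptionday>01 both map to 02
        return first + 1
    return old + 1           # assumed to continue as in the last two table rows

def increment_weeks(old: int, inception: datetime) -> int:
    # Documented behaviour: add the number of whole weeks since the UNIX epoch.
    return (old + int(inception.timestamp()) // WEEK) & 0xFFFFFFFF

def serial_newer(new: int, cur: int) -> bool:
    # RFC 1982 serial comparison, used by a secondary to decide whether to transfer.
    return 0 < ((new - cur) & 0xFFFFFFFF) < 2**31

def stalled_edits(backend_serials, mode, inception):
    """Backend serials whose published serial is not newer than the previous one."""
    stalled, prev = [], None
    for serial in backend_serials:
        published = mode(serial, inception)
        if prev is not None and not serial_newer(published, prev):
            stalled.append(serial)   # secondaries would not pick up this edit
        prev = published
    return stalled

# Constructed input: the backend serials from the table, inception on 25 Aug 2022.
INCEPTION = datetime(2022, 8, 25, tzinfo=timezone.utc)
EDITS = [2022082307, 2022082500, 2022082501, 2022082502, 2022082503]

if __name__ == "__main__":
    for name, mode in (("INCEPTION-INCREMENT", inception_increment),
                       ("INCREMENT-WEEKS", increment_weeks)):
        published = [mode(s, INCEPTION) for s in EDITS]
        print(name, published, "stalled:", stalled_edits(EDITS, mode, INCEPTION))
```

Because INCREMENT-WEEKS adds the same offset to every backend serial within a signing week, any increase made by the zone editor carries through to the published serial, whatever serial format is in use.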