Hi Einar,

One question regarding the serial: Is it possible to set or increase the serial (when using difference-no-serial) in some other way than simply changing the zone and reloading?
Do you need to BUMP the SOA serial without any other change in the zone? There might be a trick that would do this, but it's not kind of a supported feature. Why would you need it?

We're using serial-policy: dateserial, and we're running two signers, one active and one backup. The hidden primaries get updates from the active signer. If we need to change from the active to the backup, the serial will probably be out of sync and possibly some way off. If the backup signer has a lower serial than what the prior active signer had, then we'll need to fix it so the primaries start to accept updates from it.
I strongly recommend that the two signers are completely in sync. Could you imagine that the hidden master runs a zone from signer1, and suddenly transfers an IXFR with a diff of the zone in signer2, and applies it on the zone? In that case, it's better when the secondaries don't transfer automatically, rather by forced AXFR (knotc zone-retransfer).

I think the best way would be to change to serial-policy: unixtime, that way every zone update is certain to increase the serial, but this will require working with 3rd parties providing secondaries, to force the first update after switching to unixtime.

I'd be interested to know if there was some way to do something like `knotc zone-set-serial pp.is 2022012110` to force a new serial?
(I've combed through knotc man page, I know it's not there....)

.einar
--

Anyway, the setup of redundant signers is still an unexplored field in DNS overall. You might lead the development here, and my opinion is that SOA serials are among the smallest problems here.

Looking forward to discussing more next week :)

Cheers,

Libor
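To illustrate the serial comparison behind this exchange (why a secondary rejects a backup signer whose dateserial is lower, and why a switch from dateserial to unixtime needs a forced first transfer), here is an added Python example; it is not code from the thread or from Knot DNS, and the dates and serial values are constructed for the illustration.

```python
"""RFC 1982 serial-number arithmetic applied to the two serial policies
discussed in the thread (dateserial and unixtime).

Added example, not Knot DNS code. Serial values are constructed: the
dateserial 2022012110 is the one quoted in the thread; the unix timestamp
is an assumed time on the same day (2022-01-21 12:00 UTC).
"""
import datetime

SERIAL_BITS = 32
HALF = 1 << (SERIAL_BITS - 1)   # 2^31, the RFC 1982 "half-space" boundary
MOD = 1 << SERIAL_BITS          # serials live in a 32-bit ring


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is newer than b under RFC 1982 arithmetic.

    a is newer when it is numerically larger by less than 2^31, or
    numerically smaller but wrapped around by more than 2^31.
    """
    a %= MOD
    b %= MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def dateserial(day: datetime.date, revision: int) -> int:
    """serial-policy: dateserial -> YYYYMMDDnn (two-digit revision per day)."""
    if not 0 <= revision <= 99:
        raise ValueError("dateserial allows at most 100 revisions per day")
    return int(day.strftime("%Y%m%d")) * 100 + revision


def unixtime_serial(when: datetime.datetime) -> int:
    """serial-policy: unixtime -> seconds since the Unix epoch."""
    return int(when.timestamp())


def secondary_accepts(current: int, offered: int) -> bool:
    """A secondary only transfers a zone whose SOA serial is newer than
    the one it already holds; anything older or equal is ignored."""
    return serial_gt(offered, current)


# Constructed scenario: the hidden primary holds the active signer's
# dateserial, and the backup signer (a day behind) or a freshly switched
# unixtime policy offers a new serial.
ACTIVE_SERIAL = dateserial(datetime.date(2022, 1, 21), 10)        # 2022012110
BACKUP_SERIAL = dateserial(datetime.date(2022, 1, 20), 5)         # 2022012005
UNIX_SERIAL = unixtime_serial(
    datetime.datetime(2022, 1, 21, 12, 0, tzinfo=datetime.timezone.utc))
```

Because a 2022 dateserial (about 2.02e9) is numerically above the current unix time (about 1.64e9) by less than 2^31, a plain switch to unixtime is seen as older by every secondary, which is exactly why the first update after the switch has to be forced.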
