On 09/20/2012 07:25 AM, Paul Wouters wrote:
>
> Hi,
>
> When using a serial policy of keep, opendnssec can get into a state from
> which it never recovers without human intervention.
>
> Say you use unsigned serials of YYYYMMDDHH. The second time you sign
> within the same hour, you will get:
>
> Sep 20 01:23:30 signer01 ods-signerd: [namedb] cannot keep SOA SERIAL
> from input zone (2012092001): previous output SOA SERIAL is 2012092001
> Sep 20 01:23:30 signer01 ods-signerd: [adapter] unable to add rr to zone
> XXX: failed to replace soa serial rdata (Conflict detected)
>
> I'd prefer that specifying "keep" means "yes I know the serial might not
> increase, just continue."
No. keep is meant to have human intervention. If you want the serial to
increase, use counter. Do you perhaps propose a new serial policy
"keep-unless-resign-is-needed" (needs a better name I guess) that has this
behavior?

> But the real problem is that when you reach the next hour, and your
> unsigned serial moved to 2012092002, the current sign job for
> 2012092001 is still partially done within opendnssec, and it will not
> update the soa serial from the new unsigned zone, so again it aborts,
> hour after hour, until a human cleans up the files in signed/* and tmp/*

I assume you updated the serial and afterwards ran ods-signer sign zone?

Best regards,

Matthijs

>
> Paul
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
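The exchange above turns on what "keep" and "counter" do when the unsigned zone's SOA serial has not moved since the last signing. The following Python model is an added example for this thread; it is not OpenDNSSEC code and does not model the signer's on-disk state (signed/*, tmp/*) or a partially completed sign job. It implements RFC 1982 serial comparison and a simplified reading of the two policies: "keep" publishes the input serial or refuses when that would not move the published serial forward (the condition behind the "cannot keep SOA SERIAL" log line), and "counter" falls back to previous output + 1. The exact fallback rule for counter is an assumption of this model, as is the replay() driver, which feeds it the YYYYMMDDHH serials from the thread.

```python
"""SOA serial selection under the "keep" and "counter" policies, modelled
with RFC 1982 serial arithmetic.

Added illustration for the opendnssec-user thread above. This is NOT
OpenDNSSEC code: it carries no partial-job state and no files, and the
policy rules are a simplified reading of the two policies named in the
thread (assumptions of this model, not the signer's implementation).
"""

SERIAL_MOD = 2 ** 32    # SOA serial is an unsigned 32-bit counter
HALF_RANGE = 2 ** 31    # RFC 1982 comparison window


class SerialConflict(Exception):
    """The policy cannot produce a serial that is 'greater' than the one
    already published, so the signed zone must not be rewritten."""


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 'greater than' for 32-bit serials (wraparound aware).

    0 is greater than 2**32 - 1 because the counter wrapped; two equal
    serials are never greater than each other.
    """
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    return (a < b and b - a > HALF_RANGE) or (a > b and a - b < HALF_RANGE)


def serial_add(a: int, n: int) -> int:
    """RFC 1982 addition: advance a serial by n, wrapping at 2**32."""
    return (a + n) % SERIAL_MOD


def next_serial(policy: str, input_serial: int, prev_output):
    """Choose the SOA serial for the next signed zone.

    input_serial: serial in the unsigned (input) zone.
    prev_output:  serial last written to the signed zone, or None on the
                  very first signing (nothing to move forward from).

    keep:    publish exactly the input serial; raise SerialConflict if
             that would not move the published serial forward.
    counter: (model assumption) publish the input serial when it is
             greater than prev_output, otherwise prev_output + 1, so the
             published serial always advances.
    """
    if prev_output is None:
        return input_serial % SERIAL_MOD

    if policy == "keep":
        if serial_gt(input_serial, prev_output):
            return input_serial % SERIAL_MOD
        raise SerialConflict(
            f"cannot keep SOA SERIAL from input zone ({input_serial}): "
            f"previous output SOA SERIAL is {prev_output}"
        )

    if policy == "counter":
        if serial_gt(input_serial, prev_output):
            return input_serial % SERIAL_MOD
        return serial_add(prev_output, 1)

    raise ValueError(f"unknown serial policy: {policy!r}")


def replay(policy: str, input_serials):
    """Run successive signings with the given input serials and return
    what each run publishes, or 'conflict' where the policy refused.

    On a conflict the signed zone is left untouched, so prev_output does
    not change. The model has no partial-job state, so a later run with a
    larger input serial succeeds here; the thread reports that the real
    signer stayed stuck until signed/* and tmp/* were cleaned by hand.
    """
    published = []
    prev = None
    for s in input_serials:
        try:
            prev = next_serial(policy, s, prev)
            published.append(prev)
        except SerialConflict:
            published.append("conflict")
    return published


if __name__ == "__main__":
    # Constructed input: YYYYMMDDHH serials from the thread, signed twice
    # within the 01:00 hour and once more after the unsigned serial moved.
    runs = [2012092001, 2012092001, 2012092002]
    print("keep:   ", replay("keep", runs))
    print("counter:", replay("counter", runs))
```

Running it shows keep publishing 2012092001, then refusing the second same-hour signing, then accepting 2012092002, while counter publishes 2012092001, 2012092002, 2012092003 without ever refusing. The wraparound check in serial_gt matters for the same reason: a policy that compared serials as plain integers would refuse forever once a counter wrapped past 2**32 - 1.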
