Hi,

We are using the keep strategy and would prefer if this option
stayed available.
We are periodically generating a new zone (with a new serial),
making various checks, signing it and running checks against the signed zone - it's
convenient that the serial stays the same after signing (as it was generated).

--
Best Regards,
Tomas Simonaitis
.lt, Domreg.lt

On 31/05/2017 13:40, Yuri Schaeffer wrote:
Hi,

One of the SOA serial strategies OpenDNSSEC has is keep. OpenDNSSEC will
never change the serial it receives from the master, it will be just
copied over. As a consequence only changes to the signed zone can be
made when a change from the master comes in. OpenDNSSEC will not be able
to refresh signatures (and thus they might expire) until a change comes
in. OpenDNSSEC cannot ensure validity of a zone.

Personally I think the keep strategy is just generally a bad idea. I'm
thinking about deprecating the keep strategy in favour of simpler code
and less chance to shoot yourself in the foot. Therefore I'd like to
know if there (still) is actually any demand for this feature. An
important use case I'm missing. Is anyone using this?


_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
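
Added example, not part of either message above and not OpenDNSSEC code: with the keep strategy, signatures are only refreshed when the master sends a new serial, so an operator can watch the earliest RRSIG expiration in the signed zone and push a new serial before it passes. The zone excerpt, the `warn_window` threshold and the status names are assumptions made for this sketch.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample zone excerpt (names, key tag and signature data are made up).
# Assumes one record per line with explicit TTL and class, and RRSIG times in
# YYYYMMDDHHmmSS form (not the alternative epoch-seconds form).
SAMPLE_ZONE = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2017053101 3600 600 1209600 3600
example.test. 3600 IN RRSIG SOA 8 2 3600 20170614120000 20170531120000 12345 example.test. c2lnMQ==
example.test. 3600 IN RRSIG NS 8 2 3600 20170610120000 20170527120000 12345 example.test. c2lnMg==
www.example.test. 3600 IN RRSIG A 8 3 3600 20170612120000 20170529120000 12345 example.test. c2lnMw==
"""

def soa_serial(zone_text):
    """Return the serial of the first SOA record, or None if there is none."""
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[2] == "IN" and f[3] == "SOA":
            return int(f[6])
    return None

def rrsig_expirations(zone_text):
    """Return (expiration, owner, type covered) for every RRSIG, earliest first."""
    out = []
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) >= 9 and f[2] == "IN" and f[3] == "RRSIG":
            expires = datetime.strptime(f[8], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
            out.append((expires, f[0], f[4]))
    return sorted(out)

def check_keep_zone(zone_text, now, warn_window=timedelta(days=3)):
    """Classify a keep-strategy zone by how close its earliest signature is to expiry."""
    sigs = rrsig_expirations(zone_text)
    if not sigs:
        raise ValueError("no RRSIG records found; is this the signed zone?")
    expires, owner, covered = sigs[0]
    remaining = expires - now
    if remaining <= timedelta(0):
        status = "EXPIRED"
    elif remaining <= warn_window:
        status = "NEEDS_NEW_SERIAL"  # signer will not re-sign until the serial changes
    else:
        status = "OK"
    return {"status": status, "serial": soa_serial(zone_text),
            "owner": owner, "covered": covered, "expires": expires}

if __name__ == "__main__":
    print(check_keep_zone(SAMPLE_ZONE, datetime(2017, 6, 8, 12, tzinfo=timezone.utc)))
```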
