Hi! With ODS 1.2 we used to sign our zones twice. First with the incoming SOA serial (a unix timestamp), and a second time with a serial of original + 2 weeks. The first signed zone was deployed to the public.

The second one, with the larger serial, was archived and kept for emergencies, in case there was an ongoing problem with the signing process that deployed a broken zone. Then we could easily deploy an older zone file manually with a higher serial, so that all slaves accept the old zone. To achieve this we always signed with "--serial".

Now, with ODS 2.0, it seems this is not possible anymore. Once a zone is signed with a certain serial, a lower serial is no longer accepted by the signer. Reading the code, it also seems there is no hidden option to bypass this "safety feature". Does someone know a trick to achieve the behaviour of ODS 1.2, i.e. to accept and force any serial? (We know what we are doing.) If not, please consider this a feature request.

Thanks
Klaus

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
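The emergency scheme in the post relies on RFC 1982 serial arithmetic: slaves take the archived zone only if its serial compares as greater than the one currently published. The following added example (not from the post or from OpenDNSSEC) checks that for constructed timestamp serials and also models, as an assumption, a signer that refuses any serial not above the last one it signed, which is the ODS 2.0 behaviour Klaus describes.

```python
"""RFC 1982 serial arithmetic for the two-serial signing scheme.

Public zone: incoming SOA serial (unix timestamp).
Archived emergency zone: that serial plus two weeks.
"""

SERIAL_BITS = 32
MOD = 1 << SERIAL_BITS          # serials live in a 32-bit space
HALF = 1 << (SERIAL_BITS - 1)   # comparison window per RFC 1982

def serial_gt(a: int, b: int) -> bool:
    """True if serial a is greater than serial b in RFC 1982 terms.

    Wrap-around aware: 0 is "greater" than 2**32 - 1, for example.
    (a - b == 2**31 is undefined in the RFC and treated as not greater.)
    """
    a %= MOD
    b %= MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)

def emergency_serial(public_serial: int, weeks: int = 2) -> int:
    """Serial for the archived fallback zone: public serial + N weeks."""
    return (public_serial + weeks * 7 * 86400) % MOD

def slaves_accept(current_public: int, candidate: int) -> bool:
    """Would secondaries transfer 'candidate' over the zone they hold?"""
    return serial_gt(candidate, current_public)

def strict_signer_accepts(last_signed: int, requested: int) -> bool:
    """Assumed model of a signer that refuses serials not above its last one.

    This mirrors the ODS 2.0 behaviour described in the post; it is not
    OpenDNSSEC code.
    """
    return serial_gt(requested, last_signed)

if __name__ == "__main__":
    public = 1500000000                  # constructed unix-timestamp serial
    fallback = emergency_serial(public)  # 1501209600
    print("slaves take fallback:", slaves_accept(public, fallback))
    # After the fallback is live, a fresh timestamp serial an hour later is
    # lower than the published one, so slaves ignore it and a strict signer
    # refuses it until the timestamps catch up (two weeks later).
    later = public + 3600
    print("slaves take later zone:", slaves_accept(fallback, later))
    print("strict signer takes later:", strict_signer_accepts(fallback, later))
```

The last two prints come out False, which is exactly why the 1.2 workflow needed "--serial" to force an arbitrary value after a rollback.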
