Einar,
One way to change the serial is:
$ knotc zone-read example.com @ SOA
[example.com.] example.com. 3600 SOA dns1.example.com. hostmaster.example.com. 2022012100 10800 3600 1209600 7200
$ knotc zone-begin example.com
OK
$ knotc zone-set example.com @ 3600 SOA "dns1.example.com. hostmaster.example.com. 2022012105 10800 3600 1209600 7200"
OK
$ knotc zone-commit example.com
OK
Verification:
$ kjournalprint -l 1 example.com
;; Changes between zone versions: 2022012100 -> 2022012105, changeset: 1
;; Removed
example.com. 3600 SOA dns1.example.com. hostmaster.example.com. 2022012100 10800 3600 1209600 7200
example.com. 3600 RRSIG SOA 13 2 3600 20220204193156 20220121180156 20522 example.com. /v6znTSakpL2aJa5p3fcD7tY3vWI/wmQwFADmguy4kl016doOpG4ZAxH3DmhUmV8AKCM7BHp1AfontXHLDeZXQ==
;; Added
example.com. 3600 SOA dns1.example.com. hostmaster.example.com. 2022012105 10800 3600 1209600 7200
example.com. 3600 RRSIG SOA 13 2 3600 20220204194056 20220121181056 20522 example.com. vdB1SHlfCs24AnqOnruK0J05aXFfMn3DcZTTuDDgqsP9t8AN//J1xX7Gw63gnQsBOmeZam8W/CbAlq4wrRPfyQ==
Daniel
On 1/21/22 7:46 PM, libor.peltan wrote:
> Hi Einar,
>
>> One question regarding the serial: Is it possible to set or increase the serial (when using difference-no-serial) in some other way than simply changing the zone and reloading?
>
> Do you need to BUMP the SOA serial without any other change in the zone? There might be a trick that would do this, but it's not kind of a supported feature. Why would you need it?
>
>> We're using serial-policy: dateserial, and we're running two signers, one active and one backup. The hidden primaries get updates from the active signer. If we need to change from the active to the backup the serial will probably be out-of-sync and possibly some way off. If the backup signer has a lower serial than what the prior active signer had, then we'll need to fix it so the primaries start to accept updates from it.
>
> I strongly recommend that the two signers are completely in-sync. Could you imagine that the hidden master runs a zone from signer1, and suddenly transfers an IXFR with a diff of the zone in signer2, and applies it on the zone? In that case, it's better when the secondaries don't transfer automatically, rather by forced AXFR (knotc zone-retransfer).
>
>> I think the best way would be to change to serial-policy: unixtime, that way every zone update is certain to increase the serial, but this will require working with 3rd parties providing secondaries, to force the first update after switching to unixtime.
>>
>> I'd be interested to know if there was some way to do something like `knotc zone-set-serial pp.is 2022012110` to force a new serial?
>> (I've combed through the knotc man page, I know it's not there....)
>>
>> .einar
>> --
>
> Anyway, the setup of redundant signers is still an unexplored field in DNS overall. You might lead the development here, and my opinion is that SOA serials are of the smallest problems here.
>
> Looking forward to discussing more next week :)
>
> Cheers,
> Libor
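The knotc sequence Daniel shows at the top of the thread (zone-read, zone-begin, zone-set, zone-commit), wrapped as a POSIX sh script that also works out the next serial under serial-policy: dateserial. This is an added example, not code from the thread or from Knot DNS; it assumes knotc is on PATH with a working control socket, that `knotc zone-read ZONE @ SOA` prints the single-line form seen above, and it falls back to serial+1 when the day's two-digit counter is exhausted or the zone already carries a future-dated serial.

```shell
#!/bin/sh
# Added example (not from the thread): bump a zone's SOA serial through a
# knotc transaction, keeping the YYYYMMDDnn shape of serial-policy: dateserial.
# Assumes `knotc zone-read ZONE @ SOA` prints one line of the form
#   [zone.] owner. TTL SOA mname. rname. serial refresh retry expire minimum
# RFC 1982 serial wrap-around is not handled here.

# current_serial LINE -> the serial field of a zone-read SOA line
current_serial() {
    printf '%s\n' "$1" | awk '$4 == "SOA" { print $7 }'
}

# soa_ttl LINE -> the TTL field, passed unchanged to zone-set
soa_ttl() {
    printf '%s\n' "$1" | awk '$4 == "SOA" { print $3 }'
}

# rdata_with_serial LINE NEW -> SOA RDATA with the serial replaced; this is
# the string that goes into zone-set's quoted argument
rdata_with_serial() {
    printf '%s\n' "$1" | awk -v new="$2" '$4 == "SOA" { print $5, $6, new, $8, $9, $10, $11 }'
}

# next_dateserial CUR TODAY -> next dateserial, TODAY given as YYYYMMDD (UTC)
next_dateserial() {
    cur=$1 today=$2
    case $cur in
        "$today"[0-9][0-9])
            # same day: bump the two-digit counter ("1nn - 100" avoids the
            # octal reading of values such as 08)
            suffix=${cur#"$today"}
            n=$(( 1$suffix - 100 + 1 ))
            if [ "$n" -le 99 ]; then new=$today$(printf '%02d' "$n"); else new=$cur; fi ;;
        *)  new=${today}00 ;;
    esac
    # counter exhausted, or the serial is already ahead of today's date:
    # plain +1 keeps the serial strictly increasing
    [ "$new" -gt "$cur" ] || new=$((cur + 1))
    printf '%s\n' "$new"
}

# bump_soa_serial ZONE -> zone-begin / zone-set / zone-commit; aborts the
# transaction if a step fails so no half-applied change is left behind
bump_soa_serial() {
    zone=$1
    line=$(knotc zone-read "$zone" @ SOA) || return 1
    cur=$(current_serial "$line")
    [ -n "$cur" ] || return 1
    new=$(next_dateserial "$cur" "$(date -u +%Y%m%d)")
    knotc zone-begin "$zone" &&
        knotc zone-set "$zone" @ "$(soa_ttl "$line")" SOA "$(rdata_with_serial "$line" "$new")" &&
        knotc zone-commit "$zone" ||
        { knotc zone-abort "$zone"; return 1; }
    kjournalprint -l 1 "$zone"   # show the resulting changeset, as in the thread
}

if [ "$#" -eq 1 ]; then bump_soa_serial "$1"; fi
```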