On Tue, 1 Feb 2011, Torinthiel wrote:
> Third is about the -N option: a well established practice (although I don't know what its origin was) is to set the SOA serial number to e.g. 2011020101, which is the current day plus two digits for the daily version. This has the benefit of being almost as good as putting the unixtime of the last modification, while being much more human-readable. How difficult would it be to implement this for dnssec-signzone -N, using a fourth format specifier?
It's not hard. See my bind-users post of Oct 15 with the subject "more flexible serial number handling in dnssec-signzone".

Since then I've quit using the serial number fiddling ability of dnssec-signzone. The problem is that it doesn't increment the serial number in the unsigned file, so future uses of "dnssec-signzone -N" could result in the same or even lower values. Instead, I created a zap-serial tool to zap the serial number in place within the unsigned zone file, either to a new literal value or by incrementing the old number. My DNSSEC-related processes now zap the serial number before signing with dnssec-signzone.

You can find the C source for zap-serial & some possibly useful other DNSSEC-related scripts here (at least for now): http://seatpost.its.uiowa.edu/bind_stuff

________________________________________________________________________
Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-5555, fax: 319-335-2951

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
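The in-place serial bump described in the reply, combined with the YYYYMMDDnn scheme from the quoted question, as an added example (this is not Jay's zap-serial tool, whose source is at the URL above). It assumes the zone has one SOA record whose serial is the first numeric field after MNAME and RNAME, and it never lets the serial go backwards, which is the failure mode of re-running dnssec-signzone -N against an unchanged unsigned file.

```python
# Added example (not the zap-serial tool from the post): bump the SOA serial of
# an unsigned zone file in place, using the YYYYMMDDnn scheme discussed above.
import re
from datetime import date

MAX_SERIAL = 2**32 - 1  # SOA serial is an unsigned 32-bit integer (RFC 1035)

# Assumption: serial is the first numeric field after MNAME and RNAME, possibly
# preceded by an opening parenthesis and ";" comment lines.
_SOA_SERIAL = re.compile(
    r"(\bSOA\s+\S+\s+\S+\s*\(?\s*(?:;[^\n]*\n\s*)*)(\d+)", re.IGNORECASE
)


def next_serial(old: int, today: date) -> int:
    """Return a serial strictly greater than `old`.

    Prefer today's first date-based value (YYYYMMDD01). If the stored serial
    is already at or beyond it (same-day re-sign, or a serial that was pushed
    into the future), fall back to old + 1 so the serial never goes backwards.
    """
    candidate = int(today.strftime("%Y%m%d")) * 100 + 1
    new = candidate if candidate > old else old + 1
    if new > MAX_SERIAL:
        raise ValueError("serial would overflow 32 bits; renumber the zone")
    return new


def bump_zone_serial(zone_text: str, today: date):
    """Rewrite the SOA serial in zone_text; return (new_text, old, new)."""
    m = _SOA_SERIAL.search(zone_text)
    if m is None:
        raise ValueError("no SOA serial found")
    old = int(m.group(2))
    new = next_serial(old, today)
    return zone_text[: m.start(2)] + str(new) + zone_text[m.end(2):], old, new


# Constructed sample zone (not from the post).
SAMPLE_ZONE = """\
$TTL 3600
@   IN  SOA ns1.example.net. hostmaster.example.net. (
        2011020101  ; serial
        7200 900 1209600 3600 )  ; refresh retry expire minimum
@   IN  NS  ns1.example.net.
"""

if __name__ == "__main__":
    text, old, new = bump_zone_serial(SAMPLE_ZONE, date(2011, 2, 2))
    print(f"serial {old} -> {new}")
```

Run it against the unsigned zone before dnssec-signzone so the signed copy and the unsigned master agree on the serial; if a run happens on the same day, or the stored serial is somehow ahead of today's date, the fallback of old + 1 still yields a strictly increasing value.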