On 02/01/11 22:13, Jay Ford wrote:
> On Tue, 1 Feb 2011, Torinthiel wrote:
>> Third is about -N option:
>> a well-established practice (although I don't know what was the origin) is
>> to set SOA serial number to e.g. 2011020101, which is current day and
>> two-digit daily version. This has benefit of being almost as good as
>> putting unixtime of last modification, while being much more human-readable.
>> How difficult would it be to implement this for dnssec-signzone -N, using a
>> fourth format specifier?
>
> It's not hard. See my bind-users post of Oct 15 with subject:
> more flexible serial number handling in dnssec-signzone
>
> Since then I've quit using the serial number fiddling ability of
> dnssec-signzone. The problem is that it doesn't increment the serial number
> in the unsigned file, so future uses of "dnssec-signzone -N" could result
> in the same or even lower values.

Yes, that's a problem. Combined with ldns-read-zone and the answer to my first
question this could make dnssec-signzone read the good SOA record. I was also
thinking of simply changing it by sed in a script.

> Instead, I created a zap-serial tool to zap the serial number in place within
> the unsigned zone file, either to a new literal value or incrementing the old
> number. My DNSSEC-related processes now zap the serial number before signing
> with dnssec-signzone. You can find the C source for zap-serial & some
> possibly useful other DNSSEC-related scripts here (at least for now):
> http://seatpost.its.uiowa.edu/bind_stuff

Nice set of scripts. I was thinking of writing my own with probably similar
functionality, but I'll start with those. Main difference is that I don't store
keys online, so I'd like the scripts to notify me that signing is necessary
instead of signing.

Torinthiel
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
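The two ideas in this exchange, a YYYYMMDDnn serial that always moves forward and a "zap the serial in the unsigned file before signing" step, as an added example that is not Jay Ford's zap-serial tool nor any BIND code. It assumes a small constructed zone file (not from the thread), a multi-line SOA in the usual parenthesised layout, and the workflow described above in which dnssec-signzone is run without -N so the signed file simply carries the unsigned file's serial; the `needs_signing` check at the end is the "tell me signing is necessary" variant for a setup where keys are kept offline.

```python
import re
from datetime import date

SERIAL_LIMIT = 2 ** 32  # SOA serial is a 32-bit unsigned integer (RFC 1982)

# First integer after the SOA MNAME and RNAME fields, whether the record sits on
# one line or is spread over several lines inside parentheses with comments.
_SOA_SERIAL = re.compile(
    r"(\bSOA\s+\S+\s+\S+\s*(?:\(\s*)?(?:;[^\n]*\n\s*)*)(\d+)",
    re.IGNORECASE,
)


def next_serial(current: int, today: date) -> int:
    """Next YYYYMMDDnn serial that is strictly greater than `current`.

    If the zone was last edited on an earlier day, start today's counter at 01;
    otherwise just increment, so the result keeps growing even when the current
    serial is unixtime-style or already at today's 99th edit.
    """
    base = int(today.strftime("%Y%m%d")) * 100
    candidate = base + 1 if current < base else current + 1
    if candidate >= SERIAL_LIMIT:
        raise ValueError("serial would exceed 32 bits; needs RFC 1982 wrap handling")
    return candidate


def read_serial(zone_text: str) -> int:
    """Extract the SOA serial from zone-file text."""
    m = _SOA_SERIAL.search(zone_text)
    if m is None:
        raise ValueError("no SOA record with a numeric serial found")
    return int(m.group(2))


def zap_serial(zone_text: str, new_serial: int) -> str:
    """Rewrite the SOA serial in place, leaving every other byte untouched."""
    m = _SOA_SERIAL.search(zone_text)
    if m is None:
        raise ValueError("no SOA record with a numeric serial found")
    return zone_text[: m.start(2)] + str(new_serial) + zone_text[m.end(2):]


def bump_zone(zone_text: str, today: date) -> tuple[str, int]:
    """Zap the unsigned zone's serial to the next date-based value before signing."""
    new_serial = next_serial(read_serial(zone_text), today)
    return zap_serial(zone_text, new_serial), new_serial


def needs_signing(unsigned_zone: str, signed_zone: str) -> bool:
    """True when the unsigned file has been bumped past the signed copy.

    Assumption: the serial is zapped in the unsigned file and dnssec-signzone is
    run without -N, so the signed file carries whatever serial it was given.
    """
    return read_serial(unsigned_zone) > read_serial(signed_zone)


# Constructed sample zone (not from the thread): multi-line SOA with comments.
SAMPLE_ZONE = """\
$TTL 3600
example.com.     IN  SOA  ns1.example.com. hostmaster.example.com. (
                          2011020101  ; serial
                          3600        ; refresh
                          900         ; retry
                          604800      ; expire
                          300 )       ; minimum
example.com.     IN  NS   ns1.example.com.
ns1.example.com. IN  A    192.0.2.1
"""

if __name__ == "__main__":
    bumped, serial = bump_zone(SAMPLE_ZONE, date(2011, 2, 1))
    print("new serial:", serial)  # 2011020102 for a second edit on 2011-02-01
    print("signing needed:", needs_signing(bumped, SAMPLE_ZONE))
```

The increment rule is the part that matters: because the new value is always `max(today*100, current) + 1`, a zone that was previously carrying a unixtime serial (about 1.29e9 in 2011, below 2011020100) jumps cleanly onto the date scheme, and a zone edited more than 99 times in a day keeps increasing instead of stalling or going backwards, which is exactly the failure mode of letting dnssec-signzone -N pick a value the unsigned file never sees.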