To: Bill Manning <bmanning@isi.edu>, edlewis@arin.net (Edward Lewis)
Cc: bmanning@isi.edu, dnssec@cafax.se
From: Edward Lewis <edlewis@arin.net>
Date: Tue, 15 Oct 2002 13:45:13 -0400
In-Reply-To: <200210151618.g9FGI5211484@boreas.isi.edu>
Sender: owner-dnssec@cafax.se
Subject: Re: troubleshooting...
At 9:18 -0700 10/15/02, Bill Manning wrote:

> not covering up, in this case, the only things that changed
> was the zone was re-signed. same keys, same serial, etc...
> the only diffs were the sigs. :)

It's hard to distinguish at that level. You'd have to AXFR and do a diff to know if "just" the signatures were updated.

>% Using signature validity periods to mark the newerness of data isn't
>% very reliable. It might be that the periods are shortened reversibly
>% in advance of a major change in something.
>
> true, but if the only distinction in the zone data is that
> the sig validity periods are different, then I want to be
> able to use that to troubleshoot. The fix is to correct
> the problem (increment the serial) and resign. Would like
> to verify that these steps are appropriate in identifying
> this particular problem.

I'd prefer if we could somehow just make the serial number increment automatically. I've fought against having the signer do this in the past as the signer should just add/alter the SIG and NXT records, but now there is the DS which is as significant a difference to the signer as the server. I.e., the inclusion of the SIG / NXT depends on what is in the zone data [master file] alone, the DNS depends on that plus another stream of input - the child's key(s).

This is part of where I think DNSSEC hasn't been simplified enough just yet. E.g., when I'm running a registry zone (new term, meaning a zone a'la 192.in-addr.arpa or .nl) I will constantly be resigning it just because of the new key sets being streamed in. The gotcha is that I still need to 'vi' the file to alter that stinkin' serial number even though I'm not altering the original zone file - and that's just counter-intuitive.

Grumble. I'm going to go over there and sit on that rock for a while and sulk.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-703-227-9854 ARIN Research Engineer
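An added example, not code from anyone in this thread: the AXFR-and-diff check described above, written in Python. It compares two snapshots of the same zone and reports whether only the SIG records differ while the SOA serial stayed the same, which is exactly the "re-signed but not bumped" state a secondary would never transfer. The zone name example.test, the record lines and the signature strings are constructed for the example; the parser assumes one record per line in "owner TTL class type rdata" form with no $ directives or parentheses.

```python
# Added example, not code from the thread: flag a zone that was re-signed
# (only SIG records differ) without the SOA serial being incremented.
# Assumes minimal presentation format, one "owner TTL class type rdata" per line.
from collections import Counter

def parse_zone(text):
    """Return (soa_serial, multiset of normalised record lines) for a snapshot."""
    serial, records = None, Counter()
    for raw in text.strip().splitlines():
        line = " ".join(raw.split(";")[0].split())  # drop comments, normalise spaces
        if not line:
            continue
        fields = line.split()
        if fields[3] == "SOA":
            serial = int(fields[6])  # mname rname SERIAL refresh retry expire minimum
        records[line] += 1
    return serial, records

def compare_zones(old_text, new_text):
    """Classify what differs between two copies of the same zone."""
    old_serial, old = parse_zone(old_text)
    new_serial, new = parse_zone(new_text)
    diff = list((old - new).elements()) + list((new - old).elements())
    types = {r.split()[3] for r in diff} - {"SOA"}  # serial is judged separately
    return {
        "serial_changed": old_serial != new_serial,
        "changed_types": sorted(types),
        "only_sigs_changed": bool(types) and types <= {"SIG", "RRSIG"},
    }

def resigned_without_serial_bump(old_text, new_text):
    r = compare_zones(old_text, new_text)
    return r["only_sigs_changed"] and not r["serial_changed"]

def next_serial(serial):
    """Serial-number arithmetic (RFC 1982): increment and wrap at 2^32."""
    return (serial + 1) % 2**32

# Constructed snapshots: NEW_ZONE is OLD_ZONE re-signed a day later with the
# same keys and the same serial; only the SIG validity windows and signatures differ.
OLD_ZONE = """
example.test. 3600 IN SOA ns.example.test. hostmaster.example.test. 2002101501 3600 900 604800 3600
example.test. 3600 IN SIG SOA 1 2 3600 20021114000000 20021015000000 12345 example.test. c2lnMQ==
example.test. 3600 IN NS ns.example.test.
example.test. 3600 IN SIG NS 1 2 3600 20021114000000 20021015000000 12345 example.test. c2lnMg==
"""
NEW_ZONE = (OLD_ZONE.replace("20021114000000 20021015000000", "20021115000000 20021016000000")
            .replace("c2lnMQ==", "c2lnMw==").replace("c2lnMg==", "c2lnNA=="))
```

Running `compare_zones(OLD_ZONE, NEW_ZONE)` on the constructed data reports only SIG records changed and the serial unchanged; bumping the serial in the second copy with `next_serial` makes the check pass.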