BIND Inline-Signing Serial Numbers Cruncher

I know that BIND correctly changes the serial numbers of zones when inline signing and auto-dnssec are enabled. However, I got confused once more when I looked at some of my SOA records. So, just for the record, here is an example of how the serial numbers increase while the admin has not changed anything manually in the zone files.

[This blogpost is part of a series about DNSSEC. Refer to this structured list for all articles.]

Following are three sections that each show the real zone file directly from the server directory (cat db.sshfp.net) as well as the SOA record as it is delivered by the authoritative DNS server (dig sshfp.net soa +multi @ns1.weberdns.de).

One more sentence about BIND's inline signing process: “Inline signing works by taking the zone file you manually maintain, transforming it into a dynamic zone, and signing the dynamic zone. DNSSEC changes are made to the journal file. As a result of this, the serial number shown to the world can differ from the serial number in your file”, Michael W. Lucas.

Section One

This is the zone file which was not touched for several weeks. Note the serial of 2016090105:

While the actual SOA record looked like this (serial 2016090133!):


Section Two

After I increased the serial number by one (though it was not the correct date; I just wanted to test it this way), the actual SOA record was increased by one, too:


Section Three

Finally, I changed something within the zone and set the serial number to the correct date with a counter of 01. After a reload of the zone, the actual SOA record had exactly the same serial number, since there had been no automatic signing event in the meantime.


That’s it. So don’t get confused by your own serial numbers. ;)

Featured image: “Serial number plate” by Kirill Ignatyev is licensed under CC BY-NC 2.0.

One thought on “BIND Inline-Signing Serial Numbers Cruncher”

  1. The default “serial-update-method” is ‘increment’ which does exactly that. Change to ‘unixtime’, say, for better granularity. (See BV9ARM)
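The following script is an added example, not code from the original post or from BIND. It ties together the post's three sections and the comment above: it pulls the serial out of a SOA record in either zone-file or dig +multi layout, compares the file serial with the served serial using RFC 1982 serial arithmetic (so a wrapped serial is still ordered correctly), and emulates the serial-update-method choices increment, unixtime and date as the BIND ARM describes them. The record text, the hostmaster mailbox, the SOA timers and the section-three date (2016092801) are constructed; only the serials 2016090105 and 2016090133 and the name ns1.weberdns.de come from the post. The rule in signed_serial_after_reload() (take the raw serial when it is ahead, otherwise bump by the update method) is a model that reproduces the post's observations, not a statement of BIND's source code.

```python
"""Added example: SOA serial parsing, RFC 1982 comparison and an emulation of
BIND's serial-update-method, applied to the serials quoted in the post."""
import re
import time

SERIAL_MOD = 1 << 32    # serials are 32-bit unsigned
SERIAL_HALF = 1 << 31   # RFC 1982 comparison threshold

# Constructed zone file text in the on-disk layout (mailbox and timers are placeholders).
ZONE_FILE = """\
$TTL 3600
@   IN SOA ns1.weberdns.de. hostmaster.example.net. (
        2016090105 ; serial
        3600       ; refresh
        900        ; retry
        2419200    ; expire
        3600 )     ; minimum
"""

# Constructed answer in the `dig sshfp.net soa +multi` layout for the same zone.
DIG_ANSWER = """\
sshfp.net.  3600 IN SOA ns1.weberdns.de. hostmaster.example.net. (
                                2016090133 ; serial
                                3600       ; refresh (1 hour)
                                900        ; retry (15 minutes)
                                2419200    ; expire (4 weeks)
                                3600       ; minimum (1 hour)
                                )
"""

# SOA RDATA is MNAME RNAME SERIAL ...; the serial is the first integer after the
# two names, with an optional "(" when the record spans several lines.
_SOA_RE = re.compile(r"\bSOA\s+\S+\s+\S+\s*\(?\s*(\d+)")


def soa_serial(text):
    """Return the SOA serial found in zone-file or dig output text."""
    m = _SOA_RE.search(text)
    if not m:
        raise ValueError("no SOA record found")
    serial = int(m.group(1))
    if serial >= SERIAL_MOD:
        raise ValueError("serial does not fit in 32 bits")
    return serial


def serial_lt(a, b):
    """RFC 1982 section 3.2: a < b in 32-bit serial arithmetic."""
    return (a < b and b - a < SERIAL_HALF) or (a > b and a - b > SERIAL_HALF)


def compare_serials(file_serial, served_serial):
    """Classify the served serial against the file serial: (relation, distance)."""
    if file_serial == served_serial:
        return ("equal", 0)
    if serial_lt(file_serial, served_serial):
        # Normal with inline signing: every re-signing event bumped the journal.
        return ("served ahead", (served_serial - file_serial) % SERIAL_MOD)
    if serial_lt(served_serial, file_serial):
        # The file was bumped but the signed zone has not been reloaded yet.
        return ("served behind", (file_serial - served_serial) % SERIAL_MOD)
    return ("undefined", SERIAL_HALF)  # exactly 2^31 apart: RFC 1982 defines no order


def next_serial(current, method, now=None):
    """One serial update as the BIND ARM describes serial-update-method (UTC dates)."""
    if now is None:
        now = int(time.time())
    if method == "increment":
        candidate = 0  # never larger than current, so always falls through to +1
    elif method == "unixtime":
        candidate = now
    elif method == "date":
        candidate = int(time.strftime("%Y%m%d", time.gmtime(now))) * 100
    else:
        raise ValueError("unknown serial-update-method: %r" % method)
    if candidate > current:
        return candidate
    return ((current + 1) % SERIAL_MOD) or 1  # skip 0 on wrap, as BIND does


def signed_serial_after_reload(signed, raw, method, now=None):
    """Model of the post's observations: a raw serial that is ahead wins,
    otherwise the signed zone's serial is bumped by the update method."""
    if serial_lt(signed, raw):
        return raw
    return next_serial(signed, method, now)


def walk_through_post():
    """Replay the post's three sections; one (relation, distance) per section."""
    raw = soa_serial(ZONE_FILE)      # 2016090105, untouched for weeks
    signed = soa_serial(DIG_ANSWER)  # 2016090133, 28 re-signing events later
    one = compare_serials(raw, signed)
    raw += 1                         # section two: admin bumps the file by one
    signed = signed_serial_after_reload(signed, raw, "increment")
    two = compare_serials(raw, signed)
    raw = 2016092801                 # section three: constructed date-based serial
    signed = signed_serial_after_reload(signed, raw, "increment")
    three = compare_serials(raw, signed)
    return [one, two, three]


if __name__ == "__main__":
    for section, result in zip(("one", "two", "three"), walk_through_post()):
        print("section %s: %s by %d" % (section, *result))
```

Two things worth noticing when running it: compare_serials() reports the post's 28-step gap and the "equal" result after the date-based reload, and next_serial(2016090133, "unixtime") does not jump to a timestamp but to 2016090134, because a date-style serial is already larger than the current Unix time and the ARM rule then only increments. Switching an existing date-style zone to unixtime therefore changes nothing visible until the clock catches up.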
