Channel: Johannes Weber – Weberblog.net

BIND Inline-Signing Serial Numbers Cruncher


I know that BIND correctly changes the serial numbers of zones when inline signing and auto-dnssec are enabled. However, I got confused one more time as I looked at some of my SOA records. So, just for the record, here is an example of how the serial numbers increase while the admin has not changed anything manually in the zone files.

Following are three sections that each show the real zone file directly in the server directory (cat db.sshfp.net) as well as the SOA record as it is delivered by the authoritative DNS server (dig sshfp.net soa +multi @ns1.weberdns.de).

One more sentence about the inline signing process from BIND: “Inline signing works by taking the zone file you manually maintain, transforming it into a dynamic zone, and signing the dynamic zone. DNSSEC changes are made to the journal file. As a result of this, the serial number shown to the world can differ from the serial number in your file” (Michael W. Lucas).

Section One

This is the zone file which was not touched for several weeks. Note the serial of 2016090105:

weberjoh@jw-vm16-ns0:/etc/bind$ cat db.sshfp.net
;
; BIND data file for sshfp.net
;
$TTL 1d
@       IN      SOA     ns1.weberdns.de. webmaster.weberdns.de. (
                     2016090105         ; Serial
                             1h         ; Refresh
                            15m         ; Retry
                             4w         ; Expire
                             3m )       ; Negative Cache TTL
;

While the actual SOA record looked like this (serial 2016090133!):

weberjoh@jw-nb12-lx:~$ dig sshfp.net soa +multi

;; ANSWER SECTION:
sshfp.net.              86396 IN SOA ns1.weberdns.de. webmaster.weberdns.de. (
                                2016090133 ; serial
                                3600       ; refresh (1 hour)
                                900        ; retry (15 minutes)
                                2419200    ; expire (4 weeks)
                                180        ; minimum (3 minutes)
                                )


Section Two

After I increased the serial number by one (though it was not the correct date, but I wanted to test it this way),

weberjoh@jw-vm16-ns0:/etc/bind$ cat db.sshfp.net
;
; BIND data file for sshfp.net
;
$TTL 1d
@       IN      SOA     ns1.weberdns.de. webmaster.weberdns.de. (
                     2016090106         ; Serial
                             1h         ; Refresh
                            15m         ; Retry
                             4w         ; Expire
                             3m )       ; Negative Cache TTL
;

the actual SOA record was increased by one, too:

weberjoh@jw-nb12-lx:~$ dig sshfp.net soa +multi @ns1.weberdns.de

;; ANSWER SECTION:
sshfp.net.              86400 IN SOA ns1.weberdns.de. webmaster.weberdns.de. (
                                2016090134 ; serial
                                3600       ; refresh (1 hour)
                                900        ; retry (15 minutes)
                                2419200    ; expire (4 weeks)
                                180        ; minimum (3 minutes)
                                )


Section Three

Finally I changed something within the zone and set the serial number to the correct date and to a counter of 01. After a reload of the zone, the actual SOA record had exactly the same serial number since there was no automatic signing event in the meantime.

weberjoh@jw-vm16-ns0:/etc/bind$ cat db.sshfp.net
;
; BIND data file for sshfp.net
;
$TTL 1d
@       IN      SOA     ns1.weberdns.de. webmaster.weberdns.de. (
                     2016111501         ; Serial
                             1h         ; Refresh
                            15m         ; Retry
                             4w         ; Expire
                             3m )       ; Negative Cache TTL
;

weberjoh@jw-nb12-lx:~$ dig sshfp.net soa +multi @ns1.weberdns.de

;; ANSWER SECTION:
sshfp.net.              86400 IN SOA ns1.weberdns.de. webmaster.weberdns.de. (
                                2016111501 ; serial
                                3600       ; refresh (1 hour)
                                900        ; retry (15 minutes)
                                2419200    ; expire (4 weeks)
                                180        ; minimum (3 minutes)
                                )


That’s it. So don’t get confused by your own serial numbers. 😉
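To make the comparison above repeatable, here is a small check script. It is an added example, not code from this post or from BIND: it parses the SOA serial out of a zone file and out of dig output (both the +multi form shown above and the single-line form), compares them with RFC 1982 serial arithmetic so that the 32-bit wrap-around is handled, and models the behaviour the three sections show (served serial jumps to the file serial when the file serial is newer, otherwise it is just incremented). That model is inferred from the observations on this page and is stated in the code as an assumption. The embedded zone file and dig answer are constructed sample input copied from Section One, so the script runs offline; in practice you would feed it your own db file and the output of dig sshfp.net soa +multi @ns1.weberdns.de.

```python
"""Compare the SOA serial in an inline-signed BIND zone file with the serial
the authoritative server actually serves.

Added example; not code from the original post or from BIND.
"""
import re

# Constructed sample input: the zone file from Section One of the post.
ZONE_FILE = """\
;
; BIND data file for sshfp.net
;
$TTL 1d
@       IN      SOA     ns1.weberdns.de. webmaster.weberdns.de. (
                     2016090105         ; Serial
                             1h         ; Refresh
                            15m         ; Retry
                             4w         ; Expire
                             3m )       ; Negative Cache TTL
;
"""

# Constructed sample input: the dig answer from Section One of the post.
DIG_OUTPUT = """\
;; ANSWER SECTION:
sshfp.net.              86396 IN SOA ns1.weberdns.de. webmaster.weberdns.de. (
                                2016090133 ; serial
                                3600       ; refresh (1 hour)
                                900        ; retry (15 minutes)
                                2419200    ; expire (4 weeks)
                                180        ; minimum (3 minutes)
                                )
"""

SERIAL_MOD = 2 ** 32  # SOA serials are unsigned 32-bit (RFC 1982)

# SOA <mname> <rname> [(] <serial> ...  -- works for a multi-line zone file,
# for `dig +multi` output and for the single-line `dig` output.
_SOA_RE = re.compile(r"\bSOA\s+\S+\s+\S+\s*\(?\s*(\d+)")


def parse_soa_serial(text):
    """Return the serial field of the first SOA record found in text."""
    m = _SOA_RE.search(text)
    if not m:
        raise ValueError("no SOA record found")
    return int(m.group(1))


def serial_gt(a, b):
    """RFC 1982 comparison: True if serial a is newer than serial b."""
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    half = SERIAL_MOD // 2
    return (a < b and b - a > half) or (a > b and a - b < half)


def predict_signed_serial(new_file_serial, current_signed_serial):
    """Model (assumption inferred from the post's three sections) of what the
    served serial becomes after the unsigned zone file is reloaded:
    Section Three: file serial newer than served serial -> served = file.
    Section Two:   file serial not newer -> served serial is incremented."""
    if serial_gt(new_file_serial, current_signed_serial):
        return new_file_serial
    return (current_signed_serial + 1) % SERIAL_MOD


def check_zone(zone_text, dig_text):
    """Compare file serial and served serial. 'consistent' is False only when
    the served serial is older than the file serial, i.e. the reload/re-sign
    has not happened yet; the served serial being ahead is normal with
    inline signing."""
    file_serial = parse_soa_serial(zone_text)
    served_serial = parse_soa_serial(dig_text)
    return {
        "file_serial": file_serial,
        "served_serial": served_serial,
        "served_ahead_by": (served_serial - file_serial) % SERIAL_MOD,
        "consistent": not serial_gt(file_serial, served_serial),
    }


if __name__ == "__main__":
    result = check_zone(ZONE_FILE, DIG_OUTPUT)
    print(result)
    # What Section Two of the post observed after bumping the file serial by one.
    print("file serial 2016090106 would give served serial",
          predict_signed_serial(2016090106, result["served_serial"]))
```

The interesting output is the served_ahead_by value: a served serial that is ahead of the file serial is expected with inline signing and tells you how many re-signing events happened since you last touched the file, whereas consistent being False means the server still serves an older zone than the one on disk and the reload did not take effect.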

Featured image: “Serial number plate” by Kirill Ignatyev is licensed under CC BY-NC 2.0.
