[dns-operations] BIND, Knot and NSD behaviour when serial number goes backwards

Paul Vixie paul at redbarn.org
Mon Feb 20 16:43:51 UTC 2017

Shane Kerr wrote:
> ... not all servers use TSIG to
> secure NOTIFY (indeed I vaguely remember BIND 9 not supporting TSIG on
> NOTIFY packets, although I see ways to configure it in the BIND 9 ARM
> now). So while the serial version in a NOTIFY packet might be a
> helpful hint, ...

there is no need for tsig in notify.

signed or not it's only a hint. an SOA query still has to be made.

the serial# in a NOTIFY will often be out of date by the time an IXFR
can start.

P Vixie

More information about the dns-operations mailing list