[conspire] AWS & DNS SOA serial numbers

Michael Paoli Michael.Paoli at cal.berkeley.edu
Mon Oct 10 20:25:00 PDT 2016


So,

I've noticed AWS is a bit funky with DNS SOA serial numbers.

They start off with 1 - okay, no big detail (but as others have pointed
out, rather inconvenient and potentially problematic to not be able to
start at a different initial serial number).

Then, when DNS data in the zone is changed, ... uhm, yeah, AWS doesn't
update the SOA serial number.  I've noticed this for a while.  Finally
checked into it a bit further, and found:
https://forums.aws.amazon.com/message.jspa?messageID=221157

So ... kind'a funky & different?  Definitely.
Technically (in)correct?  Not fully sure, I might have to recheck some
RFCs to definitively answer that.

Violates principle of least surprise?  Oh, most definitely.

One generally expects, when *any* DNS data for a zone changes, the SOA
serial number should change - and be "incremented" (per the relevant RFC
logic on that).  There are various schemes that can be used, but all the
common ones allow up to 100 changes per day, and some up to one per
second or more.

So, yes, most are expecting, if DNS data in zone changes, that SOA
serial number will change, and that failure to do so is an "error".
Is it technically, if there are no slaves to pull the zone?
Regardless, definitely violates principle of least surprise.
I can't think of any other example of DNS servers that change their
zone data without updating SOA serial number ... other than when it's
a mistake/oversight.

There is a difference between what technical standards allow, and what
one should do and not do.  Just because it is or may be technically
permissible, doesn't mean it ought to be done.

So ... bit curious what folks think about the AWS DNS SOA serial number
situation.
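To make the expectation in the post concrete, here is an added example (not code from the original post or from AWS) that audits two snapshots of a zone and flags exactly the case described above: record data changed while the SOA serial stayed the same. It also shows the two serial schemes the post alludes to, the date-based YYYYMMDDnn form (up to 100 changes per day) and the Unix-time form (one per second), and the RFC 1982 serial-arithmetic comparison a secondary uses to decide whether a new serial is "greater". The zone name `example.test.`, the snapshot layout, and all record values are constructed sample data.

```python
"""Added example (not from the original post): detect zone changes that were
not accompanied by an SOA serial bump, plus helper routines for two common
serial schemes. Snapshots below are constructed sample data."""
import hashlib
from datetime import date, datetime, timezone

SERIAL_MOD = 2 ** 32  # SOA serial is a 32-bit unsigned integer


def rfc1982_gt(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: True if a is 'greater than' b in the
    32-bit wrapping serial space (what a secondary checks before an AXFR)."""
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    if a == b:
        return False
    half = SERIAL_MOD // 2
    return (a < b and b - a > half) or (a > b and a - b < half)


def next_date_serial(current: int, today: date) -> int:
    """YYYYMMDDnn scheme: first change of the day gets YYYYMMDD00, later
    changes bump nn. If the counter is exhausted (or the stored serial is
    somehow ahead of today's base), fall back to a plain +1 so the serial
    never goes backwards."""
    base = int(today.strftime("%Y%m%d")) * 100
    return max(base, current + 1) % SERIAL_MOD


def next_unix_serial(current: int, now: datetime) -> int:
    """Unix-time scheme: roughly one change per second, but still strictly
    greater than the previous serial even if the clock did not advance."""
    return max(int(now.timestamp()), current + 1) % SERIAL_MOD


def zone_fingerprint(records) -> str:
    """Order-independent hash of all non-SOA records, so that reordering
    the zone file is not mistaken for a data change."""
    canon = sorted(" ".join(map(str, r)) for r in records if r[1] != "SOA")
    return hashlib.sha256("\n".join(canon).encode()).hexdigest()


def audit_zone(prev: dict, curr: dict) -> str:
    """Compare two snapshots of the form {'serial': int, 'records': [...]}
    and classify what happened to the serial relative to the data."""
    data_changed = zone_fingerprint(prev["records"]) != zone_fingerprint(curr["records"])
    serial_changed = curr["serial"] != prev["serial"]
    if data_changed and not serial_changed:
        # The behaviour the post describes: secondaries would never notice.
        return "DATA_CHANGED_SERIAL_UNCHANGED"
    if serial_changed and not rfc1982_gt(curr["serial"], prev["serial"]):
        # Secondaries treat this as 'not newer' and keep their stale copy.
        return "SERIAL_WENT_BACKWARDS"
    return "OK_CHANGED" if data_changed else "OK_UNCHANGED"


# Constructed snapshots: (owner, type, ttl, rdata). SOA kept out of the
# record list; its serial is tracked in the 'serial' field instead.
SNAP_BEFORE = {"serial": 1, "records": [
    ("example.test.", "NS", 172800, "ns1.example.test."),
    ("www.example.test.", "A", 300, "192.0.2.10"),
]}
# Data edited, serial left at 1 (the surprising case).
SNAP_AFTER_NO_BUMP = {"serial": 1, "records": [
    ("example.test.", "NS", 172800, "ns1.example.test."),
    ("www.example.test.", "A", 300, "192.0.2.11"),
]}
# Same edit, serial bumped with the YYYYMMDDnn scheme.
SNAP_AFTER_BUMPED = {"serial": next_date_serial(1, date(2016, 10, 10)),
                     "records": SNAP_AFTER_NO_BUMP["records"]}

if __name__ == "__main__":
    print(audit_zone(SNAP_BEFORE, SNAP_AFTER_NO_BUMP))  # DATA_CHANGED_SERIAL_UNCHANGED
    print(audit_zone(SNAP_BEFORE, SNAP_AFTER_BUMPED))   # OK_CHANGED
```

Run periodically against zone dumps from your provider's API or an AXFR and alert on `DATA_CHANGED_SERIAL_UNCHANGED` or `SERIAL_WENT_BACKWARDS`; the fingerprint deliberately ignores the SOA itself so that a serial-only bump is reported as `OK_UNCHANGED` rather than as a data change.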
