From aa604bda9ac727af37e41f2a48d4ac7b1d2cf398 Mon Sep 17 00:00:00 2001
From: Berwn
Date: Tue, 16 Jun 2026 18:59:45 +0700
Subject: [PATCH] Switch ns1 zone serial-policy to unixtime

dateserial (YYYYMMDDnn) only has a 2-digit same-day counter held in Knot's journal; a journal reset restarted the counter and let ns1 mint a serial ns2 had already seen with older content, so ns2 never retransferred. unixtime is strictly monotonic per reload, eliminating the shared-serial collision.

---
 machines/ns1/configuration.nix | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/machines/ns1/configuration.nix b/machines/ns1/configuration.nix
index a304ceb..82b2a5d 100644
--- a/machines/ns1/configuration.nix
+++ b/machines/ns1/configuration.nix
@@ -65,15 +65,17 @@ in
 # ns1 = primary (master): loads each zone from its file and serves it to ns2.
 # zonefile-load = difference-no-serial lets us edit records without touching the
- # SOA serial; Knot diffs the file, assigns a date-based serial, signs the zone,
- # then notifies ns2 and lets it pull the signed zone via AXFR/IXFR.
+ # SOA serial; Knot diffs the file, assigns a unixtime serial, signs the zone,
+ # then notifies ns2 and lets it pull the signed zone via AXFR/IXFR. unixtime is
+ # strictly monotonic per reload, so two zone versions can never share a serial
+ # (the failure mode dateserial's 2-digit daily counter allowed after a journal reset).
 services.knot.settings.zone = map (d: {
 domain = d;
 file = ../../modules/dns/zones + "/${d}.zone";
 "zonefile-load" = "difference-no-serial";
 "zonefile-sync" = "-1";
 "journal-content" = "all"; # required by difference-no-serial; holds the live signed zone
- "serial-policy" = "dateserial";
+ "serial-policy" = "unixtime";
 "dnssec-signing" = true;
 "dnssec-policy" = "cnx";
 notify = [ "ns2" ];