Moving to a better DNS serial numbering scheme

The serial is used by slaves to determine whether the zonefile they have is the same revision that the master holds. When the master's serial is incremented, they know that they have to AXFR a new copy. The only harm will come from decrementing because the slaves will think they have a later revision than the master is holding.

There are two solutions to this. The simplest is to decrement your master, remove copies from the slaves and then have them reload. However this won't work if you're not in full control of the slaves. In which case a solution is provided in the Reference Manual.

Add 2147483647 (2^31-1) to the number, reload the zone and make sure all slaves have updated to the new zone serial number, then reset the number to what you want it to be, and reload the zone again.

Just of note, it's best to use the last two digits of the serial to store a revision, rather than seconds. ie YYYYMMDDRR. This allows to you make multiple updates within the same day.

I've used some "magic" DNS serial number arithmetic to move back to the more regular YYYYMMDDSS scheme, I did however have the safety net of beeing able to go and manually force slaves into submission and flush caches if need be.

RFC 1982 defines a maximum increment of 2147483647 (2^31 - 1) and the DNS & Bind Cookbook has a recipe for resetting the serial in this way. Basically add max increment to your current serial, reload your zone, wait for slaves to pick up the change, change serial to something you want and reload your zone again.

Incrementing is safe, as x > y is the test, however to decrement you often need control of all slaves to force them to load (what they think of as) an old zone.

It depends on the slaves, but for Bind the easiest way is to stop, rm the slave file and start. You can force a reload via RNDC if you want to learn that.