Open
Labels: bug (Something isn't working)
Description
When serial-policy = "keep" is enabled for the policy, Cascaded can go into error when the reload command is run without changing the SOA.
Success case:
- update the SOA in the zone file,
- run "cascade zone reload $zone"
- zone updated properly.
Failed case:
- run "cascade zone reload $zone" without updating the SOA
- zone "locked" with error and cannot be updated again unless cascaded is restarted
Expected behavior:
Cascaded should be able to reload the zone again once the SOA number is updated properly, and the http-remote control should still accept the reload command.
Log:
```
root@CIRA-20240001:/var/lib/cascade/zone-state# cascade zone status example.test
Status report for zone 'example.test' using policy 'ecdsa-policy'
✔ Waited for a new version of the example.test zone
✔ Loaded version 6
Loaded at 2026-02-23T10:47:45 (3s ago)
Loaded 170 B and 3 records from the filesystem in 0 seconds
✔ Auto approving signing of version 6, no checks enabled in policy.
✔ Approval received to sign version 6, signing requested
✔ Signed version 6 as version 6
Signing requested at 2026-02-23T10:47:45 (3s ago)
Signing started at 2026-02-23T10:47:45 (3s ago)
Signing finished at 2026-02-23T10:47:45 (3s ago)
Collected 3 records in 0s, sorted in 0s
Generated 3 NSEC(3) records in 0s
Generated 6 signatures in 0s (6 sig/s)
Inserted signatures in 0s (6 sig/s)
Took 0s in total, using 2 threads
Current action: Finished
✔ Auto approving publication of version 6, no checks enabled in policy.
✔ Published version 6
Published zone available on 127.0.0.1:4543
root@CIRA-20240001:/var/lib/cascade/zone-state# cascade zone reload example.test
Success: Sent zone reload command for example.test
root@CIRA-20240001:/var/lib/cascade/zone-state# cascade zone status example.test
Status report for zone 'example.test' using policy 'ecdsa-policy'
✔ Waited for a new version of the example.test zone
✔ Loaded version 6
Loaded at 2026-02-23T10:47:50 (2s ago)
Loaded 170 B and 3 records from the filesystem in 0 seconds
✔ Auto approving signing of version 6, no checks enabled in policy.
✔ Approval received to sign version 6, signing requested
✔ Signed version 6 as version 6
Signing requested at 2026-02-23T10:47:50 (8s ago)
Signing started at 2026-02-23T10:47:50 (8s ago)
Signing finished at 2026-02-23T10:47:50 (8s ago)
Collected 3 records in 0s, sorted in 0s
Generated 3 NSEC(3) records in 0s
Generated 6 signatures in 0s (6 sig/s)
Inserted signatures in 0s (6 sig/s)
Took 0s in total, using 2 threads
Current action: Finished
✔ Auto approving publication of version 6, no checks enabled in policy.
✔ Published version 6
Published zone available on 127.0.0.1:4543
**x The pipeline for this zone is hard halted due to a serious error:
x Serial policy is Keep but upstream serial did not increase**
root@CIRA-20240001:/var/lib/cascade/zone-state# cascade zone reload example.test
2026-02-23T15:48:08.074451Z ERROR cascade: Error: Failed to reload zone: the zone has been halted (reason: Serial policy is Keep but upstream serial did not increase)
```
Our example policy file:
```
root@CIRA-20240001:/var/lib/cascade/zone-state# cat /etc/cascade/policies/ecdsa-policy.toml
version = "v1"
[key-manager.generation]
# Use the existing SoftHSM-backed KMIP server
hsm-server-id = "kmip2pkcs11"
# ECDSA P-256
algorithm = "ECDSAP256SHA256"
[signer]
signature-inception-offset = "1d"
signature-lifetime = "2w"
signature-remain-time = "1w"
serial-policy = "keep"
[signer.denial]
type = "nsec3"
# NSEC3 parameters
# THIS enables opt-out
opt-out = true
```
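
An operator-side guard for the failed case above, as an added example that is not part of the original issue or of Cascade: it reads the SOA serial from the zone file and reports a reload as safe only when that serial is ahead of the one currently published. The function names, the constructed sample zone, and the use of RFC 1982 serial arithmetic to decide "increase" are assumptions.

```python
"""Pre-reload guard for a zone signed with serial-policy = "keep" (added example)."""

# Constructed sample zone; serial 6 is chosen to mirror "version 6" in the log.
SAMPLE_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@ IN SOA ns1.example.test. hostmaster.example.test. (
        6       ; serial
        7200    ; refresh
        3600    ; retry
        1209600 ; expire
        3600 )  ; negative TTL
@ IN NS ns1.example.test.
ns1 IN A 192.0.2.53
"""


def soa_serial(zone_text):
    """Return the serial of the first SOA record in master-file text."""
    lines = []
    for line in zone_text.splitlines():
        kept, in_quote = [], False
        for ch in line:
            if ch == '"':
                in_quote = not in_quote
            elif ch == ";" and not in_quote:
                break  # rest of the line is a comment
            kept.append(ch)
        lines.append("".join(kept))
    # Parentheses only group a record across lines, so drop them.
    tokens = " ".join(lines).replace("(", " ").replace(")", " ").split()
    for i, tok in enumerate(tokens):
        if tok.upper() == "SOA" and i + 3 < len(tokens) and tokens[i + 3].isdigit():
            return int(tokens[i + 3])  # fields after SOA: MNAME RNAME SERIAL
    raise ValueError("no SOA serial found in zone text")


def serial_gt(new, old):
    """RFC 1982 comparison of 32-bit serials (assumed): True if new is ahead of old."""
    diff = (new - old) % 2**32
    return 0 < diff < 2**31


def safe_to_reload(zone_text, published_serial):
    """True only if the file's serial is ahead of the published one."""
    return serial_gt(soa_serial(zone_text), published_serial)
```

Take `published_serial` from the published copy of the zone (the log shows it served on 127.0.0.1:4543) and skip `cascade zone reload` when `safe_to_reload` returns False.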