
On Wed, May 29, 2019 at 1:43 PM Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Wed, 29 May 2019, Andrey Bondarenko via FreeIPA-users wrote:
>Hello,
>
>Is the SOA generation algorithm for zones documented anywhere, or does anyone by
>chance know what it is?
>
>We have a cluster of 8 nodes and SOA is different on some IPAs in some zones
>(with a huge amount of changes). But if I make a change I actually see it on
>a different IPA.
>
>Also, restarting IPA increases SOA by 1.
>
>We wanted to rely on SOA for our DNS consistency check but it seems like it's
>not a working idea, or is it?
If you are not using slave DNS masters on separate servers, then each
IPA master with DNS becomes its own authoritative master and has its own
(so-called 'locally significant') SOA value. This is the default in IPA DNS
deployment.

From bind-dyndb-ldap's README.md:

* idnsSOAserial

        SOA serial number. It is automatically incremented after each change
        in LDAP. External changes done by other LDAP clients are detected via
        RFC 4533 (so-called syncrepl).

        If serial number is lower than current UNIX timestamp, then
        it is set to the timestamp value. If SOA serial is greater or equal
        to current timestamp, then the serial is incremented by one.
        (This is equivalent to BIND option 'serial-update-method unix'.)

        In multi-master LDAP environments it is recommended to make
        idnsSOAserial attribute non-replicated (locally significant).
        It is recommended not to use multiple masters for single slave zone
        if SOA serial is locally significant because serial numbers between
        masters aren't synchronized. It will cause problems with zone
        transfers from multiple masters to single slave.




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


--

With best regards,
Andrey Bondarenko
mail:me@andreybondarenko.com
https://andreybondarenko.com
skype:andrey.bondarenko
phone, Telegram, WhatsApp, etc:+420-773-591-443

7758 40AC 88CC 96C9 0C9A 9EE4 3B72 547B 7538 D41B
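
The serial rule from the README quoted above, and what it does to a serial-based consistency check, as an added example that is not part of the original thread or of bind-dyndb-ldap. Two masters (hypothetical names ipa1 and ipa2) see the same constructed changes at different times, so their serials differ while a digest of the record sets matches; the `Master` class, `zone_digest` and all sample values are assumptions made for illustration.

```python
import hashlib

def next_serial(current, now):
    # README rule: a serial below the current UNIX timestamp is set to the
    # timestamp; a serial at or above it is incremented by one.
    return now if current < now else current + 1

class Master:
    """Model of one DNS master whose SOA serial is locally significant."""
    def __init__(self, name):
        self.name, self.serial, self.records = name, 0, set()

    def apply(self, record, now):
        # Each change detected in LDAP bumps only this master's own serial.
        self.records.add(record)
        self.serial = next_serial(self.serial, now)

def zone_digest(records):
    # Hash the sorted record set, skipping SOA so the serial cannot affect it.
    h = hashlib.sha256()
    for name, rtype, rdata in sorted(records):
        if rtype != "SOA":
            h.update(f"{name.lower()}\t{rtype}\t{rdata}\n".encode())
    return h.hexdigest()

def compare(masters):
    serials = {m.name: m.serial for m in masters}
    digests = {zone_digest(m.records) for m in masters}
    return {"serials_equal": len(set(serials.values())) == 1,
            "content_equal": len(digests) == 1,
            "serials": serials}

# Constructed sample data (documentation address range, made-up names).
CHANGES = [
    ("www.example.test.", "A", "192.0.2.10"),
    ("mail.example.test.", "A", "192.0.2.20"),
    ("example.test.", "MX", "10 mail.example.test."),
]
T0 = 1559130000  # constructed UNIX timestamp

def demo():
    a, b = Master("ipa1"), Master("ipa2")
    for rec in CHANGES:
        a.apply(rec, T0)            # all three changes land in one second
    for delay, rec in enumerate(CHANGES, start=2):
        b.apply(rec, T0 + delay)    # same changes arrive later via replication
    return compare([a, b])

if __name__ == "__main__":
    print(demo())
```

In a real check the record sets would come from each master's own copy of the zone; how they are fetched is outside this sketch.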