On Wed, 29 May 2019, Andrey Bondarenko via FreeIPA-users wrote:
Hello,
Is the SOA generation algorithm for zones documented anywhere or anyone by
chance knows what it is?
We have a cluster of 8 nodes and the SOA is different on some IPAs in some zones
(with a huge amount of changes). But if I make a change I actually see it on a
different IPA.
Also, restarting IPA increases the SOA by 1.
We wanted to rely on the SOA for our DNS consistency check but it seems like it's
not a working idea, or is it?
If you are not using slave DNS masters on separate servers, then each
IPA master with DNS becomes its own authoritative master and has its own
(so-called 'locally significant') SOA value. This is the default in IPA DNS
deployment.
From bind-dyndb-ldap's README.md:
* idnsSOAserial
SOA serial number. It is automatically incremented after each change
in LDAP. External changes done by other LDAP clients are detected via
RFC 4533 (so-called syncrepl).
If serial number is lower than current UNIX timestamp, then
it is set to the timestamp value. If SOA serial is greater or equal
to current timestamp, then the serial is incremented by one.
(This is equivalent to BIND option 'serial-update-method unix'.)
In multi-master LDAP environments it is recommended to make
idnsSOAserial attribute non-replicated (locally significant).
It is recommended not to use multiple masters for a single slave zone
if SOA serial is locally significant because serial numbers between
masters aren't synchronized. It will cause problems with zone
transfers from multiple masters to a single slave.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
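The serial rule quoted from the bind-dyndb-ldap README above (jump to the UNIX timestamp when the serial is behind it, otherwise add one) is small enough to model directly, and doing so shows why a cross-master serial comparison does not work when each master keeps a locally significant serial. The following is an added illustration written for this thread; it is not code from bind-dyndb-ldap or FreeIPA. The clock value is injected rather than read from `time.time()` so the run is deterministic, the timestamp `1559120000` is a constructed value in late May 2019, and the restart behaviour (one extra increment on the restarted master, as reported in the question) is modelled as an assumption for the simulation, not something the README states.

```python
"""Model of bind-dyndb-ldap's idnsSOAserial update rule, equivalent to
BIND's 'serial-update-method unix' (as quoted from the README above).

Added example for this thread; not code from bind-dyndb-ldap or FreeIPA.
"""


def next_serial(current: int, now: int) -> int:
    """Return the SOA serial after one change in LDAP.

    README rule: if the serial is lower than the current UNIX timestamp,
    set it to the timestamp; if it is greater or equal, increment by one.
    """
    if current < now:
        return now
    return current + 1


class LocalZone:
    """A zone on one IPA master whose idnsSOAserial is locally significant
    (not replicated), so every master evolves its serial independently."""

    def __init__(self, master: str, serial: int = 0) -> None:
        self.master = master
        self.serial = serial

    def apply_change(self, now: int) -> int:
        """A change in LDAP (local or seen via syncrepl) bumps the serial."""
        self.serial = next_serial(self.serial, now)
        return self.serial

    def restart(self, now: int) -> int:
        """The question reports that restarting IPA raises the serial by 1.
        Modelled here as one extra change event (assumption, not README text)."""
        return self.apply_change(now)


def simulate_divergence(now: int, changes: int,
                        restarts_a: int, restarts_b: int) -> dict:
    """Two masters see the same `changes` LDAP updates (all within one
    second, so the serial climbs past the timestamp), then each master is
    restarted a different number of times. Returns both serials and
    whether a naive 'serials must match' check would pass."""
    a = LocalZone("ipa1")
    b = LocalZone("ipa2")
    for _ in range(changes):
        a.apply_change(now)   # both masters detect the change via syncrepl
        b.apply_change(now)
    for _ in range(restarts_a):
        a.restart(now)
    for _ in range(restarts_b):
        b.restart(now)
    return {
        "ipa1": a.serial,
        "ipa2": b.serial,
        # False even though both masters hold identical zone data
        "serials_match": a.serial == b.serial,
    }


if __name__ == "__main__":
    NOW = 1559120000  # constructed UNIX timestamp (late May 2019)
    print("single change from fresh zone:", next_serial(0, NOW))
    print("change within same second:   ", next_serial(NOW, NOW))
    print("change after serial ran ahead, clock catches up:",
          next_serial(NOW + 4, NOW + 10))
    print(simulate_divergence(NOW, changes=3, restarts_a=2, restarts_b=0))
```

The last line of output is the point of the thread: after the same three changes, `ipa1` (restarted twice) reports a serial two higher than `ipa2`, so the two masters disagree on the serial while holding the same records. A consistency check has to compare the zone contents themselves (or use a separate non-IPA slave that receives transfers from one master only, as the README recommends), not the locally significant serial.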