On Wed, May 29, 2019 at 1:43 PM Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Wed, 29 May 2019, Andrey Bondarenko via FreeIPA-users wrote:
>Hello,
>
>Is the SOA generation algorithm for zones documented anywhere, or does anyone
>by chance know what it is?
>
>We have a cluster of 8 nodes and the SOA is different on some IPAs in some zones
>(with a huge amount of changes). But if I make a change I actually see it on
>a different IPA.
>
>Also, restarting IPA increases SOA by 1.
>
>We wanted to rely on SOA for our DNS consistency check but it seems like it's
>not a working idea, or is it?
If you are not using slave DNS masters on separate servers, then each
IPA master with DNS becomes its own authoritative master and has its own
(so-called 'locally significant') SOA value. This is the default in IPA DNS
deployment.

From bind-dyndb-ldap's README.md:

* idnsSOAserial
    SOA serial number. It is automatically incremented after each change
    in LDAP. External changes done by other LDAP clients are detected via
    RFC 4533 (so-called syncrepl).

    If serial number is lower than current UNIX timestamp, then
    it is set to the timestamp value. If SOA serial is greater or equal
    to current timestamp, then the serial is incremented by one.
    (This is equivalent to BIND option 'serial-update-method unix'.)

    In multi-master LDAP environments it is recommended to make
    idnsSOAserial attribute non-replicated (locally significant).

    It is recommended not to use multiple masters for single slave zone
    if SOA serial is locally significant because serial numbers between
    masters aren't synchronized. It will cause problems with zone
    transfers from multiple masters to single slave.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
With best regards, Andrey Bondarenko
mail:me@andreybondarenko.com https://andreybondarenko.com skype:andrey.bondarenko
phone, Telegram, WhatsApp, etc:+420-773-591-443
7758 40AC 88CC 96C9 0C9A 9EE4 3B72 547B 7538 D41B
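
The serial rule quoted from the README above, as an added example (not code from bind-dyndb-ldap or FreeIPA): a Python model of two masters that see the same changes at different times, showing why locally significant serials diverge while the zone data stays identical. The `Master` class, the `replicate` helper, the replication lag and the sample records are assumptions made for illustration; comparing a digest of the records instead of the serial is one possible consistency check, not something the thread prescribes.

```python
import hashlib

def next_serial(current, now):
    """README rule: below the UNIX time -> set to it; otherwise increment by one."""
    return now if current < now else current + 1

class Master:
    """Hypothetical model of one DNS master with a non-replicated SOA serial."""
    def __init__(self, name):
        self.name, self.serial, self.records = name, 0, {}

    def apply(self, now, owner, rdata):
        """A record change seen at UNIX time `now`, local or arriving via syncrepl."""
        self.records[owner] = rdata
        self.serial = next_serial(self.serial, now)

    def digest(self):
        """Hash of the zone data without the serial, comparable across masters."""
        canon = "\n".join(f"{o} {r}" for o, r in sorted(self.records.items()))
        return hashlib.sha256(canon.encode()).hexdigest()

def replicate(changes, lag):
    """Apply changes on master 'a'; master 'b' sees each one `lag` seconds later."""
    a, b = Master("a"), Master("b")
    for now, owner, rdata in changes:
        a.apply(now, owner, rdata)
        b.apply(now + lag, owner, rdata)
    return a, b

# Constructed sample: three changes in the same second, then one a minute later.
CHANGES = [
    (1559130000, "www", "A 192.0.2.10"),
    (1559130000, "mail", "A 192.0.2.20"),
    (1559130000, "ns1", "A 192.0.2.53"),
    (1559130060, "www", "A 192.0.2.11"),
]

if __name__ == "__main__":
    a, b = replicate(CHANGES, lag=2)
    print("serials:", a.serial, b.serial)
    print("serials match:", a.serial == b.serial)
    print("zone data match:", a.digest() == b.digest())
```
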