Hello,
Is the SOA generation algorithm for zones documented anywhere, or does anyone by chance know what it is?
We have a cluster of 8 nodes and the SOA is different on some IPAs in some zones (with a huge amount of changes). But if I make a change I actually see it on a different IPA.
Also, restarting IPA increases the SOA by 1.
We wanted to rely on the SOA for our DNS consistency check, but it seems like it's not a working idea, or is it?
On Wed, 29 May 2019, Andrey Bondarenko via FreeIPA-users wrote:
If you are not using slave DNS masters on separate servers, then each IPA master with DNS becomes its own authoritative master and has its own (so-called 'locally significant') SOA value. This is the default in IPA DNS deployment.
From bind-dyndb-ldap's README.md:
* idnsSOAserial
SOA serial number. It is automatically incremented after each change in LDAP. External changes done by other LDAP clients are detected via RFC 4533 (so-called syncrepl).
If serial number is lower than current UNIX timestamp, then it is set to the timestamp value. If SOA serial is greater or equal to current timestamp, then the serial is incremented by one. (This is equivalent to BIND option 'serial-update-method unix'.)
In multi-master LDAP environments it is recommended to make idnsSOAserial attribute non-replicated (locally significant). It is recommended not to use multiple masters for single slave zone if SOA serial is locally significant because serial numbers between masters aren't synchronized. It will cause problems with zone transfers from multiple masters to single slave.
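The update rule quoted from the README, turned into a small simulation (an added example, not code from bind-dyndb-ldap or FreeIPA; the master names, base timestamp and change times are constructed): two masters that replay the same replicated changes at slightly different wall-clock times end with different locally significant serials, which is why the serial alone cannot serve as a cross-master consistency check.

```python
"""Model of the idnsSOAserial update rule: if the stored serial is below the
current UNIX time it jumps to the time, otherwise it is incremented by one
(BIND 'serial-update-method unix').  Illustration only, not project code."""


def next_serial(current: int, now: int) -> int:
    """Return the new SOA serial after one LDAP change seen at UNIX time `now`."""
    if current < now:
        return now                   # behind the clock: catch up to it
    # at or ahead of the clock: plain increment; the SOA serial is a 32-bit
    # field, so wrap-around is modelled here (assumption, not from the README)
    return (current + 1) % 2**32


def replay(change_times, start_serial: int = 0) -> int:
    """Apply a sequence of change timestamps to one master's non-replicated
    serial and return the final value."""
    serial = start_serial
    for ts in change_times:
        serial = next_serial(serial, ts)
    return serial


def compare_masters(per_master_changes: dict) -> dict:
    """per_master_changes maps master name -> timestamps at which that master
    observed a zone change.  Returns master name -> final serial.  Each master
    starts from its own locally significant serial and sees replicated changes
    at its own wall-clock time, so the values diverge even though the zone
    content is identical on both."""
    return {name: replay(times) for name, times in per_master_changes.items()}


# Constructed scenario: three changes reach master B one second after master A
# (replication lag), then a burst of five changes lands within a single second.
# A burst pushes the serial ahead of the clock, one increment per change.
T0 = 1_559_130_000  # constructed base timestamp (2019-05-29 UTC)
SCENARIO = {
    "ipa-a": [T0, T0 + 2, T0 + 5] + [T0 + 10] * 5,
    "ipa-b": [T0 + 1, T0 + 3, T0 + 6] + [T0 + 11] * 5,
}

if __name__ == "__main__":
    for master, serial in compare_masters(SCENARIO).items():
        print(f"{master}: SOA serial {serial}")
```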
T
On Wed, May 29, 2019 at 1:43 PM Alexander Bokovoy abokovoy@redhat.com wrote:
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
Thanks a lot!
On Wed, May 29, 2019 at 4:06 PM Andrey Bondarenko me@andreybondarenko.com wrote:
T
--
With best regards,
Andrey Bondarenko
mail: me@andreybondarenko.com
https://andreybondarenko.com
skype: andrey.bondarenko
phone, Telegram, WhatsApp, etc: +420-773-591-443
7758 40AC 88CC 96C9 0C9A 9EE4 3B72 547B 7538 D41B
freeipa-users@lists.fedorahosted.org