[Freeipa-devel] DNS zone serial number updates [#2554]
Petr Spacek
pspacek at redhat.com
Tue Apr 17 15:49:36 UTC 2012
Hello,
there is IPA ticket #2554 "DNS zone serial number is not updated" [1],
which is required by the RFE "Support zone transfers in bind-dyndb-ldap" [2].
I think we need to discuss the next steps for this issue:

Basic support for zone transfers is already done in bind-dyndb-ldap. We
need the second part: correct behaviour during SOA serial number updates.
The bind-dyndb-ldap plugin handles dynamic updates in the correct way (each
update increments the serial #), so the biggest problem lies in IPA for now.

Modifying the SOA serial number can be pretty hard because of DS
replication. There are potential race conditions if records are
modified/added/deleted in two or more places, replication takes some
time (because of network latency/problems) and a zone transfer
is started in the meantime.

The question is: how consistent do we want to be? Can we accept these
absolutely improbable race conditions? It will probably be corrected by
the next SOA update = by (any) next record change. It won't affect normal
operations, only zone transfers.

(IMHO we should consider the DNS "nature": in general it is not strictly
consistent, because of massive caching at every level.)

If it's acceptable, we can suppress the explicit SOA serial number value in
LDAP and derive the actual value from the latest modifyTimestamp value of all
objects in the cn=dns subtree. This approach saves some hooks in IPA's LDAP
update code and will avoid problems with manual modifications.

A persistent search will (probably) be required for an effective implementation.
I think it's not a problem, because DNSSEC will require (with very high
probability) a persistent search for generating NSEC/NSEC3 records.
[1] https://fedorahosted.org/freeipa/ticket/2554
[2] https://bugzilla.redhat.com/show_bug.cgi?id=766233
Please, post your opinions about DNS consistency strictness.
Petr^2 Spacek
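The derivation proposed in the post (serial taken from the newest modifyTimestamp in the cn=dns subtree) and the replication race it describes, as an added Python example that is not from the thread, from IPA or from bind-dyndb-ldap. The entry DNs and timestamps are constructed, encoding the serial as Unix seconds modulo 2^32 is an assumption the post does not specify, and the secondary's "is the primary newer?" check uses RFC 1982 serial arithmetic.

```python
from datetime import datetime, timezone

SERIAL_BITS = 32
SERIAL_HALF = 1 << (SERIAL_BITS - 1)


def parse_generalized_time(ts: str) -> datetime:
    """Parse an LDAP GeneralizedTime such as '20120417154936Z' (UTC, whole seconds)."""
    return datetime.strptime(ts, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def derive_serial(entries) -> int:
    """SOA serial = newest modifyTimestamp in the subtree, as Unix seconds mod 2^32.
    (Encoding is an assumption; the post only says 'derive from modifyTimestamp'.)"""
    latest = max(parse_generalized_time(e["modifyTimestamp"]) for e in entries)
    return int(latest.timestamp()) % (1 << SERIAL_BITS)


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: True if a is 'newer' than b, wrap-around aware."""
    if a == b:
        return False
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def secondary_needs_axfr(secondary_serial: int, primary_serial: int) -> bool:
    """What a secondary decides after a SOA query: transfer only if the primary is newer."""
    return serial_gt(primary_serial, secondary_serial)


# Constructed entries standing in for the cn=dns subtree as replica A sees it.
ZONE_ENTRIES = [
    {"dn": "idnsname=example.test,cn=dns,dc=example,dc=test", "modifyTimestamp": "20120417150000Z"},
    {"dn": "idnsname=www,idnsname=example.test,cn=dns,dc=example,dc=test", "modifyTimestamp": "20120417154936Z"},
]
# A record changed on replica B that has not yet replicated to replica A (constructed).
LATE_ENTRY = {"dn": "idnsname=mail,idnsname=example.test,cn=dns,dc=example,dc=test", "modifyTimestamp": "20120417155010Z"}


def race_scenario():
    """Serial replica A hands out before and after the late change replicates in.
    A secondary that transferred at 'before' sees a newer serial at 'after' and refreshes,
    which is the self-correction the post relies on."""
    before = derive_serial(ZONE_ENTRIES)
    after = derive_serial(ZONE_ENTRIES + [LATE_ENTRY])
    return before, after


if __name__ == "__main__":
    before, after = race_scenario()
    print(before, after, secondary_needs_axfr(before, after))
```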