[Freeipa-devel] DNS zone serial number updates [#2554]

Petr Spacek pspacek at redhat.com
Tue Apr 17 15:49:36 UTC 2012


Hello,

There is IPA ticket #2554 "DNS zone serial number is not updated" [1], 
which is required by the RFE "Support zone transfers in bind-dyndb-ldap" [2].

I think we need to discuss next steps with this issue:

Basic support for zone transfers is already done in bind-dyndb-ldap. We 
need the second part: correct behaviour during SOA serial number updates.

The bind-dyndb-ldap plugin handles dynamic updates in the correct way (each 
update increments the serial #), so the biggest problem lies in IPA for now.

Modifying the SOA serial number can be pretty hard because of DS 
replication. There are potential race conditions if records are 
modified/added/deleted in two or more places, replication takes some 
time (because of network connection latency/problems) and a zone transfer 
is started in the meanwhile.

The question is: how consistent do we want to be? Can we accept these 
absolutely improbable race conditions? It will probably be corrected by 
the next SOA update = by (any) next record change. It won't affect normal 
operations, only zone transfers.
(IMHO we should consider the DNS "nature": in general it is not strictly 
consistent, because of massive caching at every level.)

If it's acceptable, we can suppress the explicit SOA serial number value in 
LDAP and derive the actual value from the latest modifyTimestamp value of all 
objects in the cn=dns subtree. This approach saves some hooks in IPA's LDAP 
update code and will avoid problems with manual modifications.

Persistent search will (probably) be required for an effective implementation.
I think it's not a problem, because DNSSEC will require (with very high 
probability) persistent search for generating NSEC/NSEC3 records.

[1] https://fedorahosted.org/freeipa/ticket/2554

[2] https://bugzilla.redhat.com/show_bug.cgi?id=766233


Please post your opinions about DNS consistency strictness.

Petr^2 Spacek
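
As an added illustration of the "derive the serial from the latest 
modifyTimestamp" idea in the post (this is example code, not code from 
FreeIPA or bind-dyndb-ldap), the Python below takes constructed cn=dns 
subtree search results, encodes the newest modifyTimestamp as a 32-bit 
serial (Unix time of that change, an assumed encoding), compares serials 
the way a secondary decides whether to transfer (RFC 1982 serial 
arithmetic), and walks through the replication-lag race described above 
plus the one edge case the maximum-timestamp approach has on its own: 
deleting the newest record. The DNs, timestamps and the encoding are 
assumptions.

```python
"""Deriving a SOA serial from modifyTimestamp (added example, not FreeIPA code).

The subtree search results below are constructed; encoding the serial as the
Unix time of the newest change is an assumption, not IPA's design.
"""
from datetime import datetime, timezone

SERIAL_MOD = 1 << 32          # SOA serial is an unsigned 32-bit field
HALF = 1 << 31                # RFC 1982 comparison window


def parse_generalized_time(value):
    """Parse the LDAP GeneralizedTime form 389 DS emits: YYYYMMDDHHMMSSZ."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def serial_from_entries(entries):
    """Serial = Unix time of the newest modifyTimestamp in the subtree (assumed).

    'entries' is what a subtree search under cn=dns requesting
    modifyTimestamp would return. The zone object itself is part of the
    subtree, so editing the zone entry also bumps the serial.
    """
    if not entries:
        raise ValueError("empty subtree: nothing to derive a serial from")
    newest = max(parse_generalized_time(e["modifyTimestamp"]) for e in entries)
    return int(newest.timestamp()) % SERIAL_MOD


def serial_gt(a, b):
    """RFC 1982 serial arithmetic: True if serial a is 'newer' than b.

    A secondary transfers the zone only when the master's serial is greater
    in this sense, so this comparison decides whether a transfer happens.
    """
    return a != b and ((a < b and b - a > HALF) or (a > b and a - b < HALF))


# Constructed snapshot of one zone (hypothetical DNs) as seen on two DS
# replicas while an add made on replica B has not yet replicated to A.
ZONE = {"dn": "idnsname=example.test,cn=dns,dc=example,dc=test",
        "modifyTimestamp": "20120417150000Z"}
WWW = {"dn": "idnsname=www,idnsname=example.test,cn=dns,dc=example,dc=test",
       "modifyTimestamp": "20120417151500Z"}
MAIL = {"dn": "idnsname=mail,idnsname=example.test,cn=dns,dc=example,dc=test",
        "modifyTimestamp": "20120417154936Z"}

REPLICA_A = [ZONE, WWW]          # has not received MAIL yet
REPLICA_B = [ZONE, WWW, MAIL]    # where the add was made


def replication_lag_scenario():
    """Walk through the race from the post and the deletion edge case."""
    serial_a = serial_from_entries(REPLICA_A)
    serial_b = serial_from_entries(REPLICA_B)

    # A secondary that last transferred from A, then asks B: B looks newer,
    # so it transfers again; once A catches up, both replicas agree.
    secondary_serial = serial_a
    transfer_from_b = serial_gt(serial_b, secondary_serial)
    serial_a_after_replication = serial_from_entries(REPLICA_A + [MAIL])

    # Edge case: deleting the newest record lowers the maximum timestamp, so
    # the derived serial goes backwards and a secondary holding serial_b
    # will not pick up the deletion until some other record in the zone
    # changes (the "corrected by the next record change" behaviour).
    serial_after_delete = serial_from_entries([ZONE, WWW])
    transfer_after_delete = serial_gt(serial_after_delete, serial_b)

    return {
        "serial_a": serial_a,
        "serial_b": serial_b,
        "transfer_from_b": transfer_from_b,
        "converged": serial_a_after_replication == serial_b,
        "serial_after_delete": serial_after_delete,
        "transfer_after_delete": transfer_after_delete,
    }


if __name__ == "__main__":
    for key, value in replication_lag_scenario().items():
        print(f"{key}: {value}")
```

The replication-lag part behaves as the post predicts: the secondary 
does one extra transfer and everything converges. The deletion case is 
the one to keep in mind when deciding on strictness: with a plain 
maximum over the surviving entries, a delete alone never raises the 
serial, so secondaries keep serving the removed record until any other 
change in the zone happens.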



