[Freeipa-devel] DNS SOA serial managed by 389 DS plugin: design

Petr Spacek pspacek at redhat.com
Mon Feb 11 14:37:58 UTC 2013


Hello,

please take a look at

http://freeipa.org/page/V3/DNS_SOA_serial_auto-incrementation

The Overview and the IPA 3.0 chapter summarize the current state and problems. The 
next chapter contains a proposal combined from Simo's and my ideas. The user 
interface part is still an open question. Any ideas are welcome!

I copied only the 3.1 part to make the e-mail shorter:

  Design in IPA 3.1

Move SOA serial maintenance from bind-dyndb-ldap to a (new?) 389 DS plugin: IPA 
ticket #3347.

The DS plugin watches the cn=dns sub-tree for changes.

Any change to a DNS record in this subtree will increment the idnsSOAserial 
attribute in the record's parent zone.


Basic idea

if objectClass is idnsConfig
     change is ignored and idnsSOAserial is not incremented
else if objectClass is idnsZone
     increment idnsSOAserial in the same object
else if objectClass is idnsRecord
     increment idnsSOAserial in the object's immediate parent
     e.g. a change in idnsName=test, idnsName=example.com, cn=dns will increment
     idnsSOAserial in the object idnsName=example.com, cn=dns
     if the parent's objectClass is not idnsZone
          log an error (This should never happen :-))


SOA serial incrementation algorithm

oldSerial = current idnsSOAserial value
timestamp = current UNIX timestamp
if (oldSerial != timestamp)
     newSerial = timestamp
else
     newSerial = oldSerial + 1
Write the newSerial value to the particular idnsSOAserial attribute


Implementation details

BIND does a direct SOA serial update (not triggered by the serial autoincrement 
feature) after any dynamic update. We have to catch those attempts and ignore 
them:

     A plugin can intercept any modify and manipulate it, including
     suppressing changes to the SOA serial.
     It should be possible to catch & discard SOA serial modifications inside
     BIND. This will save some load on the LDAP server.


Possible optimization

Increment serial value at most once per second.

Basic idea: Write the current timestamp (no incrementation) immediately and write 
the serial value to the database with a one second delay.

Problem: How to handle an LDAP server crash? Write the timestamp immediately and 
(while reading) subtract 1 if timestamp == serial?

-- 
Petr^2 Spacek
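An added model of the plugin logic described in the post (example code, not part of the post or of FreeIPA): it picks the entry whose idnsSOAserial must change from the objectClass of the modified entry, discards the SOA-serial-only modify that BIND issues after a dynamic update, and computes the new serial. The directory entries and serials are constructed; next_serial() uses max(timestamp, oldSerial + 1), which agrees with the post's rule whenever the stored serial is behind or equal to the clock and additionally avoids stepping backwards when several changes land in the same second. Assumption: a zone entry carries both idnsZone and idnsRecord, so the idnsZone test runs first, as in the post.

```python
import logging
import time

# Constructed sample of the cn=dns sub-tree: DN -> objectClass values.
DIRECTORY = {
    "cn=dns": {"idnsConfig"},
    "idnsName=example.com,cn=dns": {"idnsZone", "idnsRecord"},
    "idnsName=test,idnsName=example.com,cn=dns": {"idnsRecord"},
    "idnsName=orphan,cn=dns": {"idnsRecord"},  # parent is not a zone
}

def classes_of(dn, directory):
    return {c.lower() for c in directory.get(dn, ())}

def target_for_change(dn, directory):
    """DN whose idnsSOAserial gets bumped for a change to `dn`, or None."""
    classes = classes_of(dn, directory)
    if "idnsconfig" in classes:
        return None                      # global config: no serial change
    if "idnszone" in classes:
        return dn                        # zone apex: bump in the same object
    if "idnsrecord" in classes:
        parent = dn.partition(",")[2].strip()  # strip first RDN (no escaping handled)
        if "idnszone" not in classes_of(parent, directory):
            logging.error("parent %s of %s is not an idnsZone", parent, dn)
            return None
        return parent                    # record: bump in the parent zone
    return None

def next_serial(old_serial, now=None):
    """Timestamp-based serial that never goes backwards (variant of the post's rule)."""
    ts = int(time.time()) if now is None else now
    return max(ts, old_serial + 1)

def is_bind_serial_write(mods):
    """A modify touching only idnsSOAserial is BIND's own post-update SOA rewrite."""
    return {attr.lower() for attr, _ in mods} == {"idnssoaserial"}

def apply_modify(dn, mods, directory, serials, now=None):
    """Plugin logic for one modify: (zone_dn, new_serial) or None if nothing is written."""
    if is_bind_serial_write(mods):
        return None                      # discard, do not count as a change
    target = target_for_change(dn, directory)
    if target is None:
        return None
    serials[target] = next_serial(serials.get(target, 0), now)
    return target, serials[target]
```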