T On Wed, May 29, 2019 at 1:43 PM Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Wed, 29 May 2019, Andrey Bondarenko via FreeIPA-users wrote:
> >Hello,
> >
> >Is the SOA generation algorithm for zones documented anywhere or anyone by
> >chance knows what it is?
> >
> >We have cluster of 8 nodes and SOA is different on some IPAs in some zones
> >(with huge amount of changes). But if I make a change I actually see it on
> >different IPA.
> >
> >Also, restarting IPA increases SOA by 1.
> >
> >We wanted to rely on SOA on our DNS consistency check but seems like it's
> >not a working idea, or is it?
> If you are not using slave DNS masters on separate servers, then each
> IPA master with DNS becomes own authoritative master and has own
> (so-called 'locally significant') SOA value. This is default in IPA DNS
> deployment.
>
> From bind-dyndb-ldap's README.md:
>
> * idnsSOAserial
>
>   SOA serial number. It is automatically incremented after each change
>   in LDAP. External changes done by other LDAP clients are detected via
>   RFC 4533 (so-called syncrepl).
>
>   If serial number is lower than current UNIX timestamp, then
>   it is set to the timestamp value. If SOA serial is greater or equal
>   to current timestamp, then the serial is incremented by one.
>   (This is equivalent to BIND option 'serial-update-method unix'.)
>
>   In multi-master LDAP environments it is recommended to make
>   idnsSOAserial attribute non-replicated (locally significant).
>   It is recommended not to use multiple masters for single slave zone
>   if SOA serial is locally significant because serial numbers between
>   masters aren't synchronized. It will cause problems with zone
>   transfers from multiple masters to single slave.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>

--
With best regards,
Andrey Bondarenko
mail: me@andreybondarenko.com
https://andreybondarenko.com
skype: andrey.bondarenko
phone, Telegram, WhatsApp, etc: +420-773-591-443
7758 40AC 88CC 96C9 0C9A 9EE4 3B72 547B 7538 D41B
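
Added example, not part of either message and not code from bind-dyndb-ldap or FreeIPA: a small model of the serial rule quoted from the README, showing two masters that hold identical zone data but end up with different serials, and a consistency check that compares record content instead of the SOA serial. The Master class, the record data, the host names and the timestamps are constructed assumptions.

```python
import hashlib

def next_serial(current: int, now: int) -> int:
    """Serial update rule as quoted from the README: jump to the UNIX
    timestamp if the serial is behind it, otherwise increment by one."""
    return now if current < now else current + 1

class Master:
    """Hypothetical model of one DNS master whose serial is locally significant."""
    def __init__(self, name: str):
        self.name, self.serial, self.records = name, 0, {}

    def apply(self, owner: str, rtype: str, value: str, now: int) -> None:
        # Every change detected in LDAP bumps only this master's own serial.
        self.records[(owner, rtype)] = value
        self.serial = next_serial(self.serial, now)

    def content_digest(self) -> str:
        # Hash the record set only; the SOA serial is deliberately left out.
        h = hashlib.sha256()
        for (owner, rtype), value in sorted(self.records.items()):
            h.update(f"{owner}\t{rtype}\t{value}\n".encode())
        return h.hexdigest()

def demo():
    # Constructed sample data: three changes, seen at different times per master.
    changes = [("www", "A", "192.0.2.10"), ("mail", "A", "192.0.2.25"),
               ("www", "A", "192.0.2.11")]
    a, b = Master("ipa1"), Master("ipa2")
    t0 = 1559130000  # constructed timestamp
    for change, seen_a, seen_b in zip(changes, (t0, t0, t0), (t0, t0 + 5, t0 + 5)):
        a.apply(*change, now=seen_a)
        b.apply(*change, now=seen_b)
    return a, b

def consistent(masters) -> bool:
    """Consistency check that compares zone content instead of SOA serials."""
    return len({m.content_digest() for m in masters}) == 1

if __name__ == "__main__":
    a, b = demo()
    print(a.name, a.serial, b.name, b.serial, "content equal:", consistent([a, b]))
```

A burst of changes within one second pushes a serial ahead of the clock by increments, while a master that sees the same changes a few seconds later jumps to the newer timestamp, so the serials differ even though the digests match.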