Bug 804619

Summary: DNS zone serial number is not updated
Product: Red Hat Enterprise Linux 6
Reporter: Petr Spacek <pspacek>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Priority: medium
Version: 6.2
CC: chris.jutting, grajaiya, jgalipea, mkosek, pspacek
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-3.0.0-1.el6
Doc Type: Enhancement
Doc Text:
Feature: Automatically increase the SOA serial number when a DNS zone managed by Identity Management, or any record in the zone, is updated. This feature takes advantage of, and requires, the persistent search data refresh mechanism, which is enabled by default by the Identity Management server install script. Reason: Administrators could not configure a slave DNS server, as it cannot function properly unless the SOA serial number changes every time a DNS record is changed. Result (if any): The bind-dyndb-ldap plugin, used to provision data from the Identity Management DNS tree to the BIND Name Server, updates the DNS zone SOA serial number every time the DNS zone or one of its records is modified, thus allowing Administrators to configure a slave DNS server for zones managed by Identity Management.
Last Closed: 2013-02-21 09:10:23 UTC
Bug Blocks: 766233

Description Petr Spacek 2012-03-19 12:56:05 UTC
Description of problem:
Zone serial number is not incremented after adding DNS record. (Same problem probably occurs with all DNS operations.)

Version-Release number of selected component (if applicable):
ipa-server-2.1.3-9.el6.x86_64
bind-9.7.3-8.P3.el6.x86_64
bind-dyndb-ldap-0.2.0-7.el6.x86_64

How reproducible:
Add any DNS record and watch DNS zone serial number.

Steps to Reproduce:
1. ipa dnszone-show localnet
2. ipa dnsrecord-add localnet test3 --a-rec=1.2.3.4
3. ipa dnszone-show localnet
  
Actual results:
# ipa dnszone-show localnet
  Zone name: localnet
  Authoritative nameserver: el621.localnet.
  Administrator e-mail address: root.el621.localnet.
  SOA serial: 2012190301
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE

# ipa dnsrecord-add localnet test3 --a-rec=1.2.3.4 
  Record name: test3
  A record: 1.2.3.4

# ipa dnszone-show localnet
  Zone name: localnet
  Authoritative nameserver: el621.localnet.
  Administrator e-mail address: root.el621.localnet.
  SOA serial: 2012190301
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE

Expected results:
"SOA serial" value was incremented.

Additional info:
The BIND LDAP plugin only reads the value from LDAP. The SOA serial # change has to be handled in the UI (or via a dirsrv plugin?).

Comment 1 Petr Spacek 2012-03-19 13:00:42 UTC
Correct SOA records are necessary for various DNS utilities, e.g. zone transfers (and DNSSEC "Inline Signing" in newer BIND versions).

Comment 3 Martin Kosek 2012-03-20 08:36:22 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2554

Comment 4 Rob Crittenden 2012-04-10 14:37:04 UTC
*** Bug 811248 has been marked as a duplicate of this bug. ***

Comment 5 Martin Kosek 2012-09-18 07:37:02 UTC
Fixed upstream.

master:
9d69db80a3d1fc46236a4546988176cdd7939b82
67dbde01567f5df414d4e5f6ac694c9b04170c45
e578183ea25a40aedf6dcc3e1ee4bcb19b73e70f
8c7556db8339cf64f1c80e4ffec30ac3646f177e

The SOA serial autoincrement attribute is now automatically updated by bind-dyndb-ldap whenever a DNS entry is added or modified.

Please note that in order to avoid replication issues, the SOA serial attribute (idnsSOAserial) had to be added to the replication agreement exclude list, as the serial will be incremented on each DNS server separately and won't be shared. Thus, the resulting serial number may be different between different IPA replicas with DNS support.
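
The reproducer in the description, the zone-transfer requirement in comment 1 and the replication caveat in comment 5 can be checked with a small script. The one below is an added example, not code from the bug report or the FreeIPA/bind-dyndb-ldap projects. It assumes `ipa`, `dig` and `ldapsearch` are on PATH and the caller holds a Kerberos ticket when the live functions run; the parsing and serial-arithmetic helpers run offline on constructed sample lines. It goes slightly beyond the bug: the serial comparison uses RFC 1982 serial arithmetic, which is what a slave applies before deciding whether to pull a zone, so a serial that wraps past 2^32-1 still counts as "newer".

```shell
#!/bin/sh
# Added example (not from the bug report or the FreeIPA project).
# Assumptions: ipa, dig and ldapsearch exist; kinit done for the live checks.

# Pull "SOA serial: N" out of `ipa dnszone-show` output read from stdin.
ipa_soa_serial() {
    sed -n 's/^[[:space:]]*SOA serial:[[:space:]]*//p'
}

# Pull the serial out of one line of `dig +short SOA <zone>` output, e.g.
#   ns1.example.test. hostmaster.example.test. 1355368101 3600 900 1209600 3600
# (constructed sample line; field 3 is the serial).
soa_serial_from_dig() {
    set -- $1
    printf '%s\n' "$3"
}

# RFC 1982 serial-number arithmetic: succeed when NEW is "newer" than OLD,
# i.e. 0 < (NEW - OLD) mod 2^32 < 2^31. A slave uses this comparison, so
# 4294967295 -> 1 is an advance while an unchanged serial is not.
serial_advanced() {
    old=$1; new=$2
    diff=$((new - old))
    if [ "$diff" -lt 0 ]; then diff=$((diff + 4294967296)); fi
    if [ "$diff" -ne 0 ] && [ "$diff" -lt 2147483648 ]; then
        return 0
    fi
    return 1
}

# Given the nsDS5ReplicatedAttributeList value of a 389-ds replication
# agreement ("(objectclass=*) $ EXCLUDE attr1 attr2 ..."), succeed when
# idnsSOAserial is in the EXCLUDE list (attribute names are case-insensitive).
excludes_soa_serial() {
    case "$1" in
        *EXCLUDE*) ;;
        *) return 1 ;;
    esac
    rest=${1#*EXCLUDE}
    set -- $rest
    for attr in "$@"; do
        if [ "$(printf '%s' "$attr" | tr 'A-Z' 'a-z')" = idnssoaserial ]; then
            return 0
        fi
    done
    return 1
}

# Live check, mirroring the reproducer: read the serial a slave would see,
# add a record, confirm the serial advanced.
# Usage: check_zone_serial_bump ZONE NAME IP [SERVER]
check_zone_serial_bump() {
    zone=$1; name=$2; ip=$3; server=${4:-127.0.0.1}
    before=$(soa_serial_from_dig "$(dig +short SOA "$zone" @"$server")")
    ipa dnsrecord-add "$zone" "$name" --a-rec="$ip" >/dev/null || return 1
    sleep 2   # the bump happens via the async persistent-search refresh; 2 s is an assumed delay
    after=$(soa_serial_from_dig "$(dig +short SOA "$zone" @"$server")")
    if serial_advanced "$before" "$after"; then
        echo "PASS: SOA serial $before -> $after on $server"
    else
        echo "FAIL: SOA serial $before -> $after on $server"
        return 1
    fi
}

# Live check of the replication caveat: every agreement on this server must
# exclude idnsSOAserial, otherwise replicas would replicate their private counters.
# Usage: check_replication_excludes BIND_DN PASSWORD_FILE
check_replication_excludes() {
    ldapsearch -LLL -x -o ldif-wrap=no -D "$1" -y "$2" -b cn=config \
        '(objectClass=nsDS5ReplicationAgreement)' nsDS5ReplicatedAttributeList \
      | sed -n 's/^nsDS5ReplicatedAttributeList: //p' \
      | while IFS= read -r value; do
            if excludes_soa_serial "$value"; then
                echo "PASS: $value"
            else
                echo "FAIL: idnsSOAserial not excluded: $value"
            fi
        done
}

# Run the reproducer check when invoked with ZONE NAME IP [SERVER].
if [ "$#" -ge 3 ]; then
    check_zone_serial_bump "$@"
fi
```

Because each replica keeps its own counter, point a given slave at one master (or accept that `dig SOA` against two replicas returns different serials); comparing serials across replicas is not a consistency check.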

Comment 7 Namita Soman 2012-12-18 03:45:39 UTC
Verified using:ipa-server-3.0.0-11.el6.x86_64

test output:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz804619 DNS zone serial number is not updated
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

 Zone name: testrelm.com
  Authoritative nameserver: nightcrawler.testrelm.com.
  Administrator e-mail address: hostmaster.testrelm.com.
  SOA serial: 1355368096
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
:: [   PASS   ] :: Running 'ipa dnszone-show testrelm.com'
  Record name: dns175
  A record: 192.168.0.1
:: [   PASS   ] :: Running 'ipa dnsrecord-add testrelm.com dns175 --a-rec=192.168.0.1'
:: [   PASS   ] :: idnssoaserial has changed as expected, GOT:  1355368101

Comment 9 errata-xmlrpc 2013-02-21 09:10:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html