Bug 804619 - DNS zone serial number is not updated
Summary: DNS zone serial number is not updated
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Rob Crittenden
QA Contact: Namita Soman
URL:
Whiteboard:
Duplicates: 811248
Depends On:
Blocks: 766233
Reported: 2012-03-19 12:56 UTC by Petr Spacek
Modified: 2015-05-20 15:12 UTC (History)

Fixed In Version: ipa-3.0.0-1.el6
Doc Type: Enhancement
Doc Text:
Feature: Automatically increase the SOA serial number of a DNS zone managed by Identity Management whenever any record in the zone is updated. This feature takes advantage of, and requires, the persistent search data refresh mechanism, which is enabled by default by the Identity Management server install script. Reason: Administrators could not configure a slave DNS server, as it cannot function properly unless the SOA serial number changes every time a DNS record changes. Result (if any): The bind-dyndb-ldap plugin, which provisions data from the Identity Management DNS tree to the BIND name server, now updates the DNS zone SOA serial number every time the DNS zone or one of its records is modified, thus allowing administrators to configure a slave DNS server for zones managed by Identity Management.
Clone Of:
Environment:
Last Closed: 2013-02-21 09:10:23 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0528 normal SHIPPED_LIVE Low: ipa security, bug fix and enhancement update 2013-02-21 08:22:21 UTC

Description Petr Spacek 2012-03-19 12:56:05 UTC
Description of problem:
Zone serial number is not incremented after adding DNS record. (Same problem probably occurs with all DNS operations.)

Version-Release number of selected component (if applicable):
ipa-server-2.1.3-9.el6.x86_64
bind-9.7.3-8.P3.el6.x86_64
bind-dyndb-ldap-0.2.0-7.el6.x86_64

How reproducible:
Add any DNS record and watch DNS zone serial number.

Steps to Reproduce:
1. ipa dnszone-show localnet
2. ipa dnsrecord-add localnet test3 --a-rec=1.2.3.4
3. ipa dnszone-show localnet
  
Actual results:
# ipa dnszone-show localnet
  Zone name: localnet
  Authoritative nameserver: el621.localnet.
  Administrator e-mail address: root.el621.localnet.
  SOA serial: 2012190301
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE

# ipa dnsrecord-add localnet test3 --a-rec=1.2.3.4 
  Record name: test3
  A record: 1.2.3.4

# ipa dnszone-show localnet
  Zone name: localnet
  Authoritative nameserver: el621.localnet.
  Administrator e-mail address: root.el621.localnet.
  SOA serial: 2012190301
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE

Expected results:
"SOA serial" value was incremented.

Additional info:
The BIND LDAP plugin only reads the value from LDAP. The SOA serial # change has to be handled in the UI (or via a dirsrv plugin?).

Comment 1 Petr Spacek 2012-03-19 13:00:42 UTC
Correct SOA records are necessary for various DNS utilities, e.g. zone transfers (and DNSSEC "Inline Signing" in newer BIND versions).

Comment 3 Martin Kosek 2012-03-20 08:36:22 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2554

Comment 4 Rob Crittenden 2012-04-10 14:37:04 UTC
*** Bug 811248 has been marked as a duplicate of this bug. ***

Comment 5 Martin Kosek 2012-09-18 07:37:02 UTC
Fixed upstream.

master:
9d69db80a3d1fc46236a4546988176cdd7939b82
67dbde01567f5df414d4e5f6ac694c9b04170c45
e578183ea25a40aedf6dcc3e1ee4bcb19b73e70f
8c7556db8339cf64f1c80e4ffec30ac3646f177e

The SOA serial autoincrement attribute is now automatically updated by bind-dyndb-ldap whenever a DNS entry is added or modified.

Please note that, in order to avoid replication issues, the SOA serial attribute (idnsSOAserial) had to be added to the replication agreement exclude list, as the serial will be incremented on each DNS server separately and won't be shared. Thus, the resulting serial number may differ between IPA replicas with DNS support.

Comment 7 Namita Soman 2012-12-18 03:45:39 UTC
Verified using: ipa-server-3.0.0-11.el6.x86_64

test output:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz804619 DNS zone serial number is not updated
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

 Zone name: testrelm.com
  Authoritative nameserver: nightcrawler.testrelm.com.
  Administrator e-mail address: hostmaster.testrelm.com.
  SOA serial: 1355368096
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
:: [   PASS   ] :: Running 'ipa dnszone-show testrelm.com'
  Record name: dns175
  A record: 192.168.0.1
:: [   PASS   ] :: Running 'ipa dnsrecord-add testrelm.com dns175 --a-rec=192.168.0.1'
:: [   PASS   ] :: idnssoaserial has changed as expected, GOT:  1355368101
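The check the test log above performs (record the SOA serial, add a record, confirm the serial moved) written out as an added example; this is not code from the bug, the test suite or the IPA project. It parses the `ipa dnszone-show` text format shown in the report, and it goes one step beyond the page by comparing the two serials with RFC 1982 serial-number arithmetic, which is how a slave decides whether a master's zone is newer, so a serial that wraps at 2^32 still counts as advanced. The sample outputs are constructed from the values in the report; `live_check` is a hypothetical helper that would run the real commands and is not exercised offline, and its polling delay is an assumption about how long bind-dyndb-ldap takes to notice the change.

```python
import re
import subprocess
import time

# Constructed sample in the format `ipa dnszone-show` prints; values adapted
# from the bug report, not captured from a live server.
BEFORE = """\
  Zone name: localnet
  Authoritative nameserver: el621.localnet.
  Administrator e-mail address: root.el621.localnet.
  SOA serial: 2012190301
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
"""

# What the fixed server should print after a record is added: a higher serial.
AFTER_FIXED = BEFORE.replace("SOA serial: 2012190301", "SOA serial: 2012190302")

SERIAL_RE = re.compile(r"^\s*SOA serial:\s*(\d+)\s*$", re.MULTILINE)


def parse_soa_serial(output: str) -> int:
    """Extract the SOA serial from dnszone-show text output."""
    m = SERIAL_RE.search(output)
    if m is None:
        raise ValueError("no 'SOA serial' line in dnszone-show output")
    return int(m.group(1))


def serial_advanced(old: int, new: int) -> bool:
    """RFC 1982 comparison: True if `new` is later than `old` in the 32-bit
    serial space. A difference of exactly 2^31 is undefined by the RFC and
    is treated here as not advanced."""
    if old == new:
        return False
    diff = (new - old) % (1 << 32)
    return 0 < diff < (1 << 31)


def check_serial_bumped(before_out: str, after_out: str) -> bool:
    """The assertion from the test log: the serial seen after the record
    change must be later than the one seen before it."""
    return serial_advanced(parse_soa_serial(before_out), parse_soa_serial(after_out))


def live_check(zone: str, name: str, ip: str, attempts: int = 10, delay: float = 1.0) -> bool:
    """Hypothetical helper: replay the reproduction steps against a real IPA
    server (needs an admin Kerberos ticket). Not run offline. Polls because
    the serial is bumped by bind-dyndb-ldap after it sees the LDAP change,
    not synchronously by the `ipa` command (assumed delay)."""
    def show() -> str:
        return subprocess.run(["ipa", "dnszone-show", zone],
                              check=True, capture_output=True, text=True).stdout

    before = show()
    subprocess.run(["ipa", "dnsrecord-add", zone, name, f"--a-rec={ip}"],
                   check=True, capture_output=True, text=True)
    for _ in range(attempts):
        if check_serial_bumped(before, show()):
            return True
        time.sleep(delay)
    return False


if __name__ == "__main__":
    print("serial before:", parse_soa_serial(BEFORE))
    print("bumped on fixed server:", check_serial_bumped(BEFORE, AFTER_FIXED))
    print("bumped on unfixed server:", check_serial_bumped(BEFORE, BEFORE))
```

Because the serial is incremented independently on each replica (see comment 5), a slave should be pointed at one master for a given zone; comparing serials obtained from two different replicas with this check tells you nothing about whether a change replicated.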

Comment 9 errata-xmlrpc 2013-02-21 09:10:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html

