Hello,

please take a look at

http://freeipa.org/page/V3/DNS_SOA_serial_auto-incrementation

The Overview and the IPA 3.0 chapter summarize the current state and problems. The next chapter contains a proposal combining Simo's and my ideas. The user interface part is still an open question. Any ideas are welcome!

I copied only the 3.1 part to make the e-mail shorter:

Design in IPA 3.1

Move SOA serial maintenance from bind-dyndb-ldap to a (new?) 389 DS plugin: IPA ticket #3347.

The DS plugin watches the cn=dns sub-tree for changes.

Any change to a DNS record in this subtree will increment the idnsSOAserial attribute in the record's parent zone.


Basic idea

if objectClass is idnsConfig
    change is ignored and idnsSOAserial is not incremented
else if objectClass is idnsZone
    increment idnsSOAserial in the same object
else if objectClass is idnsRecord
    increment idnsSOAserial in the object's immediate parent
    (e.g. a change in idnsName=test, idnsName=example.com, cn=dns will increment
     idnsSOAserial in the object idnsName=example.com, cn=dns)
    if the parent's objectClass is not idnsZone
        log an error (This should never happen :-))


SOA serial incrementation algorithm

oldSerial = current idnsSOAserial value
timestamp = current UNIX timestamp
if (oldSerial != timestamp)
    newSerial = timestamp
else
    newSerial = oldSerial + 1
Write the newSerial value to the particular idnsSOAserial attribute


Implementation details

BIND does a direct SOA serial update (not triggered by the serial auto-increment feature) after any dynamic update. We have to catch those attempts and ignore them:

A plugin can intercept any modify operation and manipulate it, including suppressing changes to the SOA serial. It should also be possible to catch and discard SOA serial modifications inside BIND. This would save some load on the LDAP server.


Possible optimization

Increment the serial value at most once per second.

Basic idea: Write the current timestamp (no incrementation) and write the serial value to the database with a one second delay.

Problem: How do we handle an LDAP server crash? Write the timestamp immediately and (while reading) subtract 1 if timestamp == serial?

--
Petr^2 Spacek

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
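The following is an added example, not code from the proposal, FreeIPA, bind-dyndb-ldap or 389 DS. It models the three pieces of the 3.1 design in one runnable script: the objectClass dispatch that picks which entry's idnsSOAserial to bump, the timestamp-or-plus-one increment rule exactly as the mail states it, and the pre-op hook that drops BIND's own post-update write to idnsSOAserial. The in-memory DIRECTORY, the fixed clock values, the starting serial and all helper names are my constructions; the DN parser assumes RDN values contain no escaped commas. A replay of three record changes inside one second is included because it exposes an edge of the stated rule: after two bumps the serial sits one ahead of the clock, so the third bump (serial != timestamp) resets it to the timestamp, which is lower than the value secondaries already hold. A monotonic variant, marked as my addition, sits beside it.

```python
"""Prototype of the serial-maintenance logic sketched in the mail above.

Added example: not code from FreeIPA, bind-dyndb-ldap or 389 DS.  Entry
layout, objectClass names and DN shapes follow the mail; the DIRECTORY,
clock values, starting serial and helper names are constructed here.
"""
import time

ZONE_OC = "idnszone"
RECORD_OC = "idnsrecord"
CONFIG_OC = "idnsconfig"
SERIAL_MODULUS = 2 ** 32  # SOA serial is a 32-bit unsigned value (RFC 1035)

# Constructed stand-in for the cn=dns subtree: normalized DN -> objectClass values.
DIRECTORY = {
    "cn=dns": ["top", "idnsConfig"],
    "idnsName=example.com,cn=dns": ["top", "idnsZone"],
    "idnsName=test,idnsName=example.com,cn=dns": ["top", "idnsRecord"],
    "idnsName=orphan,cn=dns": ["top", "idnsRecord"],  # misplaced record
}


def normalize_dn(dn):
    """Join RDNs without the cosmetic spaces used in the mail.
    Toy parser (assumption): no escaped commas inside RDN values."""
    return ",".join(rdn.strip() for rdn in dn.split(","))


def parent_dn(dn):
    return normalize_dn(dn).split(",", 1)[1]


def lookup_oc(dn):
    """Stands in for the internal search a DS plugin would issue."""
    return DIRECTORY.get(normalize_dn(dn), [])


def serial_target(dn, object_classes):
    """Return the DN whose idnsSOAserial must be bumped for a change to `dn`,
    or None when the change is ignored (idnsConfig).  A record whose parent
    is not an idnsZone is the 'should never happen' case from the mail."""
    ocs = {oc.lower() for oc in object_classes}
    if CONFIG_OC in ocs:
        return None
    if ZONE_OC in ocs:
        return normalize_dn(dn)
    if RECORD_OC in ocs:
        parent = parent_dn(dn)
        if ZONE_OC not in {oc.lower() for oc in lookup_oc(parent)}:
            raise ValueError("parent of %s is not an idnsZone: %s" % (dn, parent))
        return parent
    return None


def next_serial(old_serial, now=None):
    """The increment rule exactly as the mail states it."""
    ts = int(time.time()) if now is None else int(now)
    return ts if old_serial != ts else old_serial + 1


def next_serial_monotonic(old_serial, now=None):
    """Variant (my addition, not in the proposal): never returns a value
    below old_serial + 1, so a burst of updates inside one second cannot
    push the serial below what secondaries have already seen."""
    ts = int(time.time()) if now is None else int(now)
    return max(ts, old_serial + 1) % SERIAL_MODULUS


def drop_serial_mods(mods):
    """Pre-op modify hook: discard a client's own idnsSOAserial changes so
    BIND's post-dynamic-update SOA rewrite cannot fight the plugin.  `mods`
    are (op, attribute, values) triples; the plugin's own internal write is
    assumed to bypass this hook."""
    return [m for m in mods if m[1].lower() != "idnssoaserial"]


def replay(updates, clock, increment=next_serial, start=1359999999):
    """Apply (dn, objectClasses) changes in order, one clock reading per
    change, and return the zone serial seen after each change (None for an
    ignored change).  `start` is a constructed initial serial."""
    serials = {"idnsName=example.com,cn=dns": start}
    seen = []
    for (dn, ocs), now in zip(updates, clock):
        target = serial_target(dn, ocs)
        if target is None:
            seen.append(None)
            continue
        serials[target] = increment(serials[target], now)
        seen.append(serials[target])
    return seen


if __name__ == "__main__":
    t = 1360000000
    rec = ("idnsName=test, idnsName=example.com, cn=dns", ["top", "idnsRecord"])
    print("proposal rule :", replay([rec, rec, rec], [t, t, t]))   # [t, t+1, t]
    print("monotonic rule:", replay([rec, rec, rec], [t, t, t], next_serial_monotonic))
```

Running the script shows the two rules diverge only on the third change in the same second. One further thing to check before adopting timestamps at all: a zone whose serial is already above the current Unix time (any zone maintained by hand in YYYYMMDDnn form has been since 2013) would also go backwards on its first automatic bump under the stated rule, so a one-off check of existing idnsSOAserial values against time(2) is worth doing before the plugin is enabled.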