In preparation for a bunch of questions which are bound to arise, I thought
I'd try and document what the
SOA-EDIT parameter in the domainmetadata table does.
(We've seen this table before, when we discussed how PowerDNS can modify
incoming zone transfers on the fly.)
SOA-EDIT parameter is set on a per/domain basis. It tells PowerDNS
how it should modify the SOA serial number when it is queried for an SOA record
of a domain or when it serves the zone in an outgoing zone transfer (AXFR). As
an example, here's how it is set for a zone:
SELECT d.name, m.kind, m.content FROM domains d, domainmetadata m WHERE d.id = m.domain_id AND d.name = 'a.aa'; +------+-------------+-----------------+ | name | kind | content | +------+-------------+-----------------+ | a.aa | SOA-EDIT | INCREMENT-WEEKS | +------+-------------+-----------------+
There are five possible values for kind. From the documentation:
- INCEPTION sets the SOA Serial to the current two-week signing period start in YYYYMMDD01 format,
- INCEPTION-WEEK sets it to the number of weeks since the epoch,
- INCREMENT-WEEKS increments the serial with the number of weeks since the epoch,
- EPOCH is the number of seconds since the epoch, and
- INCEPTION-EPOCH is a bit special: it sets the new SOA serial number to the maximum of the old SOA serial number, and age in seconds of the start of the current signing period.
But what exactly does that mean?
Let's see an example based on typical SOA serial numbers. The following query obtains
the SOA record of a zone. The first number (
1) is the serial number as added to the database.
$ dig a.aa soa dns3.example.com. jp.example.com. 1 7200 3600 3600 3600
The following diagram
shows (at the top) the serial number contained in the PowerDNS back-end
database I use and, at the bottom, the resulting serial number served by
PowerDNS depending on the content of the
SOA-EDIT setting for the
particular zone. I've used two typical notations. I personally prefer an
integer I increment whenever I modify a zone; others prefer a YYYYMMDDn
notation (or they don't :-). (Note that these "modifications" are made on-the-fly: you won't see
any changes to the data you added to your back-end database tables.)
I've taken the liberty of emphasising the methods I believe are safest in terms of producing a different outgoing SOA serial number when it's modified in the database.
If I set
SOA-EDIT to, say,
"EPOCH", querying PowerDNS for the same zone
will produce a quite different serial number:
$ dig a.aa soa dns3.example.com. jp.example.com. 1358531491 7200 3600 3600 3600
Remember, that it is important to increment a serial number when a DNS server is operating as a master server, so that its slaves will (by querying the SOA record) be able to determine that the zone content has changed and will thus re-transfer it.
Some of this is also contained in my DNSSEC reference card, which you might enjoy.