authorMartin Kosek <mkosek@redhat.com>2012-06-28 16:46:48 +0200
committerMartin Kosek <mkosek@redhat.com>2012-07-13 16:03:58 +0200
commit9d69db80a3d1fc46236a4546988176cdd7939b82 (patch)
tree345e5ba63fe447b151377df1bda42475e3cb8160 /install
parent4879c68d68634715b9d08a08a4c7be882634409f (diff)
Enable SOA serial autoincrement
SOA serial autoincrement is a requirement for major DNS features, e.g. zone transfers or DNSSEC. Enable it by default in named.conf both for new and upgraded installations. Name of the bind-dyndb-ldap option is "serial_autoincrement". From now on, the idnsSOAserial attribute also has to be put on the replication agreement exclude list, as the serial will be incremented on each DNS server separately and won't be shared. The exclude list has to be updated both for new replication agreements and the current ones. The minimum number of connections for bind-dyndb-ldap has been raised to 4 connections; the setting will be updated during package upgrade. https://fedorahosted.org/freeipa/ticket/2554
Diffstat (limited to 'install')
-rw-r--r--install/share/bind.named.conf.template1
-rwxr-xr-xinstall/tools/ipa-dns-install10
-rwxr-xr-xinstall/tools/ipa-server-install12
-rw-r--r--install/tools/ipa-upgradeconfig68
-rw-r--r--install/tools/man/ipa-dns-install.15
-rw-r--r--install/tools/man/ipa-server-install.15
6 files changed, 91 insertions, 10 deletions
diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template
index f133b089a..9fdd91319 100644
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -46,4 +46,5 @@ dynamic-db "ipa" {
arg "sasl_user DNS/$FQDN";
arg "zone_refresh $ZONE_REFRESH";
arg "psearch $PERSISTENT_SEARCH";
+ arg "serial_autoincrement $SERIAL_AUTOINCREMENT";
};
diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index 6e9b99897..47bffdf83 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -62,6 +62,9 @@ def parse_options():
default=0, type="int",
help="When set to non-zero the name server will use DNS zone "
"detection based on polling instead of a persistent search")
+ parser.add_option("--no-serial-autoincrement", dest="serial_autoincrement",
+ default=True, action="store_false",
+ help="Do not enable SOA serial autoincrement")
parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
default=False, help="unattended installation never prompts the user")
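Review bot: The help string for `--no-serial-autoincrement` does not mention that the feature (which is now on by default) depends on persistent search, so a user who passes `--no-persistent-search` or `--zone-refresh` will only learn about the coupling from the parser error added in the next hunk. Suggest `help="Do not enable SOA serial autoincrement (enabled by default; requires persistent search)"`, and the same wording for the matching option in ipa-server-install.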
@@ -85,6 +88,10 @@ def parse_options():
if options.zone_notif:
print >>sys.stderr, "WARNING: --zone-notif option is deprecated and has no effect"
+ if options.serial_autoincrement and not options.persistent_search:
+ parser.error('persistent search feature is required for '
+ 'DNS SOA serial autoincrement')
+
return safe_options, options
def main():
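Review bot: The new `parser.error` does not tell the user how to resolve the conflict: because serial autoincrement defaults to True, anyone who previously ran the installer with `--no-persistent-search` (or, if this tool mirrors ipa-server-install and clears persistent_search on `--zone-refresh`, with that option) now gets a hard failure without being told which option to add. Suggest `parser.error('persistent search feature is required for DNS SOA serial autoincrement; pass --no-serial-autoincrement to disable it')`. The same applies to the identical check in ipa-server-install. parse_options begins outside this hunk, so whether persistent_search is modified before this point cannot be confirmed here.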
@@ -224,7 +231,8 @@ def main():
bind.setup(api.env.host, ip_address, api.env.realm, api.env.domain,
dns_forwarders, conf_ntp, reverse_zone, zonemgr=options.zonemgr,
zone_refresh=options.zone_refresh,
- persistent_search=options.persistent_search)
+ persistent_search=options.persistent_search,
+ serial_autoincrement=options.serial_autoincrement)
bind.create_instance()
# Restart http instance to make sure that python-dns has the right resolver
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 6dc02f684..d7de70631 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -210,7 +210,10 @@ def parse_options():
default=False,
help="Do not use DNS for hostname lookup during installation")
dns_group.add_option("--no-dns-sshfp", dest="create_sshfp", default=True, action="store_false",
- help="do not automatically create DNS SSHFP records")
+ help="Do not automatically create DNS SSHFP records")
+ dns_group.add_option("--no-serial-autoincrement", dest="serial_autoincrement",
+ default=True, action="store_false",
+ help="Do not enable SOA serial autoincrement")
parser.add_option_group(dns_group)
uninstall_group = OptionGroup(parser, "uninstall options")
@@ -304,6 +307,10 @@ def parse_options():
elif options.zone_refresh > 0:
options.persistent_search = False # mutually exclusive features
+ if options.serial_autoincrement and not options.persistent_search:
+ parser.error('persistent search feature is required for '
+ 'DNS SOA serial autoincrement')
+
if options.zone_notif:
print >>sys.stderr, "WARNING: --zone-notif option is deprecated and has no effect"
@@ -1036,7 +1043,8 @@ def main():
bind.setup(host_name, ip_address, realm_name, domain_name, dns_forwarders,
options.conf_ntp, reverse_zone, zonemgr=options.zonemgr,
zone_refresh=options.zone_refresh,
- persistent_search=options.persistent_search)
+ persistent_search=options.persistent_search,
+ serial_autoincrement=options.serial_autoincrement)
if options.setup_dns:
api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", bind_pw=dm_password)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 248232ac6..b82f039d4 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -302,7 +302,7 @@ def upgrade_httpd_selinux(fstore):
http = httpinstance.HTTPInstance(fstore)
http.configure_selinux_for_httpd()
-def enable_psearch_for_named():
+def named_enable_psearch():
"""
From IPA 3.0, persistent search is a preferred mechanism for new DNS zone
detection and is also needed for other features (DNSSEC, SOA serial
@@ -322,11 +322,13 @@ def enable_psearch_for_named():
return
try:
- psearch = bindinstance.named_conf_get_directive('psearch').lower()
+ psearch = bindinstance.named_conf_get_directive('psearch')
except IOError, e:
root_logger.debug('Cannot retrieve psearch option from %s: %s',
bindinstance.NAMED_CONF, e)
return
+ else:
+ psearch = None if psearch is None else psearch.lower()
if not sysupgrade.get_upgrade_state('named.conf', 'psearch_enabled'):
if psearch != "yes":
try:
@@ -343,7 +345,8 @@ def enable_psearch_for_named():
# make sure number of connections is right
minimum_connections = 2
if psearch == 'yes':
- minimum_connections = 3
+ # serial_autoincrement increased the minimal number of connections to 4
+ minimum_connections = 4
try:
connections = bindinstance.named_conf_get_directive('connections')
except IOError, e:
@@ -373,6 +376,59 @@ def enable_psearch_for_named():
root_logger.debug('No changes made')
return changed
+def named_enable_serial_autoincrement():
+ """
+ Serial autoincrement is a requirement for zone transfers or DNSSEC. It
+ should be enabled both for new installs and upgraded servers.
+
+ When some change in named.conf is done, this functions returns True
+ """
+ changed = False
+
+ root_logger.info('[Enabling serial autoincrement in DNS]')
+
+ if not bindinstance.named_conf_exists():
+ # DNS service may not be configured
+ root_logger.debug('DNS not configured')
+ return changed
+
+ try:
+ psearch = bindinstance.named_conf_get_directive('psearch')
+ serial_autoincrement = bindinstance.named_conf_get_directive(
+ 'serial_autoincrement')
+ except IOError, e:
+ root_logger.debug('Cannot retrieve psearch option from %s: %s',
+ bindinstance.NAMED_CONF, e)
+ return changed
+ else:
+ psearch = None if psearch is None else psearch.lower()
+ serial_autoincrement = None if serial_autoincrement is None \
+ else serial_autoincrement.lower()
+
+ # enable SOA serial autoincrement
+ if not sysupgrade.get_upgrade_state('named.conf', 'autoincrement_enabled'):
+ if psearch != "yes": # psearch is required
+ root_logger.debug('Persistent search is disabled, '
+ 'serial autoincrement cannot be enabled')
+ else:
+ if serial_autoincrement != 'yes':
+ try:
+ bindinstance.named_conf_set_directive('serial_autoincrement', 'yes')
+ except IOError, e:
+ root_logger.error('Cannot enable serial_autoincrement in %s: %s',
+ bindinstance.NAMED_CONF, e)
+ return changed
+ else:
+ root_logger.debug('Serial autoincrement enabled')
+ changed = True
+ else:
+ root_logger.debug('Serial autoincrement is alredy enabled')
+ sysupgrade.set_upgrade_state('named.conf', 'autoincrement_enabled', True)
+ else:
+ root_logger.debug('Skip serial autoincrement check')
+
+ return changed
+
def main():
"""
Get some basics about the system. If getting those basics fail then
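Review bot: The IOError handler in named_enable_serial_autoincrement logs `'Cannot retrieve psearch option from %s: %s'`, but the try block also reads the `serial_autoincrement` directive, so a failure on the second call is reported under the wrong name; suggest `'Cannot retrieve psearch/serial_autoincrement options from %s: %s'`. The debug message `'Serial autoincrement is alredy enabled'` has a typo (`already`). It would also help a reader to document in the docstring that the upgrade-state flag is deliberately left unset when persistent search is off or when writing named.conf fails, so the check is repeated on the next upgrade run; that appears to be the intent from the control flow but is not stated.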
@@ -435,9 +491,11 @@ def main():
cleanup_kdc(fstore)
upgrade_ipa_profile(krbctx.default_realm)
- changed = enable_psearch_for_named()
- if changed:
+ changed_psearch = named_enable_psearch()
+ changed_autoincrement = named_enable_serial_autoincrement()
+ if changed_psearch or changed_autoincrement:
# configuration has changed, restart the name server
+ root_logger.info('Changes to named.conf have been made, restart named')
bindinstance.BindInstance(fstore).restart()
if __name__ == '__main__':
diff --git a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1
index 9fe89ed1e..b0bdca94f 100644
--- a/install/tools/man/ipa-dns-install.1
+++ b/install/tools/man/ipa-dns-install.1
@@ -16,7 +16,7 @@
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
-.TH "ipa-dns-install" "1" "Sep 9, 2010" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-dns-install" "1" "Jun 28, 2012" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-dns\-install \- Add DNS as a service to an IPA server
.SH "SYNOPSIS"
@@ -55,6 +55,9 @@ Do not enable persistent search mechanism for updating the list of DNS zones in
\fB\-\-zone\-refresh=\fIZONE_REFRESH\fR
When set to non-zero value, persistent search zone update mechanism will be disabled and the name server will use a polling mechanism to load new DNS zones every \fIZONE_REFRESH\fR seconds.
.TP
+\fB\-\-no\-serial\-autoincrement\fR
+Do not enable SOA serial autoincrement feature. SOA serial will have to be updated automatically or other DNS features like zone transfer od DNSSEC will not function properly. This feature requires persistent search zone update mechanism.
+.TP
\fB\-U\fR, \fB\-\-unattended\fR
An unattended installation that will never prompt for user input
.SH "EXIT STATUS"
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 77d406850..61b7c669c 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -16,7 +16,7 @@
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
-.TH "ipa-server-install" "1" "Sep 5 2011" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-server-install" "1" "Jun 28 2012" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-server\-install \- Configure an IPA server
.SH "SYNOPSIS"
@@ -156,6 +156,9 @@ Do not use DNS for hostname lookup during installation
.TP
\fB\-\-no\-dns\-sshfp\fR
Do not automatically create DNS SSHFP records.
+.TP
+\fB\-\-no\-serial\-autoincrement\fR
+Do not enable SOA serial autoincrement feature. SOA serial will have to be updated automatically or other DNS features like zone transfer od DNSSEC will not function properly. This feature requires persistent search zone update mechanism.
.SS "UNINSTALL OPTIONS"
.TP