Univention Bugzilla – Bug 56899
inconsistent DNS data in AXFR requests
Last modified: 2024-01-26 18:34:31 CET
I wrote a tool to utilize the REST API to do ACME DNS-01 challenges. While doing this I recognized a strange behavior that is reproducible.

After creating or removing DNS records I'm doing an AXFR request to transfer the zone to another DNS server. This is triggered by a univention-directory-listener. I recognized that the data in the AXFR response is not correct. The SOA serial number is already increased, but the content has not changed. If I'm doing the AXFR request again a few seconds later, the content has changed, but the serial number is still the same. This should never happen, as the SOA serial number should be a responsible source for changes.

The bug can lead to inconsistent DNS records between multiple DNS servers while they are thinking their data is consistent, which can be critical. The DNS backend is Samba.

Does anyone with more knowledge about the topic have a clue where the problem could come from? Is the SOA serial number increased first and the zone content changed later? Then I think it should be the other way round. Is this done by Univention or by Samba?

I will try to provide a minimal working example for this bug as soon as possible, but maybe this is not necessary at all.
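
A secondary-side check for the symptom described in the report, as an added example that is not part of the original report or of Univention's or Samba's code: it compares two AXFR responses in dig-style text format and flags content that changed under an unchanged SOA serial. The zone name, records, serial values and function names are constructed for illustration.

```python
import hashlib

def parse_axfr(text):
    """Return (soa_serial, sha256 of all non-SOA records) for dig-style AXFR text."""
    serial, records = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and dig comment lines
        name, ttl, rclass, rtype, rdata = line.split(None, 4)
        if rtype.upper() == "SOA":
            # SOA rdata: mname rname serial refresh retry expire minimum
            serial = int(rdata.split()[2])
            continue
        # Owner names are case-insensitive; rdata (e.g. TXT tokens) is not.
        records.append((name.lower(), int(ttl), rclass.upper(), rtype.upper(), rdata))
    if serial is None:
        raise ValueError("no SOA record in transfer")
    canonical = "\n".join(repr(r) for r in sorted(records))
    return serial, hashlib.sha256(canonical.encode()).hexdigest()

def compare_transfers(before, after):
    """Classify two successive transfers of the same zone."""
    s1, d1 = parse_axfr(before)
    s2, d2 = parse_axfr(after)
    if s1 == s2 and d1 != d2:
        # Secondaries that already hold this serial will never pick up the change.
        return "content-changed-serial-unchanged"
    if s1 != s2 and d1 == d2:
        # Harmless alone, but the first half of the sequence in the report.
        return "serial-changed-content-unchanged"
    return "consistent"

def snapshot(serial, extra=""):
    """Constructed sample AXFR output for the made-up zone example.test."""
    soa = f"example.test. 3600 IN SOA ns1.example.test. admin.example.test. {serial} 3600 900 604800 3600\n"
    body = "example.test. 3600 IN NS ns1.example.test.\nns1.example.test. 3600 IN A 192.0.2.1\n"
    return soa + body + extra + soa  # AXFR starts and ends with the SOA

TXT = '_acme-challenge.example.test. 60 IN TXT "constructed-token-value"\n'
T0 = snapshot(10)        # before the record is created
T1 = snapshot(11)        # serial bumped, content still old
T2 = snapshot(11, TXT)   # seconds later: content new, serial the same

if __name__ == "__main__":
    print(compare_transfers(T0, T1))
    print(compare_transfers(T1, T2))
```

A secondary that transferred at T1 sees serial 11 again at T2 and skips the refresh, so a digest comparison like this is what reveals the stale zone.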