[Freeipa-devel] [PATCH 0206] Publish zones only after all LDAP events have been processed

Petr Spacek pspacek at redhat.com
Tue Nov 12 15:08:20 UTC 2013


Hello,

Publish zones only after all LDAP events have been processed.

Zones are not exposed in the _default DNS view until all events
generated before the LDAP intermediate message have been processed.

This prevents BIND from returning NXDOMAIN for some names from
a zone but NOERROR answers for other names in the same zone.
It would be pretty confusing and not easy to debug.


I use 100 zones each with 100 records for testing + I'm artificially slowing 
the link down to get more time for testing. Dig for any record from any zone 
in LDAP should return NXDOMAIN until all records and zones are loaded.

My magic recipe is attached. iptables rules mark the traffic which should be 
slowed down (all the traffic except SSH and the communication with the IP gateway) 
and the tc.sh script configures traffic control in the Linux kernel to slow it down.

-- 
Petr^2 Spacek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pspacek-0206-Publish-zones-only-after-all-LDAP-events-have-been-p.patch
Type: text/x-patch
Size: 5975 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20131112/36aaf1a4/attachment.bin>
-------------- next part --------------
# Generated by iptables-save v1.4.19.1 on Mon Nov 11 16:42:54 2013
*mangle
:PREROUTING ACCEPT [27244:1530324]
:INPUT ACCEPT [26518:1452710]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9916:468159437]
:POSTROUTING ACCEPT [6945:412550827]
# do not limit SSH
-A POSTROUTING -p tcp -m tcp --sport 22 -j ACCEPT
# do not limit gateway, DNS etc.
-A POSTROUTING -s 10.0.0.0/30 -j ACCEPT
-A POSTROUTING -d 10.0.0.0/30 -j ACCEPT
-A POSTROUTING -j MARK --set-xmark 0xb/0xffffffff
COMMIT
# Completed on Mon Nov 11 16:42:54 2013
# Generated by iptables-save v1.4.19.1 on Mon Nov 11 16:42:54 2013
*filter
:INPUT ACCEPT [27172:1503998]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10331:468208656]
COMMIT
# Completed on Mon Nov 11 16:42:54 2013
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tc.sh
Type: application/x-shellscript
Size: 844 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20131112/36aaf1a4/attachment-0001.bin>
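The attached tc.sh is scrubbed from the archive. As an added illustration (my own script, not Petr's tc.sh), the following POSIX sh shapes only the egress traffic carrying the 0xb fwmark set by the mangle rules above, leaving SSH and the gateway traffic untouched; interface name, rate and delay are placeholder values.

```shell
#!/bin/sh
# Added example, not the scrubbed tc.sh from the mail. It attaches a prio qdisc
# whose default band carries unmarked traffic at full speed and steers packets
# with fwmark 0xb (set by the iptables mangle POSTROUTING rules) into a band
# that is delayed by netem and rate-limited by tbf.
# Assumptions: IFACE, RATE and DELAY are placeholders chosen by the tester.

MARK="0xb"   # must match --set-xmark in the iptables mangle table

# tc_cmds IFACE RATE DELAY -> prints the tc commands, one per line
tc_cmds() {
    iface="$1"; rate="$2"; delay="$3"
    # 3-band prio root; priomap of all zeros sends everything to band 1:1
    echo "tc qdisc add dev $iface root handle 1: prio bands 3 priomap 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
    # fw classifier: packets whose skb mark equals $MARK go to band 1:3
    echo "tc filter add dev $iface parent 1: protocol ip prio 1 handle $MARK fw flowid 1:3"
    # netem adds fixed latency on the marked band
    echo "tc qdisc add dev $iface parent 1:3 handle 30: netem delay $delay"
    # tbf below netem caps the bandwidth of the marked band
    echo "tc qdisc add dev $iface parent 30: handle 31: tbf rate $rate burst 32kbit latency 400ms"
}

# apply_tc IFACE RATE DELAY -> runs the commands (needs root)
apply_tc() {
    tc_cmds "$1" "$2" "$3" | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd"
    done
}

# clear_tc IFACE -> removes the whole egress qdisc tree again
clear_tc() {
    tc qdisc del dev "$1" root
}

# Usage (as root): IFACE=eth0 sh tc-example.sh        # apply 256kbit / 200ms
#                  IFACE=eth0 sh tc-example.sh clear  # tear down
if [ -n "${IFACE:-}" ]; then
    if [ "${1:-}" = "clear" ]; then
        clear_tc "$IFACE"
    else
        apply_tc "$IFACE" "${RATE:-256kbit}" "${DELAY:-200ms}"
    fi
fi
```

Because the marking happens in mangle POSTROUTING, the mark is already on the skb when the egress qdisc classifies it, so the fw filter is all that is needed to pick out the slowed-down flows.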