[Freeipa-users] FreeIPA DNS manager

Petr Spacek pspacek at redhat.com
Wed Jul 4 08:32:08 UTC 2012 

On 07/04/2012 04:03 AM, Josh Becigneul wrote:
> Hi All,
>
> I'd like to get some opinions on using the DNS component of freeIPA to manage
> dns zones not necessarily associated with the freeIPA realm.
>
> My thinking is to use it as a hidden master to a pre-existing group of
> authoritative systems, so one thing I'm curious about is is there a
> theoretical (or real) limit on the number of zones it can handle? Is there a
> limit to the number of records in a zone?
There are no built-in limits. Records are internally stored in Red-Black tree 
(in similar way as BIND does it) so memory should be only limiting factor.

 > I would think that this may depend
> on the performance of the 389 directory service.
It depends. Bind-dyndb-ldap plugin (BIND<->LDAP interface) can work in two 
modes - normal and persistent search.

In "normal mode" (i.e. with persistent search disabled) each record is loaded 
from DS on demand - if some client asks for it. In this case DS performance 
can be limiting factor. (Plugin has built-in cache, cache TTL can be tweaked 
by cache_ttl parameter in /etc/named.conf.)

In "persistent search mode" whole database from DS is transferred to 
bind-dyndb-ldap cache and all searches are done inside local memory. It 
consumes some memory, but this approach saves DS work.
Each change in DS is incrementally transferred to bind-dyndb-ldap, so all 
changes should be visible immediately.

Current code doesn't contain a lot of performance optimizations, but nobody 
reported performance problems.


> Is it possible to import existing zones? Would this be possible with zone
> transfers or would we have to convert the zone files to an LDIF?
You need to convert existing zones to LDIF. We don't have tool for this task, 
please see ticket https://fedorahosted.org/bind-dyndb-ldap/ticket/76.

It should be relatively simple write this tool (see comments in the ticket). 
If you are going to write it, please consider contribution back to upstream.


Current plugin doesn't have full power of BIND. DNS views are not supported 
and settings specific to zones are limited.
AXFR Zone transfers are supported, SOA serial number auto-incrementation 
feature will be in 3.0 release (it is not present in 3.0 beta 1).

Petr^2 Spacek

> Josh Becigneul

More information about the Freeipa-users mailing list