[Freeipa-users] BIND named.conf

Petr Spacek pspacek at redhat.com
Mon Jul 16 08:03:54 UTC 2012


Hello,

AFAIK there were some issues with IXFR till BIND 8.2.3, but BIND 9 should work 
well with dynamic update and IXFR.

Combining IXFR with a manual change to the zone text file needs special attention 
(for dynamic zones):
You need to run rndc freeze && "modify zone" && rndc thaw. If you have 
"ixfr-from-differences yes" configured in /etc/named.conf, then IXFR should work.

This detail should be the only "hard part", if I didn't miss something.

Petr^2 Spacek


On 07/16/2012 01:31 AM, david wrote:
>
> One thing to be aware of, you may see some performance hits if the master
> for that zone is set up for dynamic updates. A dynamic zone cannot send IXFR
> and so any time the slave receives notification, he will ask for an IXFR and
> will instead receive an AXFR. If the zones are small, this is not a big
> deal, but with a busy dynamic zone with a hundred thousand records and just a
> couple of slaves (6 in the case I am thinking of), the master server was
> brought to its knees just from zone transfers. As you can imagine, this is
> also extremely stressful on the slave servers, receiving and processing the
> full AXFR every time there is a single record change. If your master for
> myzone.tld uses standard BIND zone files, then this is not a big deal.
>
>
>   -DTK
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Michael Mercier
> Sent: Friday, July 13, 2012 8:21 PM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] BIND named.conf
>
> I will try to be more clear...
>
> My IPA zone is named intranet.local running on ipaserver1 and ipaserver2.
> I have another zone (call it "myzone.tld") hosted on some other systems.  I
> would like ipaserver1 and ipaserver2 to both be a slave for this zone (not
> use a forwarder for the zone).
>
> Considering that ipaserver1 and ipaserver2 use the dynamic-db entry in
> named.conf, is there anything that I should be concerned about if I were to
> add:
>
> zone "myzone.tld" {
>        type slave;
>        file "slave/myzone.db";
>        masters { u.x.y.z;  w.x.y.z; };
>        allow-notify { u.x.y.z;  w.x.y.z; };
>        also-notify { ipaserver2; };
> };
>
> to ipaserver1?
>
> I had considered adding the zone via 'ipa dnszone-add
> ipaserver1.intranet.local' but I did not find anything specific in the
> documentation describing how to configure the new zone as a slave of another
> system.  Also, the number of entries in the zone is large and there are
> many updates per day, and I was uncertain of the type of performance I could
> expect.
>
> Thanks,
> Mike
> On 13-Jul-12, at 7:10 PM, Dmitri Pal wrote:
>
>> On 07/13/2012 07:04 PM, Michael Mercier wrote:
>>> Hello,
>>>
>>> I am by no means an expert either, but I believe what you are
>>> recommending would forward requests for "myzone.tld" to the
>>> ip.of.forwarder1 etc.
>>> I want ipaserver1 to actually be a slave (do AXFR / IXFR -- hold all
>>> the data) of "myzone.tld", and have ipaserver2 slave this data from
>>> ipaserver1.
>>>
>>
>> The replicas in IPA do not need to be specially configured to be
>> slaves of each other. They have the same data, which is replicated by
>> the LDAP back end, so it is not clear why you are trying to configure the
>> replicas to be in a master-slave relation.
>>
>>
>>> Thanks,
>>> Mike
>>>
>>> On 13-Jul-12, at 5:11 PM, KodaK wrote:
>>>
>>>> On Fri, Jul 13, 2012 at 3:13 PM, Michael Mercier
>>>> <mmercier at gmail.com>
>>>> wrote:
>>>>> Hello,
>>>>>
>>>>> When using IPA 2.2.0 with DNS setup (--setup-dns), are there any
>>>>> issues with adding slaves to the named.conf file?
>>>>>
>>>>> example on ipaserver1:
>>>>>
>>>>> zone "myzone.tld" {
>>>>>        type slave;
>>>>>        file "slave/myzone.db";
>>>>>        masters { u.x.y.z;  w.x.y.z; };
>>>>>        allow-notify { u.x.y.z;  w.x.y.z; };
>>>>>        also-notify { ipaserver2; };
>>>>> };
>>>>
>>>>
>>>> I'm no expert, but I think you'd want to use the command line option
>>>> dnsconfig-mod:
>>>>
>>>> ipa dnsconfig-mod --forwarder=ip.of.forwarder1;ip.of.forwarder2
>>>> myzone.tld
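Added example, not from the thread and not FreeIPA or BIND code: a small Python linter for named.conf snippets that flags what a reviewer would flag in the quoted slave-zone stanza (the dropped ';' after the file statement, the hostname in also-notify where BIND expects an address) and the absence of the "ixfr-from-differences yes" option that Petr recommends for IXFR on dynamic zones. The sample configuration is constructed; 192.0.2.x are documentation addresses.

```python
import ipaddress
import re
# Token classes: quoted string, punctuation, the three BIND comment styles, bare word.
TOKEN_RE = re.compile(r'"[^"]*"|[{};]|//[^\n]*|#[^\n]*|/\*.*?\*/|[^\s{};"]+', re.S)
# Statement-opening keywords: one showing up mid-statement means the ';' before it was dropped.
KEYWORDS = {"options", "zone", "type", "file", "masters", "allow-notify",
            "also-notify", "forwarders", "dynamic-db", "ixfr-from-differences"}

def parse(it, issues):
    """Consume tokens up to the matching '}' (or EOF); return [(words, nested_block_or_None)]."""
    stmts, words, sub = [], [], None
    for tok in it:
        if tok == "{":
            sub = parse(it, issues)
        elif tok == ";":
            stmts.append((words, sub)); words, sub = [], None
        elif tok == "}":
            break
        else:
            if words and (sub is not None or tok in KEYWORDS):  # next statement began without ';'
                issues.append("missing ';' before %r (after %r)" % (tok, words[-1]))
                stmts.append((words, sub)); words, sub = [], None
            words.append(tok)
    if words or sub is not None:  # statement ran into '}' or EOF without its ';'
        issues.append("missing ';' after %r" % (words[-1] if words else "}"))
        stmts.append((words, sub))
    return stmts

def lint(text):
    """Return the problems found in a named.conf snippet (empty list if clean)."""
    issues = []
    stmts = parse((t for t in TOKEN_RE.findall(text) if not t.startswith(("//", "#", "/*"))), issues)
    options = next((b for w, b in stmts if w[:1] == ["options"]), None) or []
    if ["ixfr-from-differences", "yes"] not in [w for w, _ in options]:  # may also sit in a view or zone
        issues.append("options: no 'ixfr-from-differences yes;' (needed for IXFR on dynamic zones)")
    for words, body in stmts:
        if words[:1] != ["zone"] or not body:
            continue
        for w, items in body:  # masters/also-notify take IP addresses (named masters lists not handled)
            for entry, _ in (items or []) if w and w[0] in ("masters", "also-notify") else []:
                try:
                    ipaddress.ip_address(entry[0] if entry else "")
                except ValueError:
                    issues.append("zone %s: %s entry %r is not an IP address" % (words[1].strip('"'), w[0], " ".join(entry)))
    return issues

# Constructed sample mirroring the quoted stanza: no ';' after file, hostname in also-notify.
BROKEN = '''zone "myzone.tld" { type slave; file "slave/myzone.db"
  masters { 192.0.2.10; 192.0.2.11; }; also-notify { ipaserver2 }; };'''
print(*lint(BROKEN), sep="\n")
```

Run the same check on the corrected stanza plus an options block carrying ixfr-from-differences and the list comes back empty.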