[Freeipa-users] DNS search timeouts and incomplete results

Martin Basti mbasti at redhat.com
Tue Dec 13 17:03:08 UTC 2016


Receiving a huge list of entries is not a cheap operation, that's why 
there is a default max limit set to 100/2000 entries. You have to count 
with that. Maybe a direct AXFR from DNS may be more suitable for you, to 
get the complete list of DNS records per zone. But if you are fine with 
speed, memory and CPU consumption on the server side, there is no issue why 
dnsrecord-find shouldn't be used.

Martin


On 13.12.2016 17:47, Mike Driscoll wrote:
> Thanks Martin.  That is the cause...
>
> $ ldapsearch -D 'cn=directory manager' -W -b cn=config cn=config | grep nsslapd-sizelimit
> Enter LDAP Password:
> nsslapd-sizelimit: 2000
>
> This command results in a similar problem that only 100 of 270 record names were returned.
> $  ipa dnsrecord-find mydomain.com qa
>
> If I specify these limits, I get all 270 records as expected.
> $  ipa dnsrecord-find mydomain.com qa --sizelimit=10000 --timelimit=20
>
> I have the impression this default size limit meets most needs.  Is my approach wrong when wanting to dump the entire DNS list of records via ipa dnsrecord-find?
>
> Mike
>
>
>> On Dec 13, 2016, at 08:17, Martin Basti <mbasti at redhat.com> wrote:
>>
>> Tomas already replied to you, copying here as archives are currently offline to prevent spam
>>
>> """
>>
>> Hi,
>>
>> you seem to be hitting the size limit on LDAP side. To verify, check
>>
>> ldapsearch -D 'cn=directory manager' -W -b cn=config cn=config | grep nsslapd-sizelimit
>>
>> If you really need to increase this size limit, you will have to modify the nsslapd-sizelimit in cn=config.
>>
>> """
>>
>> Martin
>>
>>
>> On 13.12.2016 17:06, Mike Driscoll wrote:
>>> Any thoughts about this sizelimit bug?
>>>
>>> Mike
>>>
>>>
>>>
>>>> On Nov 28, 2016, at 14:44, Mike Driscoll <mike.driscoll at oracle.com> wrote:
>>>>
>>>> I'm running:
>>>> # rpm -qa | grep ipa-server
>>>> ipa-server-4.4.0-12.0.1.el7.x86_64
>>>> ipa-server-dns-4.4.0-12.0.1.el7.noarch
>>>> ipa-server-common-4.4.0-12.0.1.el7.noarch
>>>>
>>>> Searching DNS for all hostnames containing "qa" times out in the GUI.  Setting aside the option to change server defaults, this cli command isn't giving me the content I need:
>>>>
>>>> # ipa dnsrecord-find mydomain.com --sizelimit=10000 --timelimit=20 | grep qa
>>>> ipa: WARNING: Search result has been truncated: Configured size limit exceeded
>>>>
>>>> It seems like the sizelimit parameter greater than two thousand is being ignored:
>>>>
>>>> # ipa dnsrecord-find mydomain.com --sizelimit=1900 --timelimit=20
>>>> ...
>>>> -------------------------------
>>>> Number of entries returned 1900
>>>> -------------------------------
>>>>
>>>> # ipa dnsrecord-find mydomain.com --sizelimit=2100 --timelimit=20
>>>> ...
>>>> -------------------------------
>>>> Number of entries returned 2000
>>>> -------------------------------
>>>>
>>>> Any suggestions?
>>>>
>>>> Mike
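
Added example (not part of the thread and not FreeIPA's own code): a shell helper that classifies captured `ipa dnsrecord-find` output as truncated, at-limit or complete, using the warning text and the summary line quoted in the messages above. The function names and sample outputs are constructed for illustration; it assumes the caller passes the value read from nsslapd-sizelimit and captures the command with `2>&1`, since the warning appears to be written to stderr.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: classify captured `ipa dnsrecord-find`
# output so a script does not silently work on a truncated record list.

# Constructed samples modelled on the output quoted in the thread.
SAMPLE_WARNED='ipa: WARNING: Search result has been truncated: Configured size limit exceeded'
SAMPLE_CAPPED='-------------------------------
Number of entries returned 2000
-------------------------------'
SAMPLE_FULL='------------------------------
Number of entries returned 270
------------------------------'

# Print N from the last "Number of entries returned N" line on stdin.
entries_returned() {
    sed -n 's/^[[:space:]]*Number of entries returned \([0-9][0-9]*\)[[:space:]]*$/\1/p' | tail -n 1
}

# Usage: <captured output> | find_result_status REQUESTED_SIZELIMIT NSSLAPD_SIZELIMIT
# Prints: truncated | at-limit | complete | unknown
find_result_status() {
    local requested=$1 server_limit=$2 output count cap
    output=$(cat)
    # Explicit warning from the client: the result is definitely incomplete.
    if printf '%s\n' "$output" | grep -q 'Search result has been truncated'; then
        echo truncated
        return 0
    fi
    count=$(printf '%s\n' "$output" | entries_returned)
    if [ -z "$count" ]; then
        echo unknown
        return 0
    fi
    # Effective cap is the smaller of the requested and the server-side limit,
    # matching the 2100 -> 2000 behaviour shown in the thread.
    cap=$requested
    if [ "$server_limit" -lt "$cap" ]; then cap=$server_limit; fi
    # Reaching the cap exactly means more entries may exist than were returned.
    if [ "$count" -ge "$cap" ]; then echo at-limit; else echo complete; fi
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_CAPPED" | find_result_status 2100 2000   # at-limit
printf '%s\n' "$SAMPLE_FULL"   | find_result_status 10000 2000  # complete
```

A result of `at-limit` is a heuristic: the count reached the effective cap, so the list should be treated as possibly incomplete until re-run with a higher limit or cross-checked against a zone transfer.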
