On 07/04/2012 04:03 AM, Josh Becigneul wrote:
> Hi All,
> 
> I'd like to get some opinions on using the DNS component of freeIPA to manage
> dns zones not necessarily associated with the freeIPA realm.
> 
> My thinking is to use it as a hidden master to a pre-existing group of
> authoritative systems, so one thing I'm curious about is: is there a
> theoretical (or real) limit on the number of zones it can handle? Is there a
> limit to the number of records in a zone?

There are no built-in limits. Records are internally stored in a red-black tree (in a similar way as BIND does it), so memory should be the only limiting factor.

> I would think that this may depend
> on the performance of the 389 directory service.

It depends. The bind-dyndb-ldap plugin (the BIND<->LDAP interface) can work in two modes: normal and persistent search.

In "normal mode" (i.e. with persistent search disabled) each record is loaded from the DS on demand, i.e. when some client asks for it. In this case DS performance can be the limiting factor. (The plugin has a built-in cache; the cache TTL can be tweaked by the cache_ttl parameter in /etc/named.conf.)

In "persistent search mode" the whole database from the DS is transferred to the bind-dyndb-ldap cache and all searches are done in local memory. It consumes some memory, but this approach saves the DS work. Each change in the DS is incrementally transferred to bind-dyndb-ldap, so all changes should be visible immediately.

The current code doesn't contain a lot of performance optimizations, but nobody has reported performance problems.


> Is it possible to import existing zones? Would this be possible with zone
> transfers or would we have to convert the zone files to an LDIF?

You need to convert existing zones to LDIF. We don't have a tool for this task; please see ticket https://fedorahosted.org/bind-dyndb-ldap/ticket/76.

It should be relatively simple to write this tool (see the comments in the ticket). If you are going to write it, please consider contributing it back to upstream.


The current plugin doesn't have the full power of BIND. DNS views are not supported and zone-specific settings are limited. AXFR zone transfers are supported; the SOA serial number auto-increment feature will be in the 3.0 release (it is not present in 3.0 beta 1).

Petr^2 Spacek

> Josh Becigneul
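The zone-file-to-LDIF conversion discussed in the thread above, as an added example that is not part of the thread and is not the tool requested in ticket 76. It assumes a container DN of cn=dns,dc=example,dc=com, the idnsZone/idnsRecord attribute names of the bind-dyndb-ldap schema as I know them (idnsName, idnsSOAmName, idnsSOArName, aRecord, nSRecord, mXRecord, dNSTTL and so on; verify them against the schema shipped with your plugin version before importing), a simplified zone-file grammar (one RR per line, class IN, parentheses only around the SOA), and a constructed sample zone; every function name is mine.

```python
"""Convert a simple BIND master zone file into LDIF for bind-dyndb-ldap.
Assumed (not from the thread): one RR per line (SOA may use parentheses),
class IN, and the bind-dyndb-ldap layout of one idnsZone entry per zone
(apex records on it) plus one idnsRecord entry per other owner name."""

# RR type -> LDAP attribute in the bind-dyndb-ldap schema (assumed; verify)
RR_ATTR = {"A": "aRecord", "AAAA": "aAAARecord", "NS": "nSRecord", "CNAME": "cNAMERecord",
           "MX": "mXRecord", "PTR": "pTRRecord", "TXT": "tXTRecord"}

def logical_lines(text):
    """Strip ';' comments and fold '( ... )' continuations (the SOA) into one line."""
    lines, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]          # no handling of ';' inside quoted TXT
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            lines.append(" ".join(buf))
            buf = []
    return lines

def fqdn(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, zone):
    """Return (soa dict, $TTL default, {owner fqdn: [(type, rdata, ttl), ...]})."""
    origin = zone.rstrip(".") + "."
    default_ttl, owner, soa, records = None, origin, None, {}
    for line in logical_lines(text):
        toks = line.split()
        if not toks:
            continue
        if toks[0] == "$ORIGIN":
            origin = fqdn(toks[1], origin)
            continue
        if toks[0] == "$TTL":
            default_ttl = int(toks[1])
            continue
        if not line[0].isspace():            # new owner name; otherwise inherited
            owner = fqdn(toks.pop(0), origin)
        ttl = int(toks.pop(0)) if toks[0].isdigit() else None
        toks = toks[1:] if toks[0].upper() == "IN" else toks   # optional class
        rtype, rdata = toks[0].upper(), toks[1:]
        if rtype == "SOA":
            keys = ("mName", "rName", "serial", "refresh", "retry", "expire", "minimum")
            soa = dict(zip(keys, rdata))
            soa["mName"], soa["rName"] = fqdn(soa["mName"], origin), fqdn(soa["rName"], origin)
        elif rtype in RR_ATTR:
            if rtype in ("NS", "CNAME", "PTR", "MX"):   # qualify the target name
                rdata[-1] = fqdn(rdata[-1], origin)
            records.setdefault(owner, []).append((rtype, " ".join(rdata), ttl))
        else:
            raise ValueError(f"unsupported record type {rtype!r} at {owner}")
    return soa, default_ttl, records

def zone_to_entries(zone, text, container="cn=dns,dc=example,dc=com"):
    """Build [(dn, [(attr, value), ...]), ...]; the zone apex entry comes first."""
    soa, default_ttl, records = parse_zone(text, zone)
    assert soa, "zone file has no SOA record"
    zone_fqdn = zone.rstrip(".") + "."
    zone_dn = f"idnsName={zone_fqdn.rstrip('.')},{container}"
    apex = [("objectClass", "top"), ("objectClass", "idnsZone"),
            ("objectClass", "idnsRecord"), ("idnsName", zone_fqdn.rstrip(".")),
            ("idnsZoneActive", "TRUE")] + [(f"idnsSOA{k}", soa[k]) for k in
            ("mName", "rName", "serial", "refresh", "retry", "expire", "minimum")]
    entries = [(zone_dn, apex)]
    for owner, rrs in records.items():
        if owner == zone_fqdn:
            attrs = apex
        else:
            assert owner.endswith("." + zone_fqdn), f"{owner} is outside {zone_fqdn}"
            rel = owner[:-len(zone_fqdn) - 1]
            attrs = [("objectClass", "top"), ("objectClass", "idnsRecord"), ("idnsName", rel)]
            entries.append((f"idnsName={rel},{zone_dn}", attrs))
            # One dNSTTL per entry here: first explicit RR TTL, else the $TTL default.
            explicit = [t for _, _, t in rrs if t is not None]
            if explicit or default_ttl is not None:
                attrs.append(("dNSTTL", str(explicit[0] if explicit else default_ttl)))
        attrs += [(RR_ATTR[rtype], rdata) for rtype, rdata, _ in rrs]
    return entries

def format_ldif(entries):
    """Serialize as LDIF text (values assumed printable ASCII, so no base64)."""
    return "\n\n".join("\n".join([f"dn: {dn}"] + [f"{a}: {v}" for a, v in attrs])
                       for dn, attrs in entries) + "\n"

# Constructed sample zone using documentation addresses; not data from the thread.
SAMPLE_ZONE = """$ORIGIN example.com.
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. (
            2012070401 ; serial
            7200 3600 1209600 300 )
        IN NS   ns1
ns1     IN A    192.0.2.53
www 300 IN A    192.0.2.80
mail    IN MX   10 mx
"""
```

To use it on a real file, call `format_ldif(zone_to_entries("example.com", open(path).read()))` and feed the output to ldapadd against the DS that bind-dyndb-ldap reads; with persistent search enabled the new entries should appear in named without a restart. Known gaps, deliberately left out to keep it short: base64 encoding of non-printable values, a ';' inside a quoted TXT string, $INCLUDE and $GENERATE, and record types outside RR_ATTR (the converter raises on those rather than silently dropping them, so nothing goes missing from the zone unnoticed).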

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
