One thing to be aware of, you may see some performance hits if the master
for that zone is setup for dynamic updates. A dynamic zone cannot send IXFR
and so any time the slave receives notification, he will ask for an IXFR and
will instead receive an AXFR. If the zones are small, this is not a big
deal, but a busy dynamic zone with a hundred thousand records with just a
couple of slaves (6 in the case I am thinking of), the master server was
brought to his knees just from zone transfers. As you can imagine, this is
also extremely stressful on the slave servers, receiving and processing the
full AXFR every time there is a single record change. If your master for
myzone.tld uses standard bind zone files, then this is not a big deal. 


-----Original Message-----
[] On Behalf Of Michael Mercier
Sent: Friday, July 13, 2012 8:21 PM
Subject: Re: [Freeipa-users] BIND named.conf

I will try to be more clear...

My IPA zone is named intranet.local running on ipaserver1 and ipaserver2.
I have another zone (call it "myzone.tld") hosted on some other systems.  I
would like ipaserver1 and ipaserver2 to both be a slave for this zone (not
use a forwarder for the zone).

Considering that ipaserver1 and ipaserver2 use the dynamic-db entry in
named.conf, is there anything that I should be concerned about if I were to

zone "myzone.tld" {
      type slave;
      file "slave/myzone.db"
      masters { u.x.y.z;  w.x.y.z; };
      allow-notify { u.x.y.z;  w.x.y.z; };
      also-notify { ipaserver2 };

to ipaserver1?

I had considered adding the zone via 'ipa dnszone-add
ipaserver1.intranet.local' but I did not find anything specific in the
documentation describing how to configure the new zone as a slave of another
system.  Also, the number of entries in the zone is large and there are a
many updates per day and I was uncertain of the type of performance I could

On 13-Jul-12, at 7:10 PM, Dmitri Pal wrote:

> On 07/13/2012 07:04 PM, Michael Mercier wrote:
>> Hello,
>> I am by no means an expert either, but I believe what you are 
>> recommending would forward requests for "myzone.tld" to the
>> ip.of.forwarder1 etc.
>> I want ipaserver1 to actually be a slave (do AXFR / IXFR -- hold all 
>> the data) of "myzone.tld", and have ipaserver2 slave this data from 
>> ipaserver1.
> The replicas in IPA do not need to be specially configured to be 
> slaves of each other. They have the same data which is replicated by 
> LDAP back end so it is not clear why you are trying to configure the 
> replicas to be in master-slave relation.
>> Thanks,
>> Mike
>> On 13-Jul-12, at 5:11 PM, KodaK wrote:
>>> On Fri, Jul 13, 2012 at 3:13 PM, Michael Mercier 
>>> <>
>>> wrote:
>>>> Hello,
>>>> When using IPA 2.2.0 with DNS setup (--setup-dns), is there any 
>>>> issues with adding slaves to the named.conf file?
>>>> example on ipaserver1:
>>>> zone "myzone.tld" {
>>>>       type slave;
>>>>       file "slave/myzone.db"
>>>>       masters { u.x.y.z;  w.x.y.z; };
>>>>       allow-notify { u.x.y.z;  w.x.y.z; };
>>>>       also-notify { ipaserver2 };
>>>> };
>>> I'm no expert, but I think you'd want to use the command line option
>>> dnsconfig-mod:
>>> ipa dnsconfig-mod --forwarder=ip.of.forwarder1;ip.of.forwarder2
>>> myzone.tld
>>> --
>>> The government is going to read our mail anyway, might as well make 
>>> it tough for them.  GPG Public key ID:  B6A1A7C6
>> _______________________________________________
>> Freeipa-users mailing list
> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager for IdM portfolio Red Hat Inc.
> -------------------------------
> Looking to carve out IT costs?
> _______________________________________________
> Freeipa-users mailing list

Freeipa-users mailing list

Freeipa-users mailing list

Reply via email to