AFAIK there were some issues with IXFR until BIND 8.2.3, but BIND 9 should work well with dynamic update and IXFR.

The combination of IXFR and manual changes to the zone text file needs special attention (for dynamic zones): you need to run rndc freeze && "modify zone" && rndc thaw. If you have "ixfr-from-differences yes" configured in /etc/named.conf, then IXFR should work.

This detail should be the only "hard part", if I didn't miss something.

Petr^2 Spacek
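
The freeze / modify / thaw procedure from the reply above as a script, added here as an example; it is not code from the thread, from FreeIPA or from BIND. The step the reply leaves implicit is that the manual edit must raise the SOA serial: on thaw named reloads the file and, with "ixfr-from-differences yes", journals the difference, but slaves only ask for a transfer when the serial they see in NOTIFY/SOA is higher than their own. The zone and file names, the YYYYMMDDnn serial scheme and the sample zone file are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): bump the SOA serial of a zone file
# inside an "rndc freeze / edit / rndc thaw" cycle on a dynamic zone.
# Assumptions: standard SOA record with the serial as the first all-digit
# field after the "SOA" keyword; zone/file names below are placeholders.

# next_serial CURRENT TODAY -> prints the next YYYYMMDDnn-style serial.
# If CURRENT is already in (or past) today's range, add one so the serial
# never goes backwards; otherwise start today's sequence at 01.
next_serial() {
    cur=$1
    base=$(( $2 * 100 ))
    if [ "$cur" -ge "$base" ]; then
        echo $(( cur + 1 ))
    else
        echo $(( base + 1 ))
    fi
}

# get_serial FILE -> prints the current SOA serial (first all-digit field
# after "SOA", which may sit on a later line of a multi-line SOA).
get_serial() {
    awk '{ for (i = 1; i <= NF; i++) {
               if (seen && $i ~ /^[0-9]+$/) { print $i; exit }
               if ($i == "SOA") seen = 1 } }' "$1"
}

# bump_serial FILE TODAY -> rewrites FILE in place with the next serial
# and prints the new serial.
bump_serial() {
    file=$1
    new=$(next_serial "$(get_serial "$file")" "$2")
    awk -v new="$new" '{ for (i = 1; i <= NF; i++) {
               if (seen && !done && $i ~ /^[0-9]+$/) { $i = new; done = 1; break }
               if ($i == "SOA") seen = 1 }
           print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    echo "$new"
}

# freeze_edit_thaw ZONE FILE [TODAY] -> freeze the dynamic zone so named stops
# writing its journal, edit the text file (only the serial bump here; record
# edits go in the same window), verify, then thaw so named reloads the file
# and journals the difference for IXFR. Needs rndc/named-checkzone; not run
# by the stand-alone demo below.
freeze_edit_thaw() {
    zone=$1; file=$2; today=${3:-$(date +%Y%m%d)}
    rndc freeze "$zone" || return 1
    cp "$file" "$file.bak"
    bump_serial "$file" "$today" >/dev/null
    if named-checkzone -q "$zone" "$file"; then
        rndc thaw "$zone"
    else
        mv "$file.bak" "$file"       # never hand named a broken file
        rndc thaw "$zone"
        return 1
    fi
}

# Constructed sample zone file for the demo (not from the thread).
write_sample_zone() {
    printf '%s\n' \
        '$ORIGIN myzone.tld.' \
        '$TTL 3600' \
        '@ 3600 IN SOA ns1.myzone.tld. hostmaster.myzone.tld. (' \
        '        2012071601 ; serial' \
        '        3600       ; refresh' \
        '        900        ; retry' \
        '        604800     ; expire' \
        '        86400 )    ; minimum' \
        '    IN NS ns1.myzone.tld.' \
        'www IN A 192.0.2.10' > "$1"
}

demo() {
    f=$(mktemp)
    write_sample_zone "$f"
    echo "before: $(get_serial "$f")"
    echo "after:  $(bump_serial "$f" 20120716)"
    rm -f "$f"
}
demo
```

Run it as-is to see the serial bump on the sample file; on a real server call `freeze_edit_thaw myzone.tld /var/named/dynamic/myzone.db` (paths assumed) and put the actual record edits between the freeze and the check.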

On 07/16/2012 01:31 AM, david wrote:

One thing to be aware of: you may see some performance hits if the master
for that zone is set up for dynamic updates. A dynamic zone cannot send IXFR,
and so any time the slave receives a notification, it will ask for an IXFR and
will instead receive an AXFR. If the zones are small, this is not a big
deal, but with a busy dynamic zone with a hundred thousand records and just a
couple of slaves (6 in the case I am thinking of), the master server was
brought to its knees just from zone transfers. As you can imagine, this is
also extremely stressful on the slave servers, receiving and processing the
full AXFR every time there is a single record change. If your master for
myzone.tld uses standard BIND zone files, then this is not a big deal.


-----Original Message-----
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Michael Mercier
Sent: Friday, July 13, 2012 8:21 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] BIND named.conf

I will try to be more clear...

My IPA zone is named intranet.local running on ipaserver1 and ipaserver2.
I have another zone (call it "myzone.tld") hosted on some other systems.  I
would like ipaserver1 and ipaserver2 to both be a slave for this zone (not
use a forwarder for the zone).

Considering that ipaserver1 and ipaserver2 use the dynamic-db entry in
named.conf, is there anything that I should be concerned about if I were to add

zone "myzone.tld" {
       type slave;
       file "slave/myzone.db";
       masters { u.x.y.z;  w.x.y.z; };
       allow-notify { u.x.y.z;  w.x.y.z; };
       also-notify { ipaserver2; };
};

to ipaserver1?

I had considered adding the zone via 'ipa dnszone-add
ipaserver1.intranet.local' but I did not find anything specific in the
documentation describing how to configure the new zone as a slave of another
system.  Also, the number of entries in the zone is large and there are
many updates per day and I was uncertain of the type of performance I could
On 13-Jul-12, at 7:10 PM, Dmitri Pal wrote:

On 07/13/2012 07:04 PM, Michael Mercier wrote:

I am by no means an expert either, but I believe what you are
recommending would forward requests for "myzone.tld" to
ip.of.forwarder1 etc.
I want ipaserver1 to actually be a slave (do AXFR / IXFR -- hold all
the data) of "myzone.tld", and have ipaserver2 slave this data from

The replicas in IPA do not need to be specially configured to be
slaves of each other. They have the same data which is replicated by
LDAP back end so it is not clear why you are trying to configure the
replicas to be in master-slave relation.


On 13-Jul-12, at 5:11 PM, KodaK wrote:

On Fri, Jul 13, 2012 at 3:13 PM, Michael Mercier

When using IPA 2.2.0 with DNS setup (--setup-dns), are there any
issues with adding slave zones to the named.conf file?

example on ipaserver1:

zone "myzone.tld" {
       type slave;
       file "slave/myzone.db";
       masters { u.x.y.z;  w.x.y.z; };
       allow-notify { u.x.y.z;  w.x.y.z; };
       also-notify { ipaserver2; };
};

I'm no expert, but I think you'd want to use the command line option

ipa dnsconfig-mod --forwarder=ip.of.forwarder1 --forwarder=ip.of.forwarder2
