Sorry, I was unclear. The problem is not dynamic in terms of "nsupdate"
versus manually editing zonefiles, but rather backed by a dynamic source,
such as a database, directory, etc. For a DLZ-backed zone, there is no
straightforward way for the server responding to the IXFR request to know
which records are new with certainty, so he just ships out the whole zone.
Last time I saw this was on a BIND9+DLZ+database solution. 


-----Original Message-----
[] On Behalf Of Petr Spacek
Sent: Monday, July 16, 2012 3:04 AM
Subject: Re: [Freeipa-users] BIND named.conf


AFAIK there were some issues with IXFR till BIND 8.2.3, but BIND 9 should
work with Dynamic update and IXFR well.

Combination of IXFR & manual change to zone text file needs special
attention (for dynamic zones):
You need to run rndc freeze && "modify zone" && rndc thaw. If you have
"ixfr-from-differences yes" configured in /etc/named.conf, then IXFR should

This detail should be the only "hard part", if I didn't miss something.

Petr^2 Spacek

On 07/16/2012 01:31 AM, david wrote:
> One thing to be aware of, you may see some performance hits if the 
> master for that zone is setup for dynamic updates. A dynamic zone 
> cannot send IXFR and so any time the slave receives notification, he 
> will ask for an IXFR and will instead receive an AXFR. If the zones 
> are small, this is not a big deal, but a busy dynamic zone with a 
> hundred thousand records with just a couple of slaves (6 in the case I 
> am thinking of), the master server was brought to his knees just from 
> zone transfers. As you can imagine, this is also extremely stressful 
> on the slave servers, receiving and processing the full AXFR every 
> time there is a single record change. If your master for myzone.tld uses
> standard bind zone files, then this is not a big deal.
>   -DTK
> -----Original Message-----
> From: 
> [] On Behalf Of Michael Mercier
> Sent: Friday, July 13, 2012 8:21 PM
> To:
> Subject: Re: [Freeipa-users] BIND named.conf
> I will try to be more clear...
> My IPA zone is named intranet.local running on ipaserver1 and ipaserver2.
> I have another zone (call it "myzone.tld") hosted on some other 
> systems.  I would like ipaserver1 and ipaserver2 to both be a slave 
> for this zone (not use a forwarder for the zone).
> Considering that ipaserver1 and ipaserver2 use the dynamic-db entry in 
> named.conf, is there anything that I should be concerned about if I 
> were to add:
> zone "myzone.tld" {
>        type slave;
>        file "slave/myzone.db";
>        masters { u.x.y.z;  w.x.y.z; };
>        allow-notify { u.x.y.z;  w.x.y.z; };
>        also-notify { ipaserver2 };
> };
> to ipaserver1?
> I had considered adding the zone via 'ipa dnszone-add 
> ipaserver1.intranet.local' but I did not find anything specific in the 
> documentation describing how to configure the new zone as a slave of 
> another system.  Also, the number of entries in the zone is large and 
> there are a many updates per day and I was uncertain of the type of 
> performance I could expect.
> Thanks,
> Mike
> On 13-Jul-12, at 7:10 PM, Dmitri Pal wrote:
>> On 07/13/2012 07:04 PM, Michael Mercier wrote:
>>> Hello,
>>> I am by no means an expert either, but I believe what you are 
>>> recommending would forward requests for "myzone.tld" to the
>>> ip.of.forwarder1 etc.
>>> I want ipaserver1 to actually be a slave (do AXFR / IXFR -- hold all 
>>> the data) of "myzone.tld", and have ipaserver2 slave this data from 
>>> ipaserver1.
>> The replicas in IPA do not need to be specially configured to be 
>> slaves of each other. They have the same data which is replicated by 
>> LDAP back end so it is not clear why you are trying to configure the 
>> replicas to be in master-slave relation.
>>> Thanks,
>>> Mike
>>> On 13-Jul-12, at 5:11 PM, KodaK wrote:
>>>> On Fri, Jul 13, 2012 at 3:13 PM, Michael Mercier 
>>>> <>
>>>> wrote:
>>>>> Hello,
>>>>> When using IPA 2.2.0 with DNS setup (--setup-dns), is there any 
>>>>> issues with adding slaves to the named.conf file?
>>>>> example on ipaserver1:
>>>>> zone "myzone.tld" {
>>>>>        type slave;
>>>>>        file "slave/myzone.db";
>>>>>        masters { u.x.y.z;  w.x.y.z; };
>>>>>        allow-notify { u.x.y.z;  w.x.y.z; };
>>>>>        also-notify { ipaserver2 }; };
>>>> I'm no expert, but I think you'd want to use the command line 
>>>> option
>>>> dnsconfig-mod:
>>>> ipa dnsconfig-mod --forwarder=ip.of.forwarder1;ip.of.forwarder2
>>>> myzone.tld
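
Petr's "rndc freeze && modify zone && rndc thaw" sequence, written out as a POSIX shell wrapper. This is an added example, not code from the thread or from the FreeIPA or BIND projects. It assumes rndc is on PATH and already configured for the local named, and that the zone is a plain text file; the zone name, file path and edit command are supplied by the caller. The wrapper adds the check people most often forget: it refuses to thaw an edited zone whose SOA serial did not increase, since slaves only pull a new version when the serial goes up. write_sample_zone only builds a constructed fixture so the serial parsing can be tried offline.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Wraps rndc freeze /
# edit / rndc thaw and verifies the SOA serial was bumped before thawing.
# Assumptions: rndc is configured on this host; the zone file is plain text.

# Print the SOA serial of a zone file. Handles the usual multi-line
# "( ... )" SOA layout and strips ";" comments before parsing.
soa_serial() {
    awk '
        { sub(/;.*/, "") }                        # drop comments
        /[[:space:]]SOA[[:space:]]/ { insoa = 1 }
        insoa {
            buf = buf " " $0
            # done when the closing paren arrives, or when the SOA was
            # written on a single line without parentheses at all
            if (index($0, ")") || !index(buf, "(")) {
                gsub(/[()]/, " ", buf)
                n = split(buf, f, "[[:space:]]+")
                for (i = 1; i <= n; i++)
                    if (f[i] == "SOA") { print f[i + 3]; exit }
            }
        }
    ' "$1"
}

# Succeed only when FILE2 carries a strictly greater serial than FILE1.
# Plain integer comparison; RFC 1982 serial wrap-around is not handled.
serial_increased() {
    old=$(soa_serial "$1") || return 1
    new=$(soa_serial "$2") || return 1
    [ -n "$old" ] && [ -n "$new" ] && [ "$new" -gt "$old" ]
}

# freeze_edit_thaw ZONE ZONEFILE EDIT_CMD
# EDIT_CMD runs via sh -c while the zone is frozen. If it did not bump the
# serial, the pre-edit file is restored before thawing, so the server never
# keeps serving an edit that the slaves would silently never transfer.
freeze_edit_thaw() {
    zone=$1 zonefile=$2 edit_cmd=$3
    backup="$zonefile.pre-edit"
    rndc freeze "$zone" || return 1
    cp -p "$zonefile" "$backup" || { rndc thaw "$zone"; return 1; }
    sh -c "$edit_cmd"
    if serial_increased "$backup" "$zonefile"; then
        rndc thaw "$zone"
    else
        echo "freeze_edit_thaw: SOA serial not increased, restoring $zonefile" >&2
        cp -p "$backup" "$zonefile"
        rndc thaw "$zone"
        return 1
    fi
}

# Constructed test fixture: a minimal zone file with the given serial.
write_sample_zone() {
    cat > "$1" <<EOF
\$TTL 3600
@   IN SOA ns1.example.test. hostmaster.example.test. (
        $2      ; serial
        3600    ; refresh
        900     ; retry
        604800  ; expire
        300 )   ; minimum
    IN NS ns1.example.test.
ns1 IN A  192.0.2.53
EOF
}
```

A call looks like `freeze_edit_thaw myzone.tld /path/to/myzone.db 'editor /path/to/myzone.db'` (hypothetical path). With `ixfr-from-differences yes` on the master, as Petr describes, a change made this way goes out to the slaves as an IXFR rather than a full AXFR.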
