Receiving a huge list of entries is not a cheap operation; that's why there is a default max limit set to 100/2000 entries. You have to take that into account. Maybe a direct AXFR from DNS would be more suitable for you, to get the complete list of DNS records per zone. But if you are fine with the speed, memory and CPU consumption on the server side, there is no reason why dnsrecord-find shouldn't be used.


On 13.12.2016 17:47, Mike Driscoll wrote:
Thanks Martin.  That is the cause...

$ ldapsearch -D 'cn=directory manager' -W -b cn=config cn=config | grep 
Enter LDAP Password:
nsslapd-sizelimit: 2000

This command results in a similar problem that only 100 of 270 record names 
were returned.
$  ipa dnsrecord-find qa

If I specify these limits, I get all 270 records as expected.
$  ipa dnsrecord-find qa --sizelimit=10000 --timelimit=20

I have the impression this default size limit meets most needs.  Is my approach 
wrong when wanting to dump the entire DNS list of records via ipa 


On Dec 13, 2016, at 08:17, Martin Basti wrote:

Tomas already replied to you, copying here as archives are currently offline to 
prevent spam



you seem to be hitting the size limit on LDAP side. To verify, check

ldapsearch -D 'cn=directory manager' -W -b cn=config cn=config | grep 

If you really need to increase this size limit, you will have to modify the 
nsslapd-sizelimit in cn=config.



On 13.12.2016 17:06, Mike Driscoll wrote:
Any thoughts about this sizelimit bug?


On Nov 28, 2016, at 14:44, Mike Driscoll wrote:

I'm running:
# rpm -qa | grep ipa-server

Searching DNS for all hostnames containing "qa" times out in the GUI.  Setting 
aside the option to change server defaults, this cli command isn't giving me the content 
I need:

# ipa dnsrecord-find --sizelimit=10000 --timelimit=20 | grep qa
ipa: WARNING: Search result has been truncated: Configured size limit exceeded

It seems like the sizelimit parameter greater than two thousand is being 

# ipa dnsrecord-find --sizelimit=1900 --timelimit=20
Number of entries returned 1900

# ipa dnsrecord-find --sizelimit=2100 --timelimit=20
Number of entries returned 2000

Any suggestions?
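
Added example, not part of the thread and not FreeIPA's own code: a shell check that tells whether captured `ipa dnsrecord-find` output can be trusted as a complete listing, given the client `--sizelimit` and the server's `nsslapd-sizelimit`. The function name `check_dns_dump` and its arguments are hypothetical; it assumes stdout and stderr were captured together so the warning line is visible.

```shell
# Added example. Reads captured `ipa dnsrecord-find` output on stdin.
#   $1 = the --sizelimit passed to ipa
#   $2 = the server's nsslapd-sizelimit (2000 in this thread)
# Prints a verdict; returns 0 = complete, 1 = truncated, 2 = cannot tell.
# Usage (assumed capture of both streams):
#   ipa dnsrecord-find qa --sizelimit=10000 --timelimit=20 2>&1 | check_dns_dump 10000 2000
check_dns_dump() {
    cdd_requested=$1
    cdd_server=$2
    cdd_output=$(cat)

    # Explicit warning printed by the ipa CLI when a limit was hit.
    case $cdd_output in
        *"Search result has been truncated"*)
            echo "truncated: CLI reported a size limit"
            return 1 ;;
    esac

    # Summary line, e.g. "Number of entries returned 2000".
    cdd_count=$(printf '%s\n' "$cdd_output" |
        sed -n 's/.*Number of entries returned \([0-9][0-9]*\).*/\1/p' | tail -n 1)
    if [ -z "$cdd_count" ]; then
        echo "unknown: no entry count found"
        return 2
    fi

    # The effective cap is the smaller of the two limits; a count that
    # reaches it means more entries may exist than were returned.
    cdd_cap=$cdd_requested
    if [ "$cdd_server" -lt "$cdd_cap" ]; then
        cdd_cap=$cdd_server
    fi
    if [ "$cdd_count" -ge "$cdd_cap" ]; then
        echo "truncated: $cdd_count entries reached the cap of $cdd_cap"
        return 1
    fi
    echo "complete: $cdd_count entries, cap $cdd_cap"
    return 0
}
```

A listing that reaches either limit is treated as truncated even when no warning was captured, which covers the `--sizelimit=2100` case that returned 2000 entries.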

