[Freeipa-devel] [PATCH] 111 Let Bind track data changes

Martin Kosek mkosek at redhat.com
Wed Aug 24 19:17:18 UTC 2011


On Fri, 2011-08-19 at 12:49 +0200, Martin Kosek wrote:
...
> 2) Make sure that current DNS behavior is well documented, and users are
> aware of that when they change/add a record, it may be seen after
> $cache_ttl seconds or when they reload the cache using `rndc reload`.
> 
> 3) Tickets 1114, 1125 and 1126 would be closed as documentation fix.

I created a documentation ticket for Deon:

https://fedorahosted.org/freeipa/ticket/1709

Proposed change to DNS documentation is attached to this mail and the
ticket 1709. It is dependent on my patch 111 CLI but it shouldn't change
greatly.

Martin
-------------- next part --------------
10.1. About DNS in FreeIPA
...

[DELETE] FreeIPA communicates with both the BIND services and the LDAP directory using the bind-dyndb-ldap plug-in.

[ADD_START] 10.1.1 DNS and Directory Server

The BIND service communicates with Directory Server using the bind-dyndb-ldap plug-in. When FreeIPA is configured with the <b>--setup-dns</b> option or the <b>ipa-dns-install</b> command (see chapter 10.2), a section "dynamic-db" configuring the plug-in is created in /etc/named.conf. A properly configured plug-in is then able to provide the name server with DNS records from Directory Server. The configuration in the dynamic-db section of /etc/named.conf can be changed later to tune the plug-in behavior.

10.1.2 DNS cache

bind-dyndb-ldap contains a DNS record cache for zones and successful DNS resolutions in order to increase Directory Server performance. Without the cache the name server would have to run an LDAP query for every DNS resolution. The default validity of a DNS record in the cache is 120 seconds, i.e. a change to an existing DNS record may not be resolvable instantly, but at most after 120 seconds. If the DNS record change should be propagated immediately, the name server should be reloaded using the following command:

# rndc reload

The default value of the cache validity may be changed in /etc/named.conf. If the Directory Server is under heavy load and/or records are not updated very often, the cache validity can be set to a higher value using the <b>cache_ttl</b> argument of bind-dyndb-ldap. The following example shows how to change the default cache validity in /etc/named.conf:

dynamic-db "ipa" {
...
    arg "cache_ttl 60";
};

When the name service is restarted, the DNS record cache validity will be set to 60 seconds.

10.1.3 New zones

By default, the bind-dyndb-ldap plug-in resolves only those zones that were configured and enabled in the Directory Server at the time the name server started. To enable DNS resolution for a new zone or a disabled one, there are 3 ways:

  1) Reload the name service when a new zone is added, using the following command:

    # rndc reload

  2) Let bind-dyndb-ldap periodically poll for new zones defined in the FreeIPA-controlled Directory Server. This is the default option when FreeIPA is configured with DNS. By default the poll interval is set to 60 seconds, i.e. every 60 seconds bind-dyndb-ldap makes an LDAP query for new zones and, if any are detected, the zones (and the DNS records in them) are loaded and made resolvable. The default value can be changed during ipa-server-install or ipa-dns-install with the option --zone-refresh. To change the value for an existing FreeIPA installation, the bind-dyndb-ldap argument <b>zone_refresh</b> (set to the number of seconds between polls) can be defined in /etc/named.conf:

dynamic-db "ipa" {
...
        arg "zone_refresh 30";
};

  In the above example, the bind-dyndb-ldap zone refresh has been set to 30 seconds.

  3) Let bind-dyndb-ldap use the LDAP persistent search mechanism to get an immediate notification when a new DNS zone is added. By default, this feature is disabled; it can be enabled with the --zone-notif install option. To enable this feature for an existing FreeIPA installation, the bind-dyndb-ldap argument <b>psearch</b> (set to "yes" or "no") can be defined in /etc/named.conf:

dynamic-db "ipa" {
...
        arg "psearch yes";
};

  In the above example, the persistent search feature is enabled.
[ADD_END]
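To check what propagation delay a given /etc/named.conf actually implies (record changes bounded by cache_ttl, new zones by zone_refresh unless psearch is on), here is an added POSIX shell helper that is not part of the proposed documentation or of bind-dyndb-ldap itself; the dynamic-db block it parses is a constructed sample, and the fallback defaults (120 s cache_ttl, 60 s zone_refresh, psearch off) are taken from the text above and assumed to apply when an argument is absent.

```shell
#!/bin/sh
# Constructed sample of the dynamic-db "ipa" section of /etc/named.conf
# (not copied from a real installation).
SAMPLE_NAMED_CONF='dynamic-db "ipa" {
        library "ldap.so";
        arg "uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket";
        arg "base cn=dns, dc=example,dc=com";
        arg "cache_ttl 60";
        arg "zone_refresh 30";
        arg "psearch yes";
};'

# dyndb_arg NAME [CONF]: print the value of the first `arg "NAME value";`
# line in CONF (defaults to the sample above); prints nothing if absent.
dyndb_arg() {
    arg_name=$1
    conf=${2:-$SAMPLE_NAMED_CONF}
    printf '%s\n' "$conf" |
        sed -n 's/^[[:space:]]*arg[[:space:]]*"'"$arg_name"'[[:space:]]\{1,\}\([^"]*\)";.*/\1/p' |
        head -n 1
}

# Upper bound, in seconds, before a changed record becomes resolvable.
# Assumption: a missing cache_ttl means the documented default of 120 s.
record_change_delay() {
    conf=${1:-$SAMPLE_NAMED_CONF}
    ttl=$(dyndb_arg cache_ttl "$conf")
    echo "${ttl:-120}"
}

# How long a newly added zone takes to become resolvable: "immediate"
# with persistent search, otherwise the zone_refresh poll interval.
# Assumption: a missing zone_refresh means the FreeIPA default of 60 s.
new_zone_delay() {
    conf=${1:-$SAMPLE_NAMED_CONF}
    if [ "$(dyndb_arg psearch "$conf")" = "yes" ]; then
        echo immediate
        return 0
    fi
    refresh=$(dyndb_arg zone_refresh "$conf")
    echo "${refresh:-60}"
}

echo "record change visible within: $(record_change_delay) s"
echo "new zone visible: $(new_zone_delay)"
```

To inspect a live server, pass the file contents instead of the sample, e.g. `new_zone_delay "$(cat /etc/named.conf)"`.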

...

10.5. Adding DNS Zones
...
To add a zone entry:
1. Add the new zone. For example:
   $ ipa dnszone-add newserver.example.com --admin-email=admin@example.com --minimum=3000 --allow-dynupdate
2. [REPLACE_STEP2_START]Depending on the new zone detection mechanism chosen (described in 10.1.3), either reload the name server, wait for the next bind-dyndb-ldap new zone poll, or have the zone immediately resolvable with the persistent search option.[REPLACE_STEP2_END]