[Freeipa-devel] FreeIPAv2 with dns zones stored in ldap

Wed May 28 13:13:19 UTC 2008

On Tue, May 27, 2008 at 7:45 PM, Jeff Schroeder <jeffschroed at gmail.com> wrote:
> On Tue, May 27, 2008 at 1:20 PM, Simo Sorce <ssorce at redhat.com> wrote:
>> On Tue, 2008-05-27 at 10:31 -0700, Jeff Schroeder wrote:
>>> The FreeIPA V2BPRD document[1] mentions storing dns information in
>>> ldap. How do you plan on accomplishing this?
>>> Will redhat be adding in the bind patch[2] to enable storing zone
>>> files in ldap or use an alternative server like powerdns?
>>> Which schema will you be using for this? I'm interested in setting up
>>> a copy of (RH|F)DS and whatever is needed to start
>>> working on and testing this. The upstreams for all projects that store
>>> dns zones in ldap other than powerdns seem awful
>>> quiet.
>>>
>>> Any pointers or ideas would be much appreciated.
>>>
>>>
>>> [1] http://freeipa.org/page/V2BPRD#1._Machine_Identity_and_Authentication
>>>  [1.1.1] Store DNS information in LDAP
>>> [2] http://bind9-ldap.bayour.com/
>>
>>
>> Jeff we are not yet completely sold to any schema or server, I have been
>> working and testing with bind some, so far I am not completely satisfied
>> with any solution.
>>
>> Aside from caching problems (apparently bind does not cache stuff if the
>> backend uses sdb, there is also a DNS Update problem in that bind does
>> not allow you to update info into an sdb backend at this point.
>>
>> Access Control when using GSS-TSIG is also extremely limited with bind
>> at this point.
>>
>> I am lookig for a solution that present the least resistance path for
>> getting in what we need.
>
> Ok so I've got an idea that might or might not work. It seems like the
> path of least resistance.
>
> Re-implement ldap2dns in python. Use python-ldap to read the zones
> from ldap and python bindings
> for libaugeas to write the zones out.
>
> The implementation would run something like this:
> - A script, cronjob, or daemon in freeipa runs every XXX amount of
> time and checks the serial
>  number of every zone on disk to the zone in ldap.
> - If the zone in ldap is newer ldap2dns dumps the new zone to disk
> - A backup of the old zone is made, the new zone is moved into place,
> and rndc reload $zone is ran
>
> The cleanest solution is native ldap support in bind. The problem is
> that the patch is not in upstream
> bind and hasn't been updated in some time. Unless redhat or someone
> dusts that patch off and tries to
> get it upstream it is a deadend. Short of that happening, my solution
> seems like the path of least resistance.
>
> Here is a diagram of the LDAP setup I'd like to use:
> http://www.digitalprognosis.com/pics/fds-multimaster.png
>
> You could have ldap + dns on the same server. Since ldap is the
> canonical source for zone information,
> every bind instance could be master and AXFR could be disabled. A lot
> of these ideas come from
> Nathaniel Mccallum, a buddy of mine. I'm willing to work with you the
> code as best as possible. This
> seems related to one of the goals of FreeIPA so we might be able to
> work together.
>
> --
> Jeff Schroeder
>
> Don't drink and derive, alcohol and analysis don't mix.
> http://www.digitalprognosis.com
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
Mandriva Directory Server (http://mds.mandriva.org/wiki/Download) is
using ISC DHCP and BIND and they already have some python code for
managing DNS and DHCP.  It looks like they configure Bind to point to
their LDAP for their records.   Not sure if this is doable with
Fedora's Bind builds.  But it could be a decent starting point.

--Joe