[Freeipa-users] No $ORIGIN directive in bind-dyndb-ldap

Brendan Kearney bpk678 at gmail.com
Wed Oct 23 21:08:35 UTC 2013 

> Do you plan to use FreeIPA command line interface or not?
> 
> With FreeIPA, you can create equivalent records with this set of commands:
> $ ipa dnszone-add bpk2.com
> $ ipa dnsrecord-add bpk2.com _kerberos --txt-rec=...
> etc.
> 
> Those commands allow you to create almost equivalent data in LDAP. This 
> doesn't work for you?
> 
> Please note that dnsrecord-add command contains zone name (as the first 
> argument), so the FQDN can be constructed from the first and second argument.

i am using bind-dyndb-ldap without FreeIPA, or 389.  It is on Fedora,
with  OpenLDAP and a bunch of steps to get it working.  i am using
phpLdapAdmin to administrate the ldap instance and have created the
needed configs in ldap, using the existing sample ldif as a guide.

> 
> DNS zone is represented by LDAP object which contains all other named in the zone:
> idnsname=bkp2.com,cn=dns,dc=ipa,dc=test
> 
> Each name inside particular zone is represented by own LDAP object:
> idnsname=_kerberos, idnsname=bkp2.com,cn=dns,dc=ipa,dc=test
> 
> As a result, FQDN can be constructed for each relative name in the zone simply 
> by concatenating second and first idnsname components.
> 
> Is it now clearer why bind-dyndb-ldap don't have equivalent of $ORIGIN?

no.  you say that the FQDN can be constructed by stinging together 2 of
the values in the DN, but neither bind, nor the bind-dyndb-ldap
"plug-in" are doing that.

> > attached is my forward zone (frozen before copying data, so that the jnl
> > entries were written out).
> >
> > the desired outcome is to have zones configured so that unqualified
> > queries are looked up locally and return properly, if appropriate,
> > before being forwarded to any forwarders or via the hints to the roots
> > or whatever is configured to be done with a record that does not have a
> > locally authoritative entry.
> 
> AFAIK 'unqualified' names are purely client-side thing. I belive that all 
> names have to be expanded to FQDN *before* the query is sent to any DNS 
> server. (See search directive in /etc/resolv.conf.)
> 

and there are no conceivable scenarios where an unqualified query could
ever get to the bind server?  regardless of opinions on how
frequent/infrequent it could happen, the fact is that this is an
entirely legitimate scenario that improperly fails with an error.

> > while zytrax does have good articles, the reference i provided is
> > directly out of the bind admin guide, and likely a more authoritative
> > voice on the subject.
> 
> I agree. Please note that both sources say the same information, just in other 
> words.
> 
> > i have validated that when no $ORIGIN directive is set, a query using
> > the short name will fail when looked up locally, and will either be
> > forwarded or recursively searched for.  the examples i provided go
> > against bind+bind-dyndb-ldap, and the short name query fails.  doing the
> > same lookups against my straight bind instance, using the attached zone
> > file, gives authoritative responses for both short and FQDN queries.
> 
> I belive that your zone file will be perfectly functional if you remove origin 
> completely. You will have to replace name for SOA record.

it does not matter what will or will not work with my zones.  what i am
trying to account for is lookups failing against bind when using the
bind-dyndb-ldap backend and a short name is specified.  since the
$ORIGIN directive is written into RFC, why is it electively being
dropped, resulting in a broken implementation because of the lack of
compliance?

> $ diff -u bpk2.com.db.orig bpk2.com.db.noorigin
> --- bpk2.com.db.orig	2013-10-23 09:09:47.568113243 +0200
> +++ bpk2.com.db.noorigin	2013-10-23 09:10:09.347112464 +0200
> @@ -1,6 +1,5 @@
> -$ORIGIN .
>   $TTL 3600	; 1 hour
> -bpk2.com		IN SOA	server.bpk2.com. root.server.bpk2.com. (
> +@			IN SOA	server.bpk2.com. root.server.bpk2.com. (
>   				21684      ; serial
>   				10800      ; refresh (3 hours)
>   				3600       ; retry (1 hour)
> @@ -9,7 +8,6 @@
>   				)
>   			NS	vpn.bpk2.com.
>   			NS	server.bpk2.com.
> -$ORIGIN bpk2.com.
>   $TTL 600	; 10 minutes
>   _kerberos		TXT	"BPK2.COM"
>   $TTL 5	; 5 seconds
> 
> 
> I assume that your zone definition in named.conf looks like:
>          zone "bpk2.com." IN {
>                  type master;
>                  file "bpk2.com.db";
>          };
> 
> As a result, default origin "bpk2.com." is appended to all names in zone file 
> - and that is it.
> 
> Do not forget to bump serial and check server logs if the new zone file was 
> loaded correctly ...
> 
> Have a nice day!
>

More information about the Freeipa-users mailing list