On 1/18/20 8:06 PM, Michael Ströder wrote:
On 1/18/20 7:12 PM, Christian Boltz wrote:
On Friday, 17 January 2020, 22:18:26 CET, Lars Vogdt wrote:
As I wrote: I installed bind because I know it and I see the pressure to have something up and running to become independent. But I
Ok, understood.
I have some preference for launch=ldap to have authc/authz integration to another LDAP server [1] and use native LDAP replication for HA. While I'm more a fan of KISS (means here: having a single, independent service which could run without any outside dependencies - so I would have the data in LDAP, but use a local dump), this could of course also be done - and there are people like you, who have a way better knowledge than me on how to do this right. :-) The initial setup should definitely improve over time. And those who do decide.
... and this is why it's unlikely that we'll end up with text/plain zone files ;-) - while I'd prefer them (to keep things simple), I probably won't have time to work on the DNS setup.
Zone files look simple until you look at other requirements:
HA: AXFR is not always super-reliable and needs increasing the serial number. The latter is harder to do with zone files in an automated way (and is often forgotten during manual editing). => Native database replication works better.
Scripting: E.g. for Let's Encrypt integration you might want to dynamically add and remove DNS RRs without mucking with DNS-Update (RFC 2136). Not to speak of authc/authz deficiencies... => native DB access is better
I can understand that PowerDNS with LDAP backend sounds complex, but it isn't. (Now, "Butter bei de Fische...", i.e. down to the specifics.)

This is more or less what I'm using for my own internal auth DNS servers for configuring OpenLDAP as DNS backend and having password-based authc and the authz done via back-ldap to Æ-DIR (or any other LDAP server):

https://gitlab.com/ae-dir/client-examples/blob/master/slapd-ldap/slapd.conf

The multi-master replication config part will take two more config statements. But that's it.

Lines added to the default config of the PowerDNS authoritative server (file /etc/pdns/pdns.conf) for launching the LDAP backend:

ldap-host=ldapi://
ldap-starttls=no
ldap-basedn=cn=pdns,dc=example,dc=com
ldap-binddn=cn=pdns,dc=example,dc=com
ldap-secret=supersecretsyspassword
ldap-method=simple

That's it for the config.

For each hosted domain you have to add a SOA RR entry like this:

dn: associatedDomain=vnet1.local,ou=pdns,ou=infra,dc=stroeder,dc=de
associatedDomain: vnet1.local
dc: vnet1
hasSubordinates: TRUE
nSRecord: nb2.stroeder.local
objectClass: dNSDomain2
objectClass: domainRelatedObject
rPRecord: hostmaster.stroeder.com. updatensa.system.
sOARecord: nb2.stroeder.local. hostmaster.stroeder.com. 2 10800 3600 604800 86400

An A RR looks like this:

dn: dc=samba1,associatedDomain=vnet1.local,ou=pdns,ou=infra,dc=stroeder,dc=de
aRecord: 10.54.1.93
associatedDomain: samba1.vnet1.local
dc: samba1
description: Samba CentOS7 test system
objectClass: dNSDomain2
objectClass: domainRelatedObject

The accompanying PTR RR looks like this:

dn: dc=93,associatedDomain=1.54.10.in-addr.arpa,ou=pdns,ou=infra,dc=stroeder,dc=de
associatedDomain: 93.1.54.10.in-addr.arpa
dc: 93
description: Samba CentOS7 test system
objectClass: dNSDomain
objectClass: dNSDomain2
objectClass: domainRelatedObject
pTRRecord: samba1.vnet1.local

My web2ldap already contains plugin classes to make maintaining the stuff a bit easier.
The only caveat with using the LDAP backend is that DNSSEC is probably not directly supported yet (as opposed to the various SQL backends).

Feedback welcome.

Ciao, Michael.

P.S.: I'm also using the LDAP server as backend for ISC dhcpd.
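As an added example, not code from Michael's mail or from the PowerDNS project: a small Python helper that emits the A/PTR entry pair in the same dNSDomain2 layout shown in the mail and increments the sOARecord serial that the HA point above says is easy to forget. The base DN ou=pdns,ou=infra,dc=example,dc=com and the label check (host names are spliced into DNs, so anything that is not a plain DNS label is rejected rather than escaped) are assumptions of this example.

```python
import ipaddress
import re

# Constructed base DN; the thread's tree uses ou=pdns,ou=infra,dc=stroeder,dc=de.
BASE_DN = "ou=pdns,ou=infra,dc=example,dc=com"
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def label(value: str) -> str:
    """Reject anything that is not a plain DNS label: the value lands in a DN."""
    if not LABEL_RE.match(value):
        raise ValueError(f"not a valid DNS label: {value!r}")
    return value


def a_record_ldif(host: str, zone: str, ip: str) -> str:
    """A RR as a dNSDomain2 entry beneath the zone's associatedDomain entry."""
    host = label(host)
    ipaddress.IPv4Address(ip)  # raises on a malformed address
    return "\n".join([
        f"dn: dc={host},associatedDomain={zone},{BASE_DN}",
        f"aRecord: {ip}",
        f"associatedDomain: {host}.{zone}",
        f"dc: {host}",
        "objectClass: dNSDomain2",
        "objectClass: domainRelatedObject",
    ]) + "\n"


def ptr_record_ldif(host: str, zone: str, ip: str) -> str:
    """Matching PTR RR in the /24 reverse zone (dc=93 under 1.54.10.in-addr.arpa)."""
    host = label(host)
    addr = ipaddress.IPv4Address(ip)
    last, rev_zone = addr.reverse_pointer.split(".", 1)  # "93", "1.54.10.in-addr.arpa"
    return "\n".join([
        f"dn: dc={last},associatedDomain={rev_zone},{BASE_DN}",
        f"associatedDomain: {addr.reverse_pointer}",
        f"dc: {last}",
        "objectClass: dNSDomain",
        "objectClass: dNSDomain2",
        "objectClass: domainRelatedObject",
        f"pTRRecord: {host}.{zone}",
    ]) + "\n"


def bump_soa_serial(soa: str) -> str:
    """Increment the serial (third field) of an sOARecord value: one attribute replace."""
    fields = soa.split()
    if len(fields) != 7:
        raise ValueError("sOARecord must have 7 fields")
    fields[2] = str(int(fields[2]) + 1)
    return " ".join(fields)
```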