openldap, dlz and dynamic dns updates from isc-dhcpd

2012-09-21 Thread Jeff Lasslett
Hello List,

I would like to use openldap to store DHCP config and DNS zones.
I've scoured the web for howtos and I've learned a lot.

For openldap backed DNS it seems that DLZ is the best option (faster,
and the data is better organised in ldap).

My main question is about dynamic updates from the DHCP server.  I
would like to know if bind 9.9 can update
an openldap DLZ with dynamic updates from a DHCP server.

I've read about Andrew Tridgell's work on getting BIND to update DLZs
(http://jpmens.net/2011/01/21/bind-gets-a-new-updateable-dlz-driver-dlopen/).

Can encryption be used to dynamically update BIND's DLZs, just as it
can if zone files are used?

Thanks,
Jeff
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: openldap, dlz and dynamic dns updates from isc-dhcpd

2012-09-24 Thread Evan Hunt
> My main question is about dynamic updates from the DHCP server.  I
> would like to know if bind 9.9 can update
> an openldap DLZ with dynamic updates from a DHCP server.

Given an openldap DLZ driver that can accept dynamic updates, yes.
I'm not aware of such a DLZ driver existing yet, but there's no
technical reason why it couldn't be written.

> I've read about Andrew Tridgell's work on getting BIND to update DLZs
> (http://jpmens.net/2011/01/21/bind-gets-a-new-updateable-dlz-driver-dlopen/).
> 
> Can encryption be used to dynamically update BIND's DLZs, just as it
> can if zone files are used?

I'm not sure what you mean by "using encryption".

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: openldap, dlz and dynamic dns updates from isc-dhcpd

2012-09-24 Thread Jeff Lasslett
Hi Evan,

Thanks for your reply.  I must confess that I am working on my first
DHCP and BIND deployment and I'm sure that I don't yet understand
everything.  So it's likely that I'm working with some wrong
assumptions.

On 25 September 2012 04:01, Evan Hunt  wrote:

> I'm not aware of such a DLZ driver existing yet, but there's no
> technical reason why it couldn't be written.

Thanks. That's useful to know.

Here's a possibly wrong assumption:  there are BIND deployments that
use openldap (or an RDBMS, or something else) rather than zone files
to hold DNS mappings (name to ip address & vice versa), and these
alternative backends are updated when the DHCP server hands out or
revokes a lease.
Is this so? If so, how is the DNS information updated?

>> Can encryption be used to dynamically update BIND's DLZs, just as it
>> can if zone files are used?
>
> I'm not sure what you mean by "using encryption".

:-)  I'm not sure either.  In DHCP config, within a zone { ... }
block, there are key  directives.   It seems that BIND & DHCP
can use a key to be sure of each other and the validity of DNS updates
coming from the DHCP server.   Am I on the right track?   When I wrote
'encryption' this is what I was referring to.

Thanks,
Jeff


Re: openldap, dlz and dynamic dns updates from isc-dhcpd

2012-09-24 Thread Evan Hunt
> Here's a possibly wrong assumption:  there are BIND deployments that
> use openldap (or an RDBMS, or something else) rather than zone files
> to hold DNS mappings (name to ip address & vice versa), and these
> alternative backends are updated when the DHCP server hands out or
> revokes a lease.
> Is this so? If so, how is the DNS information updated?

There are two sorts of DLZ driver out there -- the older ones that don't
support dynamic update and have to be statically linked into the "named"
binary to work, and then newer ones like Andrew Tridgell's, which are
run-time loadable and can (if desired) be written to accept updates via
dynamic DNS.

There *is* an LDAP DLZ driver, but it's an old-style driver so it
can't accept DDNS updates.  You could probably write some kind of DHCP hook
that updated the LDAP data directly, *not* using dynamic DNS, but I don't
think that's what you were asking about.  To use LDAP *and* accept DDNS
updates, you'd need a new-style DLZ driver that supported LDAP, which is
certainly possible, but I don't know whether anyone's done it yet.  (I'm
guessing not, though; I think I would've heard.)

> > I'm not sure what you mean by "using encryption".
> 
> :-)  I'm not sure either.  In DHCP config, within a zone { ... }
> block, there are key  directives.   It seems that BIND & DHCP
> can use a key to be sure of each other and the validity of DNS updates
> coming from the DHCP server.   Am I on the right track?   When I wrote
> 'encryption' this is what I was referring to.

Okay, you're talking about authentication using TSIG keys -- I thought
so, but wasn't quite sure. :)

There shouldn't be any conflict between that and DLZ.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
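The `key` directive Jeff describes in the dhcpd `zone { ... }` block and the TSIG authentication Evan names are the same mechanism: dhcpd and named share a secret, and every dynamic update carries an HMAC over the whole message, so named can verify who sent it and that it was not altered in transit. What follows is an added example, not code from this thread or from ISC's software: a minimal TSIG (RFC 2845) signer and verifier over a constructed DNS UPDATE message, in Python with only the standard library. The key name `dhcp-update-key`, the secret, and the `example.com` zone and host names are constructed sample values. The verifier rejects a tampered update, a wrong key, and a timestamp outside the fudge window, which is exactly the check named performs before it touches the zone, whether that zone lives in a file or behind a DLZ driver.

```python
import hmac
import hashlib
import struct
import time

TYPE_TSIG, CLASS_ANY, OPCODE_UPDATE = 250, 255, 5
ALGORITHM = "hmac-sha256."           # canonical form: absolute, lowercase

def canon(name):
    """Canonical (lowercase, absolute) form of a domain name."""
    return name.lower().rstrip(".") + "."

def encode_name(name):
    """Uncompressed wire format of a domain name (RFC 1035 section 3.1)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".") if l) + b"\x00"

def decode_name(msg, off):
    """Decode an uncompressed name at `off`; return (name, offset after it)."""
    labels = []
    while msg[off]:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    return ".".join(labels) + ".", off + 1

def skip_name(msg, off):
    """Offset just past the name at `off`, tolerating compression pointers."""
    while msg[off] & 0xC0 != 0xC0:
        if msg[off] == 0:
            return off + 1
        off += 1 + msg[off]
    return off + 2

def build_update(zone, host, ipv4, msg_id=0x1234, ttl=300):
    """Unsigned DNS UPDATE (RFC 2136) that adds an A record for `host` in `zone`."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", 6, 1)          # SOA, IN
    rdata = bytes(int(o) for o in ipv4.split("."))
    update = encode_name(host) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + zone_section + update

def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """TSIG variables covered by the MAC (RFC 2845 section 3.4.2)."""
    return (encode_name(canon(key_name)) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(ALGORITHM)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other)) + other)

def sign(msg, key_name, secret, time_signed=None, fudge=300):
    """Append a TSIG RR whose MAC covers the whole message plus the TSIG variables."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(secret, msg + tsig_variables(key_name, time_signed, fudge),
                   hashlib.sha256).digest()
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    rdata = (encode_name(ALGORITHM)
             + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                           fudge, len(mac)) + mac
             + struct.pack("!HHH", msg_id, 0, 0))          # original ID, error, other len
    tsig_rr = (encode_name(key_name)
               + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata)
    # ARCOUNT counts the TSIG RR on the wire; the MAC was taken before it was added.
    return struct.pack("!HHHHHH", msg_id, flags, zo, pr, up, ad + 1) + msg[12:] + tsig_rr

def verify(signed, expected_key_name, secret, now=None):
    """True iff the last additional RR is a TSIG for `expected_key_name`, its MAC is
    valid under `secret`, and Time Signed is within the fudge window of `now`."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", signed[:12])
    if ad == 0:
        return False                          # no additional records, so no TSIG
    off = 12
    for _ in range(zo):                       # zone entries: name, type, class only
        off = skip_name(signed, off) + 4
    start = None
    for _ in range(pr + up + ad):             # walk RRs; the TSIG must be the last one
        start = off
        off = skip_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    key_name, q = decode_name(signed, start)
    rtype, rclass, _ttl, _rdlen = struct.unpack("!HHIH", signed[q:q + 10])
    alg, q = decode_name(signed, q + 10)
    hi, lo, fudge, mac_len = struct.unpack("!HIHH", signed[q:q + 10])
    mac = signed[q + 10:q + 10 + mac_len]
    q += 10 + mac_len
    orig_id, error, other_len = struct.unpack("!HHH", signed[q:q + 6])
    other = signed[q + 6:q + 6 + other_len]
    if ((rtype, rclass) != (TYPE_TSIG, CLASS_ANY) or alg != ALGORITHM
            or canon(key_name) != canon(expected_key_name)):
        return False
    # Rebuild the message as the signer saw it: TSIG removed, ARCOUNT decremented,
    # header ID restored from the TSIG's original ID field.
    unsigned = struct.pack("!HHHHHH", orig_id, flags, zo, pr, up, ad - 1) + signed[12:start]
    time_signed = (hi << 32) | lo
    expected = hmac.new(secret, unsigned + tsig_variables(key_name, time_signed, fudge,
                                                          error, other), hashlib.sha256).digest()
    now = int(time.time()) if now is None else now
    return hmac.compare_digest(mac, expected) and abs(now - time_signed) <= fudge

if __name__ == "__main__":
    secret = b"constructed-sample-secret-not-a-real-key"   # constructed sample value
    update = build_update("example.com.", "host1.example.com.", "192.0.2.10")
    signed = sign(update, "dhcp-update-key", secret)
    print("valid update:", verify(signed, "dhcp-update-key", secret))
    forged = signed.replace(bytes([192, 0, 2, 10]), bytes([192, 0, 2, 99]))
    print("tampered update:", verify(forged, "dhcp-update-key", secret))
```

In a real deployment the same key name and secret appear in both dhcpd.conf (the `key` block referenced from the `zone` block) and named.conf (the `key` statement and the zone's `allow-update { key ...; }` policy). Two points in the verifier carry over to the real thing: the MAC comparison is constant-time (`hmac.compare_digest`), and the Time Signed check means both hosts need reasonably synchronised clocks, or valid updates start failing with a BADTIME error.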