
Suitability of LDAP as DNS backend - PowerDNS LDAP backend moving to unmaintained status



Hi,

We've been using PowerDNS Authoritative Server v9.22 with the LDAP backend (simple mode) for several months, with OpenLDAP (v2.4.22) hosting our organization's domains (and reverse zones), and it has been working fine (low query times, reliable, etc.), so we enjoy having all our organization's data stored and maintained in the same DIT in LDAP.

However, as PowerDNS Authoritative Server is preparing for the next version (3.0), it seems that the LDAP backend will be unmaintained (see: http://mailman.powerdns.com/pipermail/pdns-users/2011-March/007547.html), as the LDAP backend developer is no longer working on it (see: http://www.mail-archive.com/pdns-users@mailman.powerdns.com/msg03625.html).

It has been alleged (see ref. above) that "We don't think that LDAP is a particularly good or interesting place to store DNS data. It will for example have big problems with PowerDNSSEC because of lack of ordering." Moreover, the PowerDNS LDAP backend (although the current open bugs are very few and of relatively low severity) lacks features (e.g. NOTIFY, which we implement using a custom script, cron and notify-dns-slaves, see: http://mailman.powerdns.com/pipermail/pdns-users/2010-October/007109.html) and is no longer being evolved.

Additionally, the LDAP/database backend projects for BIND9 (SDB and DLZ) do not seem very well maintained either. In any case, we prefer the PowerDNS approach, where the backend implementation is cleaner and more direct.

So, my questions:

   * From the above and your experience, do you consider that LDAP should
     not be preferred as a DNS backend?
   * Should LDAP be avoided as a DNS/DNSSEC backend?
   * Would any companies / developer(s) from the OpenLDAP world -
     perhaps already using or interested in using DNS with an LDAP backend
     - be willing to devote some time to fix a couple of small bugs and
     keep the very well-designed and developed PowerDNS LDAP backend in
     shape? We could even start some community donation effort (to
     support this development), but I don't know if there is sufficient
     usage/interest in the LDAP backend to generate enough funds.

In essence, should we drop LDAP as a DNS record datastore, due to the lack of a properly maintained backend and/or its unsuitability for (e.g. DNSSEC) evolution, or do you think there IS interest in the maintenance / evolution of the LDAP backend by the OpenLDAP developers/community (even by becoming more OpenLDAP-oriented rather than cross-platform)?

Best Regards,
Nick