
Re: Suitability of LDAP as DNS backend - PowerDNS LDAP backend moving to unmaintained status

Hi Nick, hi all!

My 2 cents on this:

I think there are two quite independent questions here, which are:

1. Is LDAP a good database to store DNS information in? I mean,

2. How is the support for LDAP as a backend database in various DNS server

Talking about question #1:

What are the alternatives available?

- files ?
- relational databases?

IMO the good old zone files are not really up to the task unless you are
editing them manually in vi. Whenever you are looking for some kind of
automation, you need to write way more complex scripts than you want to.
And you always risk that any manual edits of the zone files break your
parser or anything. So zone files are really not an option if you ask me.

Whether you use LDAP or relational databases for some people is a question
of taste or what you are used to. If you have never worked with LDAP but
you are very confident with MySQL, then you may for sure prefer a
relational database as backend storage. But this is a bit of the good old
"if the only tool you have is a hammer, ..." kind of thing.

LDAP is different from relational databases in a number of aspects. To
name a few:

- LDAP is query optimized while relational databases are optimized for
OLTP. In other words, LDAP's performance on updates may be a lot worse
than that of a relational database. But its query performance should be a
lot better. I do admit though that given today's processing power
available, in many cases it will be hard to measure the difference here.
- LDAP stores tree like structures, not tables. LDAP is really nice if you
want to have one tree with different branches which different people,
groups, organizations have access to. LDAP ACLs are very fine grained. Many
SQL databases (especially the "cheaper" ones; cheaper in the sense of
resources, not money) have nothing at all or very black / white ACL schemas.
- LDAP has been designed for replication, which is a major plus in many
setups. Yes, you can replicate relational databases as well, but this is a
quite complex process. See also the last remark.
- If one understands how LDAP schemas work, one can very easily attach
attributes needed by DNS to existing LDAP objects describing your systems.

So IMO LDAP *is* the best suited backend storage for DNS database data
that I know of. (I am always open to new ideas I may not yet have heard or
thought of.)

Talking about question #2:

I never used PowerDNS, we always went with BIND. Fortunately the DLZ parts
made it into the code and the version which has them built in made it into
the standard Linux distros in the meanwhile.

AFAIK there are no plans to drop LDAP backend support from BIND. So maybe
you should just consider to switch there.

What does PowerDNS do that BIND doesn't do for you?


On Thu, 28 Apr 2011 12:31:02 +0300, Nick Milas <nick@eurobjects.com>
> Hi,
> We've been using for several months PowerDNS Authoritative Server v9.22 
> with LDAP backend (simple mode), using OpenLDAP (v2.4.22) for hosting 
> our organization's domains (and reverse zones) and it has been working 
> fine (low query times, reliable etc.) so we enjoy having all our 
> organization's data stored/maintained in the same DIT in LDAP.
> However, as PowerDNS Authoritative Server is preparing for the next 
> version (3.0), it seems that the LDAP backend will be unmaintained (see:
> http://mailman.powerdns.com/pipermail/pdns-users/2011-March/007547.html)
> as the LDAP backend developer is no more working on it (see: 
> It has been alleged (see ref. above) that "We don't think that LDAP is a
> particularly good or interesting place to store DNS data. It will for 
> example have big problems with PowerDNSSEC because of lack of ordering."
> Moreover, PowerDNS LDAP backend (although current open bugs are very few
> and of relatively low severity) lacks features (e.g. Notify, which we 
> implement using custom script, cron and notify-dns-slaves, see: 
> and is not being evolved any more.
> Additionally, LDAP/database backend projects for BIND9 (SDB and DLZ) do 
> not seem very well maintained either. In any case we prefer PowerDNS 
> approach where backend implementation is cleaner and direct.
> So, my questions:
>     *  From the above and your experience, do you consider LDAP should
>       not be preferred as DNS backend?
>     * Should LDAP be avoided as a DNS/DNSSEC backend?
>     * Would any companies / developer(s) from the OpenLDAP world -
>       perhaps already using or interested in using DNS with LDAP backend
>       - would be willing to devote some time to fix a couple of small
>       bugs and keep the very well-designed and developed PowerDNS LDAP
>       backend in shape? We could even start some community donation
>       effort (to support this development), but I don't know if there is
>       sufficient usage/interest in the LDAP backend that would generate
>       enough funds.
> In essence, should we drop LDAP as a DNS Record datastore, due to the 
> lack of a properly maintained backend and/or unsuitability for (e.g. 
> DNSSEC) evolution, or you think there IS interest for the maintenance / 
> evolution of the LDAP backend by the OpenLDAP developers/community (even
> by becoming more openldap-oriented rather than being cross-platform)?
> Best Regards,
> Nick
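The "lack of ordering" objection quoted above is about DNSSEC's NSEC chain: every name in a signed zone carries an NSEC record pointing at the next name in the canonical order of RFC 4034 section 6.1, and a resolver proves that a name does not exist by presenting the record whose owner sorts before it and whose "next" sorts after it. An LDAP search returns entries in no particular order, so a server using it as a backend has to sort the whole zone itself before it can build or serve that chain. The following Python is an added illustration of that ordering, not code from either poster nor from PowerDNS, BIND or OpenLDAP; the zone names are constructed sample data standing in for an unordered LDAP result set.

```python
"""Canonical DNS name ordering (RFC 4034 section 6.1) and the NSEC chain
built from an unordered set of names, as an LDAP search would return them.

Added example with constructed sample data; not code from PowerDNS, BIND
or OpenLDAP."""


def canonical_key(name: str) -> tuple:
    """Sort key implementing the canonical ordering: labels are compared
    from the root outward, each as a lowercase octet string, and a missing
    label sorts before any present label (which plain tuple comparison of
    byte strings gives us for free)."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return tuple(label.encode() for label in reversed(labels))


def canonical_order(names) -> list:
    """Deduplicate, lowercase and sort names into canonical order."""
    return sorted({n.rstrip(".").lower() for n in names}, key=canonical_key)


def nsec_chain(apex: str, names) -> list:
    """Return the NSEC chain as (owner, next) pairs for a zone; the last
    record points back at the apex, closing the circle."""
    ordered = canonical_order([apex, *names])
    return [(ordered[i], ordered[(i + 1) % len(ordered)])
            for i in range(len(ordered))]


def covering_nsec(chain, qname: str):
    """Find the NSEC record proving that qname does not exist: its owner
    sorts before qname and its next name after it. Returns None when the
    name exists (no denial of existence can be constructed)."""
    q = canonical_key(qname)
    for owner, nxt in chain:
        o, n = canonical_key(owner), canonical_key(nxt)
        if o == q:
            return None
        if o < q < n:
            return (owner, nxt)
        # The last record wraps around to the apex, so its "next" sorts
        # at or below its owner; it covers everything beyond the owner.
        if n <= o and (q > o or q < n):
            return (owner, nxt)
    return None


# Constructed sample zone, deliberately in the arbitrary order a backend
# search might hand back (mixed case, a child of b before b itself, ...).
SAMPLE_NAMES = ["www.example.com", "MAIL.example.com", "ns1.example.com",
                "a.b.example.com", "b.example.com"]

if __name__ == "__main__":
    chain = nsec_chain("example.com", SAMPLE_NAMES)
    for owner, nxt in chain:
        print(f"{owner}. NSEC {nxt}.")
    print("ftp.example.com covered by", covering_nsec(chain, "ftp.example.com"))
    print("www.example.com covered by", covering_nsec(chain, "www.example.com"))
```

Note that a plain lexical sort would put a.b.example.com first, ahead of b.example.com; the canonical order instead walks the tree from the root, which is why "b" precedes its child "a.b". A backend that can only hand back unsorted entries leaves this work, and the memory for holding the sorted zone, to the DNS server.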