[Date Prev][Date Next]
Re: Suitability of LDAP as DNS backend - PowerDNS LDAP backend moving to unmaintained status
- To: firstname.lastname@example.org
- Subject: Re: Suitability of LDAP as DNS backend - PowerDNS LDAP backend moving to unmaintained status
- From: "email@example.com" <firstname.lastname@example.org>
- Date: Thu, 28 Apr 2011 08:46:28 -0400
- Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=bitrate.net; s=default; t=1303994792; bh=azRSYOg6mOUsYq5axBo79qp5AbzLO7d/k54mciOGfrE=; h=Message-ID:Date:From:MIME-Version:To:Subject:References: In-Reply-To:Content-Type:Content-Transfer-Encoding; b=xmGvnesuWusgQDRczh7rV5hnevPCWQVW3lb1WeUCp8SXQA0qU/4W89OW5kBa2aF+Z FLFjr61MyaZA4pR6RqV+4hwAZJXdGifdn7Dr6OgMRC0VdP4DgXqg21xU7t3xOr0aq2 g+d97fpU4QfkBFBQYU9zvXiRt9l26OPEHyBUN+HE=
- In-reply-to: <4DB933D6.email@example.com>
- References: <4DB933D6.firstname.lastname@example.org>
- User-agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:126.96.36.199) Gecko/20110303 Thunderbird/3.1.9
On 2011.04.28 05.31, Nick Milas wrote:
It has been alleged (see ref. above) that "We don't think that LDAP
is a particularly good or interesting place to store DNS data.
this doesn't make much sense to me. from the perspective of traditional [e.g. non dnssec], it's simply another place in which data can be stored. from a dnssec perspective, you could perhaps argue there is additional complexity since rrsets and zones now need to be signed, but really, this is still fundamentally no different than singing the data stored via some other means. the data must be parsed, processed, and written, in some way. just as there are already mechanisms in place for doing this with traditional text files, the very same could be done for data stored in ldap. whatever needs to be done must as some point be done for the first time. the existence of "natural" methods like writing to a text file certainly don't preclude other methods from having value simply because they've not yet been given a formal implementation.
additionally, there is software like phreebird [a dnssec proxy], which allow you to retain all of your dns data in its traditional form, and still provide signed zones. lastly, iirc, the notion of a dns related overlay and/or backend has come up here on occasion. not only would this obviously be a natural fit for openldap, the concepts involved in dnssec could be integrated quite nicely.
Additionally, LDAP/database backend projects for BIND9 (SDB and DLZ)
do not seem very well maintained either. In any case we prefer
PowerDNS approach where backend implementation is cleaner and
with respect to bind, if i were you, i'd keep up to date on the development of bind 10. while it's not my place to speak for the developers, i think you're likely to find quite a bit of attention given to abstraction between the server and its backend ;)