Review request: DNS server implementation

Michael Wood esiotrot at
Wed Oct 13 06:37:59 MDT 2010

On 13 October 2010 14:15, simo <idra at> wrote:
> On Wed, 2010-10-13 at 23:08 +1100, tridge at wrote:
>> > Just my 2c.
>> > We automated the installation of bind + our ldap backend in freeipa
>> > pretty easily. Granted it would have to be adjusted to fit other
>> > distributions due to where they place files, but that is simply a matter
>> > of making some paths in the python scripts a variable.
>> simply a matter ... yes, I thought this, till I started trying to
>> actually do it!
>> It's the kerberos part that is the killer. It's just really
>> flakey. I've been working on patches to improve it, but it will still be
>> less than ideal.
> Do you have any detail? So far we haven't seen major problems, but we
> also had a dedicated person that knew the bind code base (and wrote
> bind-dyndb-ldap) and did most of the testing.
> But if there are intrinsic kerberos problems I am more than happy to
> help where I can.

I am sure this is not what tridge is referring to, but I'd much prefer
a command line option or something I can put into named.conf to
specify the keytab file to use instead of relying on an environment

Also, on Ubuntu, when you enable the Kerberos stuff, bind wants to
create a file called /var/tmp/DNS_104, which is denied by AppArmor.  I
don't know if that name is constant or what happens if there's already
a file/directory called that when bind starts, so my solution of
telling AppArmor to allow it seems possibly fragile.

I haven't tried letting Windows clients do dynamic DNS updates, so I
haven't used the patched version of bind yet.

Michael Wood <esiotrot at>
