Review request: DNS server implementation

Michael Wood esiotrot at gmail.com
Wed Oct 13 06:37:59 MDT 2010


On 13 October 2010 14:15, simo <idra at samba.org> wrote:
> On Wed, 2010-10-13 at 23:08 +1100, tridge at samba.org wrote:
>> > Just my 2c.
>> > We automated the installation of bind + our ldap backend in freeipa
>> > pretty easily. Granted it would have to be adjusted to fit other
>> > distributions due to where they place files, but that is simply a matter
>> > of making some paths in the python scripts a variable.
>>
>> simply a matter ... yes, I thought this, till I started trying to
>> actually do it!
>>
>> It's the kerberos part that is the killer. It's just really
>> flakey. I've been working on patches to improve it, but it will still be
>> less than ideal.
>
> Do you have any detail? So far we haven't seen major problems, but we
> also had a dedicated person that knew the bind code base (and wrote
> bind-dyndb-ldap) and did most of the testing.
> But if there are intrinsic kerberos problems I am more than happy to
> help where I can.

I am sure this is not what tridge is referring to, but I'd much prefer
a command line option or something I can put into named.conf to
specify the keytab file to use instead of relying on an environment
variable.

Also, on Ubuntu, when you enable the Kerberos stuff, bind wants to
create a file called /var/tmp/DNS_104, which is denied by AppArmor.  I
don't know if that name is constant or what happens if there's already
a file/directory called that when bind starts, so my solution of
telling AppArmor to allow it seems possibly fragile.

I haven't tried letting Windows clients do dynamic DNS updates, so I
haven't used the patched version of bind yet.

-- 
Michael Wood <esiotrot at gmail.com>


More information about the samba-technical mailing list