BIND9 dyndb
Alexander Bokovoy
ab at samba.org
Fri Jan 30 04:50:58 UTC 2026
On Fri, 30 Jan 2026, Douglas Bagnall wrote:
> The BIND9 DLZ interface is deprecated.
>
> I am not sure of the schedule but there are mentions of it around, including
> the 9.20.4 release notes[1]:
>
> > the DLZ interface itself is going to be scheduled for removal,
>
> [1]https://bind9.readthedocs.io/en/v9.20.18/notes.html#id104
>
> The preferred replacement seems to be dyndb, which I think would
> occasionally slurp records into the BIND9 database, rather than reading from
> LDB for every request (Microsoft has a similarly loose coupling, according
> to tests). There is an existing module called bind-dyndb-ldap.
>
>
> In a Gitlab comment[2], Alexander said
>
> > We plan to add support of samba DC use case to bind-dyndb-ldap. Once
> > that is done (and migration to support new bind 9.20+), will be able
> > to drop need for dlz in samba.
>
> [2]https://gitlab.com/samba-team/samba/-/merge_requests/3932#note_2321941542
>
> I am curious whether anyone is currently working on this.
>
> https://github.com/freeipa/bind-dyndb-ldap seems a little ignored lately,
> but maybe that is because it works perfectly.
bind-dyndb-ldap is hosted at https://pagure.io/bind-dyndb-ldap. The GitHub
mirror was used for some CI experiments. Pagure itself is going to be
decommissioned, so recently we started moving from it to Codeberg:
https://codeberg.org/freeipa/bind-dyndb-ldap. This move is not complete
yet.
> I guess that the modifications for Samba would at least reflect the
> different schema (for example "DnsRecord" vs "idnsRecord", which presumably
> have different attributes). Things like `acl_from_ldap()` have me wondering
> if there is a lot more to consider.
There is ongoing work to update bind-dyndb-ldap for the bind 9.20+ API
changes. It includes a substantial rewrite: https://codeberg.org/freeipa/bind-dyndb-ldap/pulls/244
Adding the Samba schema is possible. As for ACLs, we have to deal with bind
limitations here -- its model of what is allowed for modification is not
really based on the permissions set in LDAP. In the FreeIPA case we simply
allowed administrators to provide snippets of bind configuration as part
of the LDAP entries. If you expect an AD DC to apply the NT security model,
then it needs to be managed in a way that converts it to bind-specific
configuration on the fly. After all, access controls are evaluated by
bind, not by bind-dyndb-ldap.
--
/ Alexander Bokovoy
More information about the samba-technical mailing list