BIND9 dyndb
Andrew Bartlett
abartlet at samba.org
Fri Jan 30 09:32:25 UTC 2026
On Fri, 2026-01-30 at 06:50 +0200, Alexander Bokovoy via samba-technical wrote:
> On Fri, 30 Jan 2026, Douglas Bagnall wrote:
> > The BIND9 DLZ interface is deprecated.
> >
> > I am not sure of the schedule but there are mentions of it around, including
> > the 9.20.4 release notes[1]:
> >
> > > the DLZ interface itself is going to be scheduled for removal,
> >
> > [1]https://bind9.readthedocs.io/en/v9.20.18/notes.html#id104
> >
> > The preferred replacement seems to be dyndb, which I think would
> > occasionally slurp records into the BIND9 database, rather than reading from
> > LDB for every request (Microsoft has a similarly loose coupling, according
> > to tests). There is an existing module called bind-dyndb-ldap.
> >
> >
> > In a Gitlab comment[2], Alexander said
> >
> > > We plan to add support of samba DC use case to bind-dyndb-ldap. Once
> > > that is done (and migration to support new bind 9.20+), will be able
> > > to drop need for dlz in samba.
> >
> > [2]https://gitlab.com/samba-team/samba/-/merge_requests/3932#note_2321941542
> >
> > I am curious whether anyone is currently working on this.
> >
> > https://github.com/freeipa/bind-dyndb-ldap seems a little ignored lately,
> > but maybe that is because it works perfectly.
>
> bind-dyndb-ldap is hosted at https://pagure.io/bind-dyndb-ldap. Github
> mirror was used for some CI experiments. Pagure itself is going to be
> decommissioned so recently we started moving from it to codeberg:
> https://codeberg.org/freeipa/bind-dyndb-ldap. This move is not complete
> yet.
>
> > I guess that the modifications for Samba would at least reflect the
> > different schema (for example "DnsRecord" vs "idnsRecord", which presumably
> > have different attributes). Things like `acl_from_ldap()` have me wondering
> > if there is a lot more to consider.
>
> There is an ongoing work to update bind-dyndb-ldap for bind 9.20+ API
> changes. It includes a substantial rewrite: https://codeberg.org/freeipa/bind-dyndb-ldap/pulls/244
>
> Adding Samba schema is possible. As for ACLs, we have to deal with bind
> limitations here -- its model of what is allowed for modification is not
> really based on the permissions set in LDAP. In FreeIPA case we simply
> allowed administrators to provide snippets of bind configuration as part
> of the LDAP entries. If you expect AD DC to apply NT security model,
> then it needs to be managed in a way that converts it to bind-specific
> configuration on the fly. After all, access controls are evaluated by
> bind, not by the bind-dyndb-ldap.
I don't think that ACL model is going to work for Samba, so I wonder if
we just sunset BIND9 support with DLZ?
The internal server has proven itself pretty well over the years, and
we can continue to recommend folks put a real DNS server in front of it
with a conditional forward to Samba.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org