BIND9 dyndb
Norbert Hanke
norbert.hanke at gmx.ch
Fri Jan 30 14:03:11 UTC 2026
On 30.01.2026 13:46, Alexander Bokovoy via samba-technical wrote:
> On Fri, 30 Jan 2026, Andrew Bartlett via samba-technical wrote:
>> On Fri, 2026-01-30 at 06:50 +0200, Alexander Bokovoy via samba-technical wrote:
>>> On Fri, 30 Jan 2026, Douglas Bagnall wrote:
>>>> The BIND9 DLZ interface is deprecated.
>>>>
>>>> I am not sure of the schedule but there are mentions of it around, including
>>>> the 9.20.4 release notes[1]:
>>>>
>>>>> the DLZ interface itself is going to be scheduled for removal,
>>>> [1]https://bind9.readthedocs.io/en/v9.20.18/notes.html#id104
>>>>
>>>> The preferred replacement seems to be dyndb, which I think would
>>>> occasionally slurp records into the BIND9 database, rather than reading from
>>>> LDB for every request (Microsoft has a similarly loose coupling, according
>>>> to tests). There is an existing module called bind-dyndb-ldap.
>>>>
>>>>
>>>> In a Gitlab comment[2], Alexander said
>>>>
>>>>> We plan to add support of the samba DC use case to bind-dyndb-ldap. Once
>>>>> that is done (and migration to support new bind 9.20+), we will be able
>>>>> to drop the need for dlz in samba.
>>>> [2]https://gitlab.com/samba-team/samba/-/merge_requests/3932#note_2321941542
>>>>
>>>> I am curious whether anyone is currently working on this.
>>>>
>>>> https://github.com/freeipa/bind-dyndb-ldap seems a little ignored lately,
>>>> but maybe that is because it works perfectly.
>>> bind-dyndb-ldap is hosted at https://pagure.io/bind-dyndb-ldap. The GitHub
>>> mirror was used for some CI experiments. Pagure itself is going to be
>>> decommissioned, so recently we started moving from it to Codeberg:
>>> https://codeberg.org/freeipa/bind-dyndb-ldap. This move is not complete
>>> yet.
>>>
>>>> I guess that the modifications for Samba would at least reflect the
>>>> different schema (for example "DnsRecord" vs "idnsRecord", which presumably
>>>> have different attributes). Things like `acl_from_ldap()` have me wondering
>>>> if there is a lot more to consider.
>>> There is ongoing work to update bind-dyndb-ldap for the bind 9.20+ API
>>> changes. It includes a substantial rewrite: https://codeberg.org/freeipa/bind-dyndb-ldap/pulls/244
>>>
>>> Adding the Samba schema is possible. As for ACLs, we have to deal with bind
>>> limitations here -- its model of what is allowed for modification is not
>>> really based on the permissions set in LDAP. In the FreeIPA case we simply
>>> allowed administrators to provide snippets of bind configuration as part
>>> of the LDAP entries. If you expect the AD DC to apply the NT security model,
>>> then it needs to be managed in a way that converts it to bind-specific
>>> configuration on the fly. After all, access controls are evaluated by
>>> bind, not by bind-dyndb-ldap.
>> I don't think that ACL model is going to work for Samba, so I wonder if
>> we just sunset BIND9 support with DLZ?
> That's an option, mostly about documentation changes to make sure
> internal DNS server is properly promoted.
It would be useful if Samba's built-in DNS could be configured to
listen on a different port, so that a forwarding BIND9 can run on the
same system.