BIND9 dyndb

Alexander Bokovoy ab at samba.org
Fri Jan 30 14:20:30 UTC 2026


On Fri, 30 Jan 2026, Norbert Hanke via samba-technical wrote:
> 
> On 30.01.2026 13:46, Alexander Bokovoy via samba-technical wrote:
> > On Fri, 30 Jan 2026, Andrew Bartlett via samba-technical wrote:
> > > On Fri, 2026-01-30 at 06:50 +0200, Alexander Bokovoy via samba-technical wrote:
> > > > On Fri, 30 Jan 2026, Douglas Bagnall wrote:
> > > > > The BIND9 DLZ interface is deprecated.
> > > > > 
> > > > > I am not sure of the schedule but there are mentions of it around, including
> > > > > the 9.20.4 release notes[1]:
> > > > > 
> > > > > > the DLZ interface itself is going to be scheduled for removal,
> > > > > [1]https://bind9.readthedocs.io/en/v9.20.18/notes.html#id104
> > > > > 
> > > > > The preferred replacement seems to be dyndb, which I think would
> > > > > occasionally slurp records into the BIND9 database, rather than reading from
> > > > > LDB for every request (Microsoft has a similarly loose coupling, according
> > > > > to tests). There is an existing module called bind-dyndb-ldap.
> > > > > 
> > > > > 
> > > > > In a Gitlab comment[2], Alexander said
> > > > > 
> > > > > > We plan to add support of samba DC use case to bind-dyndb-ldap. Once
> > > > > > that is done (and migration to support new bind 9.20+), will be able
> > > > > > to drop need for dlz in samba.
> > > > > [2]https://gitlab.com/samba-team/samba/-/merge_requests/3932#note_2321941542
> > > > > 
> > > > > I am curious whether anyone is currently working on this.
> > > > > 
> > > > > https://github.com/freeipa/bind-dyndb-ldap seems a little ignored lately,
> > > > > but maybe that is because it works perfectly.
> > > > bind-dyndb-ldap is hosted at https://pagure.io/bind-dyndb-ldap. Github
> > > > mirror was used for some CI experiments. Pagure itself is going to be
> > > > decommissioned so recently we started moving from it to codeberg:
> > > > https://codeberg.org/freeipa/bind-dyndb-ldap. This move is not complete
> > > > yet.
> > > > 
> > > > > I guess that the modifications for Samba would at least reflect the
> > > > > different schema (for example "DnsRecord" vs "idnsRecord", which presumably
> > > > > have different attributes). Things like `acl_from_ldap()` have me wondering
> > > > > if there is a lot more to consider.
> > > > There is an ongoing work to update bind-dyndb-ldap for bind 9.20+ API
> > > > changes. It includes a substantial rewrite: https://codeberg.org/freeipa/bind-dyndb-ldap/pulls/244
> > > > 
> > > > Adding Samba schema is possible. As for ACLs, we have to deal with bind
> > > > limitations here -- its model of what is allowed for modification is not
> > > > really based on the permissions set in LDAP. In FreeIPA case we simply
> > > > allowed administrators to provide snippets of bind configuration as part
> > > > of the LDAP entries. If you expect AD DC to apply NT security model,
> > > > then it needs to be managed in a way that converts it to bind-specific
> > > > configuration on the fly. After all, access controls are evaluated by
> > > > bind, not by the bind-dyndb-ldap.
> > > I don't think that ACL model is going to work for Samba, so I wonder if
> > > we just sunset BIND9 support with DLZ?
> > That's an option, mostly about documentation changes to make sure
> > internal DNS server is properly promoted.
> It will be useful when samba's built-in DNS could be configured to listen on
> a different port so that the forwarding BIND9 can run on the same system.

It is already there for quite some time, since 4.17.0. Man smb.conf(5):

       dns port (G)

           Specifies which ports the server should listen on for DNS traffic.

           It makes possible to use another DNS server as a front and forward to Samba.

               Warning
               Dynamic DNS updates may not be proxied by the front DNS
               server when forwarding to Samba. Dynamic DNS update proxying depends on
               the features of the other DNS server used as a front.

           Default: dns port = 53

> 

-- 
/ Alexander Bokovoy
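The split-port setup Norbert asks about and the dns port option describes, written out as an added configuration example. It is constructed for this note and is not from the thread or from the Samba, BIND9 or bind-dyndb-ldap projects; the port number 5353, the zone names, the loopback forwarder address and the file paths are assumptions. Samba's internal DNS is moved off port 53 so that BIND9 can own that port and forward the AD zones to Samba:

```conf
# /etc/samba/smb.conf (constructed example; path and port are assumptions)
[global]
    server role = active directory domain controller
    # Move Samba's built-in DNS off port 53 so BIND9 can listen there.
    dns port = 5353

# /etc/bind/named.conf.local (constructed example; BIND9 also accepts '#' comments)
# BIND9 answers clients on port 53 and relays the AD zones to Samba on 5353.
# Samba provisions both the domain zone and the _msdcs sub-zone, so both
# must be forwarded; any other zone is resolved by BIND9 as usual.
zone "samdom.example.com" {
    type forward;
    forward only;
    forwarders { 127.0.0.1 port 5353; };
};

zone "_msdcs.samdom.example.com" {
    type forward;
    forward only;
    forwarders { 127.0.0.1 port 5353; };
};
```

Check the BIND9 side with `named-checkconf` and the Samba side with `testparm` before restarting either service. Note the warning in the smb.conf(5) excerpt above: the front DNS server may not proxy dynamic DNS updates, so clients that register their own records need a path to Samba's listener, which is why the port and the address it is reachable on should be chosen deliberately rather than left open by accident.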
