Hi Nick, hi all!
My 2 cents on this:
I think there are two quite independent questions here, which are:
1. Is LDAP a good database to store DNS information in? I mean, conceptually.
2. How is the support for LDAP as a backend database in various DNS server implementations?
Talking about question #1:
What are the alternatives available?
- files?
- relational databases?
IMO the good old zone files are not really up to the task unless you are editing them manually in vi. Whenever you are looking for some kind of automation, you need to write way more complex scripts than you want to. And you always risk that any manual edits of the zone files break your parser or anything. So zone files are really not an option if you ask me.
Whether you use LDAP or relational databases is, for some people, a question of taste or of what you are used to. If you have never worked with LDAP but are very confident with MySQL, then you may for sure prefer a relational database as backend storage. But this is a bit of the good old "if the only tool you have is a hammer, ..." kind of thing.
LDAP is different from relational databases in a number of aspects. To name a few:
- LDAP is query optimized, while relational databases are optimized for OLTP. In other words, LDAP's performance on updates may be a lot worse than that of a relational database, but its query performance should be a lot better. I do admit, though, that given today's available processing power, in many cases it will be hard to measure the difference here.
- LDAP stores tree-like structures, not tables. LDAP is really nice if you want to have one tree with different branches which different people, groups or organizations have access to. LDAP ACLs are very fine grained. Many SQL databases (especially the "cheaper" ones; cheaper in the sense of resources, not money) have nothing at all or only very black / white ACL schemas available.
- LDAP has been designed for replication, which is a major plus in many setups. Yes, you can replicate relational databases as well, but this is a quite complex process. See also the last remark.
- If one understands how LDAP schemas work, one can very easily attach the attributes needed by DNS to existing LDAP objects describing your systems.
So IMO LDAP *is* the best suited backend storage for DNS database data that I know of. (I am always open to new ideas I may not yet have heard or thought of.)
Talking about question #2:
I never used PowerDNS, we always went with BIND. Fortunately the DLZ parts made it into the code, and the version which has them built in has made it into the standard Linux distros in the meantime.
AFAIK there are no plans to drop LDAP backend support from BIND. So maybe you should just consider to switch there.
What does PowerDNS do that BIND doesn't do for you?
Regards, Torsten
On Thu, 28 Apr 2011 12:31:02 +0300, Nick Milas nick@eurobjects.com wrote:
Hi,
We have been using PowerDNS Authoritative Server v9.22 with the LDAP backend (simple mode) for several months, using OpenLDAP (v2.4.22), for hosting our organization's domains (and reverse zones), and it has been working fine (low query times, reliable, etc.), so we enjoy having all our organization's data stored/maintained in the same DIT in LDAP.
However, as PowerDNS Authoritative Server is preparing for the next version (3.0), it seems that the LDAP backend will be unmaintained (see:
http://mailman.powerdns.com/pipermail/pdns-users/2011-March/007547.html)
as the LDAP backend developer is no longer working on it (see:
http://www.mail-archive.com/pdns-users@mailman.powerdns.com/msg03625.html).
It has been alleged (see ref. above) that "We don't think that LDAP is a
particularly good or interesting place to store DNS data. It will for example have big problems with PowerDNSSEC because of lack of ordering."
Moreover, PowerDNS LDAP backend (although current open bugs are very few
and of relatively low severity) lacks features (e.g. Notify, which we implement using custom script, cron and notify-dns-slaves, see:
http://mailman.powerdns.com/pipermail/pdns-users/2010-October/007109.html)
and is not being evolved any more.
Additionally, LDAP/database backend projects for BIND9 (SDB and DLZ) do not seem very well maintained either. In any case we prefer PowerDNS approach where backend implementation is cleaner and direct.
So, my questions:
* From the above and your experience, do you consider that LDAP should not be preferred as a DNS backend?
* Should LDAP be avoided as a DNS/DNSSEC backend?
* Would any companies / developer(s) from the OpenLDAP world - perhaps already using or interested in using DNS with an LDAP backend - be willing to devote some time to fix a couple of small bugs and keep the very well-designed and developed PowerDNS LDAP backend in shape? We could even start some community donation effort (to support this development), but I don't know if there is sufficient usage/interest in the LDAP backend to generate enough funds.
In essence, should we drop LDAP as a DNS record datastore, due to the lack of a properly maintained backend and/or unsuitability for (e.g. DNSSEC) evolution, or do you think there IS interest in the maintenance / evolution of the LDAP backend by the OpenLDAP developers/community (even by becoming more OpenLDAP-oriented rather than being cross-platform)?
Best Regards, Nick
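Added worked example (not code from either message, nor from PowerDNS or BIND): it illustrates both Torsten's point that DNS data can be attached as attributes to ordinary LDAP entries and the "lack of ordering" objection quoted in Nick's message. It reads constructed LDIF in the style of the dNSDomain2 schema (real attribute names: associatedDomain, aRecord, nSRecord, sOARecord, dNSTTL), flattens the entries to zone records, and then computes the RFC 4034 canonical owner-name order an NSEC chain needs, which an LDAP search does not provide. The DNs, names and addresses are made up; the TTL default and the attribute-to-type table are this example's own assumptions.

```python
"""Added example, not code from the thread, PowerDNS or BIND: read dNSDomain2-style
LDAP entries, flatten them to zone records, and compute the RFC 4034 canonical
owner-name order an NSEC chain needs (an order LDAP itself never guarantees)."""
import base64
from collections import defaultdict

# Constructed sample LDIF in the style of the dNSDomain2 schema shipped with the
# PowerDNS LDAP backend; DNs, names and addresses are made up for this example.
SAMPLE_LDIF = """\
dn: dc=example,dc=org,ou=dns,dc=example,dc=org
objectClass: dNSDomain2
associatedDomain: example.org
dNSTTL: 86400
sOARecord: ns1.example.org. hostmaster.example.org. 2011042801 3600 900 604800 300
nSRecord: ns1.example.org.

dn: dc=ns1,dc=example,dc=org,ou=dns,dc=example,dc=org
associatedDomain: ns1.example.org
aRecord: 192.0.2.1

dn: dc=www,dc=example,dc=org,ou=dns,dc=example,dc=org
associatedDomain: www.example.org
aRecord: 192.0.2.80

# Mixed case: DNS names compare case-insensitively, raw LDAP values do not.
dn: dc=b,dc=example,dc=org,ou=dns,dc=example,dc=org
associatedDomain: B.Example.Org
aRecord: 192.0.2.2

# Folded DN (LDIF continuation line) and a name one label below www.
dn: dc=a,dc=www,dc=example,
 dc=org,ou=dns,dc=example,dc=org
associatedDomain: a.www.example.org
aRecord: 192.0.2.82
"""

# dNSDomain2 attribute (lowercased) -> RR type it carries (assumed subset)
RR_ATTRS = {'soarecord': 'SOA', 'nsrecord': 'NS', 'mxrecord': 'MX', 'arecord': 'A'}


def parse_ldif(text):
    """LDIF -> list of {attribute: [values]}; handles folded lines, '#' comments, '::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:      # leading space continues the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():                   # blank line ends the entry
            current = None
            continue
        if line.startswith('#'):
            continue
        name, sep, value = line.partition(':')
        if not sep:
            raise ValueError(f'malformed LDIF line: {line!r}')
        value = (base64.b64decode(value[1:]).decode('utf-8') if value.startswith(':')
                 else value.strip())
        if name.lower() == 'dn':
            entries.append(current := {})
        elif current is None:
            raise ValueError(f'attribute outside an entry: {line!r}')
        current.setdefault(name, []).append(value)
    return entries


def canonical_name(name):
    """Owner names are case-insensitive: lowercase, absolute, one trailing dot."""
    return name.strip().rstrip('.').lower() + '.'


def canonical_key(name):
    """RFC 4034 s6.1 sort key: labels compared right to left as lowercase octets,
    a shorter prefix first. Python's tuple-of-bytes comparison does exactly that."""
    return tuple(l.encode('ascii') for l in reversed(canonical_name(name)[:-1].split('.')))


def entries_to_rrs(entries, default_ttl=3600):
    """Flatten entries to (owner, ttl, type, rdata); LDAP attribute names are case-insensitive."""
    rrs = []
    for entry in entries:
        attrs = {k.lower(): v for k, v in entry.items()}
        ttl = int(attrs.get('dnsttl', [default_ttl])[0])
        for owner in attrs.get('associateddomain', []):
            for attr, rtype in RR_ATTRS.items():
                for rdata in attrs.get(attr, []):
                    rrs.append((canonical_name(owner), ttl, rtype, rdata))
    return rrs


def nsec_chain(rrs):
    """(owner, next_owner, type_bitmap) per name in canonical order, last wrapping to
    the apex. LDAP returns entries unordered; a DNSSEC signer must add this sort."""
    types = defaultdict(set)
    for owner, _, rtype, _ in rrs:
        types[owner].add(rtype)
    owners = sorted(types, key=canonical_key)
    return [(o, owners[(i + 1) % len(owners)], ' '.join(sorted(types[o] | {'NSEC', 'RRSIG'})))
            for i, o in enumerate(owners)]


if __name__ == '__main__':
    rrs = entries_to_rrs(parse_ldif(SAMPLE_LDIF))
    print('\n'.join(f'{o} {ttl} IN {t} {rd}' for o, ttl, t, rd in rrs))
    for o, nxt, bitmap in nsec_chain(rrs):
        print(f'{o} NSEC {nxt} {bitmap}')
```

The point of the last function is the one Nick's quoted objection makes: an LDAP search returns entries in whatever order the server chooses, and a plain string sort of the names gives the wrong chain (a.www.example.org. would sort before example.org.), so an NSEC-style signer has to derive the canonical order itself from whatever the backend returns. Against a real server the parse step would be replaced by an LDAP search over the dNSDomain2 entries; the rest is unchanged.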