Re: DNS broken (was: NFS4 and Kerberos: A-records for same IP inflate the need for service principals)



Hi Klaus, hi Andi,

On Sun 09 Jan 2011 22:04:46 CET Klaus Knopper wrote:

2) We drop powerDNS and give bind a try. This means merely installing
bind instead of powerDNS, appending a line to a configuration file and
touching another one [1]. Regarding the simplicity, it could also be
considered as an intermediate solution until we have something else.

I strongly support this option. IMHO, DNS data just does not belong into
LDAP. Bind is optimized to distribute DNS data with the most efficiency
and reliability, and "PowerDNS" may just add an additional layer of
abstraction that can introduce unwanted side effects like the one you
observed.

Btw, what was the reason to choose PowerDNS in Skolelinux as default,
anyways? Just to "have everything in LDAP"? There was surely a
discussion about this that I have missed.

For small customers I sometimes extract /etc/hosts files and dyndnsmasq configurations from LDAP via cron. (I am not throwing another DNS service in the race, I am just pronouncing the benefits of LDAP2FILE syncs for DNS).

As DNS is a vital functionality (esp. with Kerberos) and LDAP _can_ fail in production sometimes, I think it very wise to have DNS based on files (and not on an available slapd service).

However, with a regular or hook-based ldap->bind9-sync (i.e. after modifications of the info stored in LDAP), one must make sure that---in case slapd is offline or dysfunctional---the system does not end up with an empty bind9 DNS-zone configuration...

Greets,
Mike




--

DAS-NETZWERKTEAM
mike gabriel, dorfstr. 27, 24245 barmissen
fon: +49 (4302) 281418, fax: +49 (4302) 281419

GnuPG Key ID 0x1943CA5B
mail: m.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
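
The safeguard described in the last paragraph of the message, as an added example that is not part of the original post: a guard that installs a freshly exported zone file only if it passes sanity checks, so a failed LDAP export never replaces the live bind9 zone. The function name, file names and thresholds are assumptions, and the LDAP export step itself is assumed to have already written the candidate file.

```shell
#!/bin/sh
# Added example (hypothetical helper): gate for an LDAP -> bind9 zone export.
# install_zone_if_sane CANDIDATE LIVE MIN_RECORDS [ZONE_NAME]
# Returns 0 and atomically replaces LIVE when CANDIDATE looks sane;
# returns 1 and leaves LIVE untouched otherwise.
install_zone_if_sane() {
    candidate=$1 live=$2 min_records=$3 zone=${4:-}

    # slapd offline or export crashed: file missing or zero bytes.
    [ -s "$candidate" ] || { echo "reject: empty export" >&2; return 1; }

    # A zone without an SOA record cannot be loaded by bind9.
    grep -Eq '[[:space:]]SOA[[:space:]]' "$candidate" ||
        { echo "reject: no SOA record" >&2; return 1; }

    # A partial LDAP answer can yield a header with almost no hosts.
    records=$(grep -Ec '[[:space:]](A|AAAA)[[:space:]]' "$candidate" || true)
    [ "$records" -ge "$min_records" ] ||
        { echo "reject: only $records address records" >&2; return 1; }

    # Full syntax check when a zone name is given and the bind9 tool exists.
    if [ -n "$zone" ] && command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone -q "$zone" "$candidate" ||
            { echo "reject: named-checkzone failed" >&2; return 1; }
    fi

    # Copy next to the live file, then rename: rename within one directory
    # is atomic, so bind9 never sees a half-written zone.
    tmp="$live.new.$$"
    cp "$candidate" "$tmp" && mv -f "$tmp" "$live"
}

# Demo with constructed data: an empty export must not replace the live zone.
demo=$(mktemp -d)
printf '@ IN SOA ns.intern. root.intern. ( 1 3600 600 86400 300 )\nns IN A 10.0.2.2\n' \
    > "$demo/live.zone"
: > "$demo/export.zone"
install_zone_if_sane "$demo/export.zone" "$demo/live.zone" 1 ||
    echo "live zone kept"
rm -rf "$demo"
```

In a cron job or LDAP hook, reload bind9 only when the function returns 0, and alert on a non-zero return so a dead slapd is noticed rather than silently tolerated.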
