Using OpenLDAP to configure Bind9 DNS Zones


I've recently started migrating much of our network services to OpenLDAP for the backend storage. I've switched completely from NIS authentication to LDAP, and even configured a Samba domain control for the few Windows logins that remain on our network.

For our internal DNS I run Bind9. Bind9 is notoriously hard for the average joe to configure, and up to this point I've been using Webmin to manage my DNS entries. That works fine, but Ubuntu doesn't include Webmin packages, so I've been wanting to switch to something else. LDAP as the backend seemed like a perfect match.

At first I investigated using LDAP directly as the backend for DNS. It turns out this is highly experimental, and it prevents Bind from doing any caching. The best solution is a package called ldap2dns. ldap2dns automatically generates Bind9 zone files and restarts Bind whenever the DNS entries in your LDAP server change.

The downside is that the ldap2dns package included in Ubuntu Hardy Heron is horribly out of date. You'll definitely want to skip the standard package and go straight to the source. Once installed, I found that the named.zones file it generated wouldn't include the full path to the individual zones. Bind9 wouldn't load the actual zone file by simply including the output named.zones file. I could have simply added a static include in my named.conf.local file pointing to my specific zone, but I wanted the flexibility of having Bind automatically find any other zones I might create inside LDAP in the future. This meant editing the source of ldap2dns.c and then recompiling.

I searched through the ldap2dns.c file for the following line:

    fprintf(namedmaster, "zone \"%s\" %s {\n\ttype master;\n\tfile \"%s.db\";\n};\n",

And changed it to read:

    fprintf(namedmaster, "zone \"%s\" %s {\n\ttype master;\n\tfile \"/etc/bind/%s.db\";\n};\n",

In my /etc/rc.local file, I added the following line:

cd /etc/bind/;ldap2dnsd -b "ou=DNS,dc=example,dc=com" -o db -L -h localhost -e "kill -HUP `cat /var/run/bind/run/`"

Obviously, replace the base DN with your own domain name. The ldap2dnsd utility will poll your LDAP tree once a minute, and if the serial number of a zone entry has changed, it will automatically regenerate the zone files and restart Bind.
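A guarded version of that -e hook, added here as an example rather than taken from the post or from ldap2dns: before signalling named it checks the generated named.zones for the relative-path problem described above (every file directive must be absolute and readable) and runs named-checkzone on each zone when bind9utils is installed. The named.zones path and the pid file path are passed in as arguments; neither is assumed.

```shell
#!/bin/sh
# Guarded reload hook for ldap2dnsd's -e option (added example, not part of
# ldap2dns). Instead of a bare "kill -HUP", it first checks the named.zones
# file that ldap2dns generates: every "file" directive must be an absolute,
# readable path, and each zone must pass named-checkzone when that tool is
# installed. Only then is named signalled.

# check_named_zones NAMED_ZONES -> 0 if every zone stanza is loadable
check_named_zones() {
    zones="$1"
    [ -r "$zones" ] || { echo "cannot read $zones" >&2; return 1; }
    bad=0
    list=$(mktemp)
    # Emit "zone-name file-path" pairs; ldap2dns writes one stanza per zone:
    #   zone "example.com" { type master; file "/etc/bind/example.com.db"; };
    awk '/^zone /{z=$2; gsub(/"/,"",z)}
         /file "/{match($0,/"[^"]*"/); print z, substr($0,RSTART+1,RLENGTH-2)}' \
        "$zones" > "$list"
    while read -r zone file; do
        [ -n "$zone" ] || continue
        case "$file" in
            /*) ;;
            *) echo "$zone: relative zone file '$file'; named will not find it" >&2
               bad=1; continue ;;
        esac
        [ -r "$file" ] || { echo "$zone: zone file $file is missing" >&2; bad=1; continue; }
        # Syntax-check the zone data when bind9utils is installed.
        if command -v named-checkzone >/dev/null 2>&1; then
            named-checkzone -q "$zone" "$file" || { echo "$zone: named-checkzone failed" >&2; bad=1; }
        fi
    done < "$list"
    rm -f "$list"
    return $bad
}

# reload_if_valid NAMED_ZONES PIDFILE -> HUP named only when the check passes
reload_if_valid() {
    check_named_zones "$1" || { echo "not reloading named" >&2; return 1; }
    kill -HUP "$(cat "$2")"
}

# Run as the -e hook (the pid file path below is a placeholder for your system):
#   ldap2dnsd ... -e "sh /etc/bind/zonecheck.sh /etc/bind/named.zones /path/to/named.pid"
case $# in 2) reload_if_valid "$@" ;; esac
```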

I now use phpldapadmin to manage my DNS zones. As you can see in the command above, I created an Organizational Unit called "DNS" and placed my zones within it. I didn't find any preconfigured templates for phpldapadmin, so I developed my own simple templates. Feel free to download them and try them out.

Posted by Tony on Feb 16, 2009