openldap, dlz and dynamic dns updates from isc-dhcpd

Evan Hunt each at
Mon Sep 24 22:31:42 UTC 2012

> Here's a possibly wrong assumption:  there are BIND deployments that
> use openldap (or an RDBMS, or something else) rather than zone files
> to hold DNS mappings (name to ip address & vice versa), and these
> alternative backends are updated when the DHCP server hands out or
> revokes a lease.
> Is this so? If so, how is the DNS information updated?

There are two sorts of DLZ driver out there -- the older ones that don't
support dynamic update and have to be statically linked into the "named"
binary to work, and then newer ones like Andrew Tridgell's, which are
run-time loadable and can (if desired) be written to accept updates via
dynaamic DNS.

There *is* an LDAP DLZ driver, but it's an old-style driver so it
can't accept DDNS updates.  You could probably write some kind of DHCP hook
that updated the LDAP data directly, *not* using dynamic DNS, but I don't
think that's what you were asking about.  To use LDAP *and* accept DDNS
updates, you'd need a new-style DLZ driver that supported LDAP, which is
certainly possible, but I don't know whether anyone's done it yet.  (I'm
guessing not, though; I think I would've heard.)

> > I'm not sure what you mean by "using encryption".
> :-)  I'm not sure either.  In DHCP config, within a zone { ... }
> block, there are key <keyname> directives.   It seems that BIND & DHCP
> can use a key to be sure of each other and the validity of DNS updates
> coming from the DHCP server.   Am I on the right track?   When I wrote
> 'encryption' this is what I was referring to.

Okay, you're talking about authentication using TSIG keys -- I thought
so, but wasn't quite sure. :)

There shouldn't be any conflict between that and DLZ.

Evan Hunt -- each at
Internet Systems Consortium, Inc.

More information about the bind-users mailing list