Configuring DNS Zones With LDAP

This document discusses configuring BIND DNS zones to store zone data in an LDAP database rather than flat files. Key steps include: 1. Compiling BIND with the BIND-SDB-LDAP library to enable LDAP support. 2. Setting up an LDAP schema for DNS zone data and importing sample zone records. 3. Configuring BIND's named.conf to point zones to the LDAP database rather than files. 4. Testing lookups of DNS records now stored in LDAP.

Uploaded by

Yuliexy Socarras

From: https://www.section6.net/wiki/index.php/Configuring_DNS_zones_in_LDAP
===========================================================================
Configuring DNS zones in LDAP
From Section6wiki
Table of contents
1 Configuring DNS zones to use LDAP
1.1 Compiling BIND
1.1.1 BIND-SDB-LDAP
1.2 Setting up the schema
1.3 Configuring the named.conf
1.4 Adding records to the database
1.5 Testing DNS
1.6 Resources
Configuring DNS zones to use LDAP
author: TBONIUS
Often it is desirable to store DNS information in a database rather than in zone files that are flat ASCII text. Storing these zone files in a database can greatly reduce administration overhead, since associated information such as billing contact, account management, etc. can be stored and processed inside the same database. Also, due to the nature of DNS design, information must be stored redundantly on two or more hosts. The classical data replication through zone transfer is unreliable, insecure and often difficult to administer.
To overcome this problem some projects have attempted to store DNS information in relational databases. One of the major issues with many of these attempts is the nature of DNS itself; being hierarchical, it also requires the database to be. Using a relational database to store DNS information can be undesirable, because it becomes difficult to store free-form information as the name space for an organization grows.
Enter LDAP. LDAP (Lightweight Directory Access Protocol) is probably the most widely used hierarchical database protocol today. LDAP allows for flexibility in its database schema, so as one's organization grows or changes, the database used to store information reflecting that organization can also grow and change.
This article will discuss configuring BIND 9.3 to store its zone files in an LDAP directory database. There are a few assumptions made here:
1. The Section6 article "What Is LDAP?" (http://www.section6.net/wiki/index.php/What_is_LDAP) has been read
2. The Section6 article "Using DNS With BIND" (http://www.section6.net/wiki/index.php/Using_DNS_with_BIND) has been read
3. The Section6 article "Keeping Your System Current With CVSUP" (http://www.section6.net/wiki/index.php/Keeping_your_FreeBSD_system_current_with_CVSUP) has been read
4. A full and updated Ports tree exists on a FreeBSD computer
5. A functioning installation of OpenLDAP client and server exists on a FreeBSD computer
Compiling BIND
We first need to fetch and extract the source for BIND9 in the ports tree. We can accomplish this task by going to the BIND directory:

root@host# cd /usr/ports/dns/bind9
root@host# make extract

This will extract the BIND9 source into a work directory under the ports tree. We then need to download a handy library that will allow BIND to use the LDAP client libraries.
BIND-SDB-LDAP
BIND-SDB-LDAP is a modification to the "Simplified Database" (sdb) API that provides an LDAP back-end interface for BIND9. With this API, BIND can store zones in an LDAP database rather than in files. Note that when using sdb, the zones are not cached in memory: BIND will actually perform a database lookup whenever it gets a query.
The BIND-SDB-LDAP tarball is downloadable here (http://www.section6.net/help/bind-sdb-ldap-1.0.tar.gz). Once downloaded, extract it to the directory of your choice by running the following command:

root@host# tar -xzf bind-sdb-ldap-1.0.tar.gz

This will create a bind-sdb-ldap-1.0 directory with the source in it.
Change to the source directory of bind-sdb-ldap-1.0 and copy the ldapdb.c file to /usr/ports/dns/bind9/work/bind-9.3.1/bin/named/ and the ldapdb.h file to /usr/ports/dns/bind9/work/bind-9.3.1/bin/named/include.
After the source files have been copied to the BIND9 work directory, we then need to make a few modifications to the BIND9 source so that, when compiled, it will use the new APIs. Change directories to /usr/ports/dns/bind9/work/bind-9.3.1/bin/named/ and edit the Makefile.in file, making the following modifications where you see these lines:
#
#Add database drivers here.
#
DBDRIVER_OBJS = ldapdb.@O@
DBDRIVER_SRCS = ldapdb.c
DBDRIVER_INCLUDES = -I/usr/local/include
DBDRIVER_LIBS = -L/usr/local/lib -lldap -llber -lresolv
Next we will need to modify the main.c file in the same directory and look for the following line:
/* #include "xxdb.h" */
We need to change this to use the LDAPDB source file:
#include <ldapdb.h>
In the same file, look for the initialization line:
/* xxdb_init(); */
We need to add a line below this to use the LDAPDB initialization function:
ldapdb_init();

And finally we need to find the cleanup routine line:
/* xxdb_clear(); */
We need to add a line below this to use the LDAPDB cleanup function:
ldapdb_clear();
Once this file has been saved, we should be able to return to the main ports directory for BIND9 and try compiling it.
root@host# cd /usr/ports/dns/bind9
root@host# make install
Setting up the schema
Now that we have compiled and installed our new BIND9, we need to extend the schema of OpenLDAP for the storage of zone files in the LDAP database. Download the dnszone schema file (http://www.section6.net/help/dnszone.zip) from Section6.net and extract it. Once extracted, copy the dnszone.schema file to your /usr/local/etc/openldap/schema directory with the rest of the LDAP schemas. Once it has been copied to the schema directory, simply edit the /usr/local/etc/openldap/slapd.conf file and add the following line under the rest of your schemas:
include /usr/local/etc/openldap/schema/dnszone.schema

Once the schema has been included, we must restart OpenLDAP so that the slapd process will load the extended schema.
root@host# /usr/local/etc/rc.d/slapd.sh stop
root@host# /usr/local/etc/rc.d/slapd.sh start
Configuring the named.conf
The usual configuration for named is to store its zones in flat text files located somewhere on the system. The usual configuration in FreeBSD might look something like this:
zone "domain.com" {
type master;
file "zones/db.domain.com";
notify yes;
};
Instead of using the file option to store the zone information, we will replace it with the database option and hand the zone to the ldap sdb driver:
zone "domain.com" {
type master;
database "ldap ldap://localhost/dc=domain,dc=com,o=DNS,dc=domain,dc=no 172800";
};
When doing lookups BIND will do a sub-tree search below the base in the URL. The number 172800 is the TTL which will be used for all entries that do not have the dNSTTL attribute defined in the schema.

Also, if you do not want named to attach anonymously to the LDAP database, you could define something like:
ldap://localhost/dc=domain,dc=com,o=DNS,dc=domain,dc=no????!bindname=cn=admin%2cdc=domain%2cdc=no,!x-bindpw=secret
In the previous example, named attached to the LDAP database as the admin user with the password secret to perform its operations.
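To see exactly what named will do with such a database string, here is an added example (not code from the article or from the bind-sdb-ldap project) that splits the driver argument as described above and decodes the LDAP URL per RFC 4516, flagging an anonymous bind and a bind password kept in named.conf. The split of the string into "ldap", URL and default TTL follows the article's description; the extension names bindname and x-bindpw are the ones the article shows.

```python
"""Decode the sdb-ldap `database "ldap <url> <ttl>"` string from named.conf.
Added example (not from the Section6 article or bind-sdb-ldap). It splits the
driver argument as the article describes (URL, then default TTL) and decodes
the LDAP URL per RFC 4516 (dn?attributes?scope?filter?extensions)."""
from urllib.parse import unquote


def parse_sdb_ldap(database_arg):
    """Return what named will use: host, base, TTL, bind DN, password flag."""
    parts = database_arg.split()
    if len(parts) != 3 or parts[0] != "ldap":
        raise ValueError('expected "ldap <ldap-url> <default-ttl>"')
    _, url, ttl = parts
    if not url.startswith("ldap://"):
        raise ValueError("only ldap:// URLs are handled here")
    host, _, rest = url[len("ldap://"):].partition("/")
    # RFC 4516 fields after the host: dn?attributes?scope?filter?extensions
    fields = (rest.split("?") + [""] * 4)[:5]
    extensions = {}
    # Extensions are comma separated; commas inside a value are %2c, so
    # split first and unquote each value afterwards.
    for ext in filter(None, fields[4].split(",")):
        name, _, value = ext.lstrip("!").partition("=")
        extensions[name.lower()] = unquote(value)
    return {
        "host": host,
        "base": unquote(fields[0]),
        "scope": fields[2],  # left as given; the article says named searches the sub-tree
        "filter": unquote(fields[3]),
        "default_ttl": int(ttl),  # used when an entry has no dNSTTL
        "bind_dn": extensions.get("bindname"),  # None means anonymous bind
        "password_in_config": "x-bindpw" in extensions,
    }


def review(database_arg):
    """List what an administrator should know before trusting this setting."""
    r = parse_sdb_ldap(database_arg)
    notes = [f"base {r['base']} on {r['host']}, default TTL {r['default_ttl']}s"]
    if r["bind_dn"] is None:
        notes.append("anonymous bind: the LDAP ACLs must allow anonymous read "
                     "of the zone entries, and nothing else")
    else:
        notes.append(f"binds as {r['bind_dn']}")
    if r["password_in_config"]:
        notes.append("bind password is stored in named.conf: keep the file "
                     "readable only by the user named runs as")
    return notes
```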
Adding records to the database
Most administrators already use some sort of LDAP administration tool to perform operations such as adding and removing account information from the database. For this example, we will supply what is commonly known as an LDIF file to use as a guideline for adding records to the database. First let us look at what a standard zone file might look like:
@        3600  IN  SOA    ns.domain.com. root.domain.com. (
                          2001030201 3600 1800 604800 86400 )
                   NS     ns.domain.com.
                   MX     10 mail.domain.com.
hosta              A      10.0.0.10
www                CNAME  hosta.my-domain.com.
hostb              A      10.0.0.11

We could represent this zone file with an LDIF file that would look something like this:
dn: relativeDomainName=@, dc=domain, dc=com
objectClass: dNSZone
relativeDomainName: @
zoneName: domain.com
dNSTTL: 3600
dNSClass: IN
sOARecord: ns.domain.com. root.domain.com. 2001030201 3600 1800 604800 86400
nSRecord: ns.domain.com.
mXRecord: 10 mail.my-domain.com.

dn: relativeDomainName=hosta, dc=domain, dc=com
objectClass: dNSZone
relativeDomainName: hosta
zoneName: domain.com
dNSTTL: 86400
dNSClass: IN
aRecord: 10.10.10.10

dn: relativeDomainName=www, dc=domain, dc=com
objectClass: dNSZone
relativeDomainName: www
zoneName: domain.com
dNSTTL: 1800
dNSClass: IN
cNAMERecord: hosta.domain.com.

dn: relativeDomainName=hostb, dc=domain, dc=com
objectClass: dNSZone
relativeDomainName: hostb
zoneName: domain.com
dNSTTL: 3600
dNSClass: IN
aRecord: 10.10.10.11
The LDIF file is a file we manually create to enter the records into the database. Try naming the file something like dnszone.ldif and then import the data into the LDAP database with the following command:
ldapadd -x -H ldap://localhost -D "cn=admin,dc=domain,dc=com" -W -f dnszone.ldif
Here admin would be the name of the administrative account for OpenLDAP. If you are using a different account name such as "Manager", be sure to pass that account name instead.
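Writing the LDIF by hand for more than a few hosts is error-prone, so here is an added example (not from the article or the dnszone schema distribution) that produces dNSZone entries from a record list: one entry per relativeDomainName with all of that owner's records, as the article's entry for "@" combines SOA, NS and MX, and the blank line ldapadd needs between entries. The record-type-to-attribute mapping is assumed from the article's LDIF, and the sample records are constructed from its zone file.

```python
"""Emit dNSZone LDIF entries from a list of resource records.
Added example (not from the Section6 article or the dnszone schema). One
dNSZone entry is produced per relativeDomainName, as the article's LDIF does
for "@", with the blank line LDIF requires between entries. Attribute names
are assumed from the article's LDIF."""

# RR type -> dnszone attribute, as shown in the article's LDIF (assumption)
ATTR = {"SOA": "sOARecord", "NS": "nSRecord", "MX": "mXRecord",
        "A": "aRecord", "CNAME": "cNAMERecord"}

# Constructed sample input: the article's zone as (owner, ttl, type, rdata)
ZONE = "domain.com"
RECORDS = [
    ("@", 3600, "SOA", "ns.domain.com. root.domain.com. 2001030201 3600 1800 604800 86400"),
    ("@", 3600, "NS", "ns.domain.com."),
    ("@", 3600, "MX", "10 mail.domain.com."),
    ("hosta", 86400, "A", "10.0.0.10"),
    ("www", 1800, "CNAME", "hosta.domain.com."),
    ("hostb", 3600, "A", "10.0.0.11"),
]


def group_by_owner(records):
    """Group RRs by owner and reject what one dNSZone entry cannot hold."""
    owners = {}  # insertion-ordered, so "@" stays first
    for owner, ttl, rtype, rdata in records:
        if rtype not in ATTR:
            raise ValueError(f"no dnszone attribute for {rtype}")
        entry = owners.setdefault(owner, {"ttl": ttl, "rrs": []})
        if entry["ttl"] != ttl:  # dNSTTL is per entry: one TTL per owner
            raise ValueError(f"{owner}: mixed TTLs cannot map to one dNSTTL")
        entry["rrs"].append((rtype, rdata))
    for owner, entry in owners.items():
        types = [t for t, _ in entry["rrs"]]
        if "CNAME" in types and len(types) > 1:
            raise ValueError(f"{owner}: CNAME cannot coexist with other data")
    return owners


def to_ldif(zone, base_dn, records):
    """Render one dNSZone entry per owner, separated by blank lines."""
    blocks = []
    for owner, entry in group_by_owner(records).items():
        lines = [f"dn: relativeDomainName={owner},{base_dn}",
                 "objectClass: dNSZone", f"relativeDomainName: {owner}",
                 f"zoneName: {zone}", f"dNSTTL: {entry['ttl']}", "dNSClass: IN"]
        lines += [f"{ATTR[t]}: {rd}" for t, rd in entry["rrs"]]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"
```

Feed the output to the ldapadd command shown above; the CNAME and TTL checks catch the two cases where a zone file's records cannot be expressed as a single entry per owner.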
If you would rather use UI based LDAP administrative tools, Section6 recommends the following:
GQ LDAP (http://biot.com/gq/index2.html) : A GTK-based LDAP client and administration tool
PHP LDAP Admin (http://phpldapadmin.sourceforge.net) : A PHP based LDAP administration tool
Testing DNS
From here we should be able to restart BIND9 and test out our new configuration by simply performing a lookup on the DNS server:
root@host# nslookup hosta.domain.com
Server: ns.domain.com
Address: 10.0.0.1
Name: hosta.domain.com
Address: 10.0.0.10
Looks like our nameserver is functioning properly while storing its zone information in the LDAP database.
If you do run into any issues, or have additional problems or questions, feel free to post to the Section6 Support Forum (http://www.section6.net/board/) and check out the additional resources listed below:
Resources
The LDAP sdb back-end for BIND 9 (http://www.venaas.no/ldap/bind-sdb/) project home page
The BIND9 network (http://www.bind9.net/) information website
The LDAP guru (http://www.ldapguru.com/) Public Information Resource
Retrieved from "https://www.section6.net:443/wiki/index.php/Configuring_DNS_zones_in_LDAP"
