[Pdns-users] Status of the LDAP backend in 3.0 release

Nick Milas nmilas at admin.noa.gr
Sat Apr 30 08:00:57 UTC 2011

On 23/3/2011 11:05 AM, bert hubert wrote:

> To clarify, PowerDNS development happens because of one or more of the
> following three reasons:
> ...
> We also develop quite some things because, frankly, we find them cool.
> For LDAP, right now none of these things is the case. 1) We don't feel that
> LDAP is a particularly good or interesting place to store DNS data. It will
> for example have big problems with PowerDNSSEC because of lack of ordering.
Although some time has passed since this thread started, and nothing 
has changed in essence (we have no news from Udo Rader, who offered to 
work on the issues), I would like to add a couple of points.

1. I really find storing DNS records in LDAP cool and fun, and I have 
been wondering why there is so little interest in it.
2. I have discussed the issue on the openldap mailing list (see: 
and the associated thread) and people there also think that:

    * LDAP *IS* the best place to store DNS data
    * Maintaining/evolving the PowerDNS LDAP backend is "interesting and
      worthwhile" (but no one has volunteered to work on it, at least yet)

As I have said in the past, I agree with the above. It strikes me that, 
although LDAP seems perhaps the best solution to store DNS records (at 
least from a potential performance perspective), there seems to be so 
little use of it! I will attribute this to:

    (a) the BIND LDAP backend (dlz / sdb) being highly experimental and
    practically unsuitable for production
    (b) lack of publicity about PowerDNS itself, let alone its LDAP backend.
    (c) lack of "critical momentum" for PowerDNS - LDAP, mainly caused
    by lack of case studies, performance test results (e.g. LDAP vs
    MySQL backends), white papers, studies with focus on large domains,
    etc. - to prove beyond doubt it's worth it even for enterprise use.
    (d) lack of nice management tools that would allow (LDAP-stored) DNS
    record management using an easy and efficient GUI (which would also
    enforce all needed checks when changing records etc.). The reasons for
    this are (b) and (c) above. But there is some ongoing activity on
    this (see for example the GoSA project:
    For our organization's needs, we have developed a PHP application
    which is very convenient (but it would require a lot of work to become
    more generic, and the programming is rather non-professional).

So, considering the above, I would like to underline that LDAP should 
NOT become unmaintained:

    (i) It would not be difficult to include at least the proposed patch
    for Ticket #313
    in one v3.0 build so we can install and test it.
    (ii) I would encourage the PowerDNS developers to at least provide a
    solution for Ticket #260 (= #323) (the time/effort for this should be very
    low), which is the minimum needed to keep the LDAP backend in production status
    in the new versions. This will buy time to hopefully build up
    (b), (c), (d) above.

I have no personal reasons to promote this work (it would have been 
easier for me, and would require much less time than what I am doing now, 
to switch to any other backend), but, feeling comfortable in a nice 
community like this, I have publicly expressed my feelings regarding 
what I believe is/should be a real power in PowerDNS, which we all want 
to thrive.
