ldapdns / ldapaxfr


welcome to LDAPDNS.


i wrote LDAPDNS simply because there is no other LDAP<->DNS gateway that
I found useful, and infact, there are/were only two others that I am/was
aware of:
	1. Microsoft Active Directory
	2. BIND+LDAP (patch)

If you need to know why these are completely wrong, go elsewhere,
because I'm not going to explain it in this README.

Still here?

LDAPDNS is a fast, rhobust, and powerful content DNS server.

It does not do:
	recursive resolving
	proxying
	caching

or anything else but serve DNS content.

The first version of LDAPDNS was written as a patch to DJBDNS - a very
fine DNS server. However, OpenLDAP was unstable at the time, and had
lots of bugs in the client-side code. It also blocked frequently, and
even sometimes disappeared completely.

LDAPDNS 2 is a rewrite that primarily addresses problems with OpenLDAP,
and also succeeds the original: It is faster than other nameservers, and
can scale above and beyond any other nameserver. <README.comparison>

LDAPDNS does some things that other nameservers don't -- a kind of
innovation if you will -- and AFAIK, is the only nameserver that
supports generic records AND still compresses domain-names inside of
them <README.generic-rr>

Like DJBDNS, it supports "split-horizon" DNS, and also puts in some
offensive programming tactics that make LDAPDNS safe to use.
	a remote user cannot write to the LDAP server (permissions)
	a remote user cannot trash the filesystem
	a remote user cannot gain access to a "shell"
some of the should-not's :)
	a remote user should not be able to crash LDAPDNS

that's a hard one. I'm not as good a programmer as DJB -- but his
tactics have changed my code - and continue to. One day, I'll be able to
make a guarantee :)

Like BIND, you can make binary packages of LDAPDNS, and unlike the ISC,
I will actually try and help you with it! Redistribution of LDAPDNS is a
good thing...

If you have any questions at all about LDAPDNS, feel free to contact me
directly; all my relevent contact information is on my website.

administration tools readme

this assumes ldapdns was setup into /service/ldapdns using ldapdns-conf
first note:
these tools ONLY work with the vanilla ldapdns system. they're not
suited for Active Directory or BIND. there are existing tools for that.

i also assume that you've installed perl, and at least Net::LDAP.

configuration:

1.	create a directory off of home called ~/.ldapdns/
	* optional: more than one user can "share" a config by creating
	/.ldapdns/ or (admintooldir)/.config/ but be warned; these
	users will have access to your LDAP password.

	* optional: this directory is also read from $ROOT;
	you can use that too

	this directory is called $ROOT for the remainder of this document

2.	create two directories:
		$ROOT/env
		$ROOT/root
	copy the files LDAP_BINDDN LDAP_HOST and LDAP_SUFFIX from
	/service/ldapdns/env to $ROOT/env

	copy the file "password" from /service/ldapdns/root into $ROOT/root

	* optiona: make symlinks instead of directories;
		ln -s /service/ldapdns/env $ROOT/env
		ln -s /service/ldapdns/root $ROOT/root

3.	if you don't use TLS/SSL (e.g. LDAPS) then comment out that code
	at the top of config.pl and:
		echo 1 > $ROOT/env/TRUSTED_NETWORK

4.	if you're going to be using transfer_zone to transfer zones from
	another nameserver into your directory, note that transfer_zone has
	TWO MODES of operation:
		1. a normal zone-transfer tool
		2. a zone-migration tool
	to invoke "type 2" set two envrionment variables prior to use:
		IP		the local IP of the nameserver
		LOCAL_NS	nameservers (names) handling PTR entries...
	you may need to hack this a bit yourself... contact me if you have
	any questions...

5.	another possibility (thanks to <jordan@mjh.teddy-net.com>) is to use
	secondary_zone; which basically eats BIND zone files and populates
	the directory. this can be very useful for "trying out" data. some
	warnings (from me):
		1. make sure that if you're going to use $RELATIVE_NAMES
		that you set it in the environment whenever you run
		secondary_zone

		(more to come)

and that's it! the admin scripts should now work as you'd expect.
Rather: as I would expect.

just remember that set_sub_alias/mx ACTUALLY modifies the "source"
instead of the "destination" (think of these as the direction of
aliasing)

the zone-transfer server (ldapaxfr) works similar to djbdns axfrdns
except that it pulls "zones" out of the ldap server.

the zone-transfer server REQUIRES that the AXFR environment variable be
set to:
	a single dot
or
	a root of the attempted zone

before allowing a zone transfer to occur. AXFR can be disabled (by not
setting the AXFR environment variable, or setting it to an empty string)
and ldapaxfr will still answer regular queries via TCP.

this change is primarily to support APNIC (asia and australia) domains
that insist on TCP service but the administrator does not want wide-open
zone transfers...

sample/axfr contains a default configuration for this.

a lot of people are curious as to how ldapdns stacks up to other DNS
servers.

			ldapdns		djbdns	bind	msdns
-----------------------------------------------------------------------
threaded        yes     no[11]  no      probably
scalable        yes     no      no[6]   no[8]
live update     yes[1]  yes[3]  yes[7]  yes[9]
bind zone file  yes[2]  no[4]   yes     yes[2]
ldap support    yes     no      no      yes
client diff.    yes     yes     no      yes
recursive       no      yes[5]  yes     yes
size (in lines) 6k      11k     233k    ?[10]
unixish?        yes     yes[12] yes     no
windows?        no      no      yes     yes

[1]	ldapdns supports live update by-way of it's LDAP server
	security is enforced by the LDAP server
[2]	MS-DNS and ldapdns can both import BIND zone files.
[3]	djbdns does not keep queries in memory; all requests go to the disk
[4]	there are third party tools to support imports
[5]	djbdns uses a tool called dnscache to provide recursive-resolver
	capabilities. i highly recommend it's use.
[6]	bind is about as un-scalable as you can get. it's bloated and
	sluggish, it is NOT multithreaded, and must keep all records in
	memory.
[7]	bind supports live updates through the NS-UPDATE protocol which
	tries to attach modification requests into the DNS protocol stream.
	there are no security considerations whatsoever when using NS-UPDATE
[8]	i discount MSDNS scalability simply because it isn't tunable, and
	responsiveness does not seem to increase linearly as ram and cpus
	increase.
[9]	MSDNS also supports NS-UPDATE, but it is less favored that
	Microsoft's internal update that relies on Active Directory.
[10] my guess? huge.
[11] djbdns would never benefit from a threaded core. the response loop
	is tighter than a single task-switch in many cases. preforking can
	improve response times on multiprocessor machines- but nowhere else.
[12] unixish on djbdns means many things. i suspect djbdns will be the
	last djb software written for unixish systems. take this how you
	like.
[*]	size in LOC (lines of code) is difficult to understand. said
	plainly, the less code there is, the easier it is to determine where
	problems are. LDAPDNS is huge (imho) as a nameserver (non-proxying,
	non-caching), and yet I cannot imagine that even 10% of BIND is
	"only" the content serving part.

security comparisons are difficult to come by. MSDNS is highly
integrated into Active Directory, so you could say that any and all
Active Directory bugs are also bugs to MSDNS. Likewise, LDAPDNS is at
the mercy of your LDAP directory. BIND is historically bad -- and the
only other nameserver that truly controls its surroundings is DJBDNS. It
shouldn't suprise you that DJBDNS has a better security record than
BIND, but with proper premaintainence, it should be possible to set up
BIND in a secure environment.

interestingly enough, MS-DNS, the only really-commercial product that I listed
is NOT the one with the security guarantee. presently only djbdns comes with a
security guarantee.

LDAPDNS should be adaquite: it does not cache, nor allow editing of the
directory. It runs in a chrooted jail, with minimal permissions. it
cannot be poisioned by any conventional means, and even if the LDAPDNS
machine is comprimised, this does not mean that false DNS data can be
generated (a short explaination on that: someone would have to replace
the ldapdns server with a fake one with fake data. running a read-only
filesystem is a good way to guarantee this doesn't happen -- ldapdns
does not require write-access anywhere)

Addendum:

Many people check their LDAPDNS performance by timing something like
this:

$ time for D in `seq 1 1000`; do host -a domain.com ip.ldapdns; done >/dev/null

And then wonder how could ldapdns _possibly_ be faster than BIND or
DJBDNS!

The simple answer is that for such a small load, it never will be. BIND
and DJBDNS can take advantage of having their records stored in memory,
and querying an external source will never be faster than that...

... unless your domain structure is so large and your requests are so
diverse that you cannot store your records in memory.

However, _updating_ the data that LDAPDNS is _much_ faster than BIND or
DJBDNS. Plus you get to take advantage of the replication in your LDAP
server which is likely to be much more efficient than BIND or DJBDNS.

Additional addendum:

Run properly, it should be impossible for anything short of a DOS to
stop LDAPDNS, and the threading core of LDAPDNS makes that rather
difficult. I have tried to provide instructions as-to what properly
really means, but the fact is that a would-be attacker has a much better
chance against your directory than they do against my nameserver.
LDAPDNS is an extremely simple piece of equipment -- it doesn't need to
write anything, it doesn't store anything the user says. It's content
only, chrooted, unprivelged process. The user doesn't have any control
over any buffer (the response buffer code is almost identical to what
djbdns uses) so LDAPDNS is about as low-risk as you can get.

If you do not believe me, that's fine. Look at the code, and tell me
what you do believe. I'll make every effort to fix every bug as quickly
as possible -- I'll accept patches too. I'll never charge for updates
(ISC), and I'll often add features just because they were requested. I
strongly believe that LDAPDNS is the best kind of free software because
the author is sticking out the proverbial neck here.

To configure LDAPDNS, you will need some kind of LDAP browser, or my
administration scripts. See README.admin for details on those. This
document describes the real deal :)

ldapdns supports _THREE_ different schemas. If you're using Microsoft
Active Directory, or BIND+LDAP, then this document will not help you.
I'm afraid I haven't written much documentation on these things yet, but
by poking around the FAQ, you may be able to get them working.

ldapdns DOES SUPPORT AXFR: see INSTALL or README for details about it.

ldapdns looks up DNS records in an LDAP directory. domains and zones are
split onto a string of domainComponent (dc) objects, and use attributes
to resource records on a dnsDomain object.

ldapdns walks the tree up and down, first up to find SOA/NS records (it
won't serve a request unless it has found an SOA/NS record somewhere in
a domain's rootsor in the domain itself; e.g. www.nimh.org doesn't
require an SOA/NS if nimh.org has one)

the second pass is to find wildcards:
        dc=www, dc=nimh, dc=org, [suffix]
        dc=*, dc=nimh, dc=org, [suffix]
        dc=*, dc=org, [suffix]

note that ldapdns NEVER recursively resolves; it ONLY operates as a root
server. this will likely never change.

resource records (RR) are mapped to LDAP attributes:
	SOA	-- sOARecord
	NS	-- nSRecord
	A	-- aRecord
	MX	-- mXRecord
	CNAME	-- cNAMERecord
	TXT	-- description
	PTR	-- cNAMERecord or seeAlso
	*	-- photo

all "domain names" in fields must be fully qualified: you may leave off
the trailing dot. If you don't like this, search the FAQ for
RELATIVE_NAMES

aRecord
	this can be in one of the following forms:
		a.b.c.d
		a.b.c.d%ID
		A.B.C.D/CIDR=a.b.c.d
		A.B.C.D/E.F.G.H=a.b.c.d
	the last three forms are for implementing "split-horizon" DNS, and
	can be useful if you want to serve a different address based on the
	connecting client.

	"split-horizon" has not yet been well documented. see the FAQ for
	more details.

sOARecord
	this is 5 numbers seperated by whitespace.
	serial refresh retry expire minimum

	the defaults are:
	nnn 3600 900 36000000 3600

	where 'nnn' is the last-modified time of the DN.

	this attribute has side-effects: If you start this with an asterisk,
	this field will disable the entire zone.

	note that under LDAPDNS you DO NOT NEED sOAReocrds! they can be
	emulated- but note you WILL need nSRecords....

nSRecord
	this is a domain name.
	it can also be a single @ which allows you to use the domains
	specified in the environment variables $NS and $NSx (NS1, NS2, etc)

	this specifies where a zone is.

	if you create an nSRecord without ANY OTHER RECORDS, LDAPDNS will
	treat this as a referral, and refer caching DNS proxies to the real
	server. (clearing the AD bit)

mXRecord
	this is a preference, followed by whitespace, followed by a name.
	this works exactly like "real MX records"

	LDAPDNS will attempt to resolve these names if they are local,
	placing the results in the ADDITIONAL section. This is useful for
	caches.

cNAMERecord
	this is a domain name.

	in the in-addr.arpa. tree, these return PTR records _unless_ the
	target is outside of the directory OR retargets the in-addr.arpa.
	tree, in which case it returns CNAME records.

	otherwise, it returns CNAME records.

	LDAPDNS will attempt to resolve these names if they are local,
	placing the results in the ADDITIONAL section. This is useful for
	caches.

description
	this is a free-form text string.
	a hack splits this on the pipe(|) character. this is useful for
	returning multiple TXT names.

photo
	this is a "catch all" record.

	it is always in binary. the exact format lends itself to being
	compressed in DNS packets:

		0x00-0xFE	literal octet
		0xFF 0xFF	literal 0xFF octet
		0xFF 		DNS-compressed name (will be recompressed
					to safe space) follows

	this helps save space and reduce the need for TCP connections.

	this allows LDAPDNS to support _all_ RR's as efficiently as any
	other nameserver -- better still than some.

the add_generic_record and set_generic_record tools use a format string
to pack the data properly. since both take the same arguments, i'll
refer to both as $GENERIC

this document lists the format-specifications needed to make various
kinds of generic records.

-----

to make a RP (responsible person):

$GENERIC 37 'A' emailaddress


to make a SRV (service locator):

$GENERIC 33 'nnnA' priority weight port targetdns


more to come!

do you use ldapdns?
do you like it? do you want to know how you can help?

1. what direction should ldapdns take? if you can code, start coding. if
you can not, tell me. i can do things I know i want to do, and I can do
things I don't know i want to do. the trick is to make me want it :)

some coding projects i'm not interested in writing, but interested in
seeing:
	a) graphical front-ends (specifically for DNS)

2. document things! i don't like pulling double duty, and i only speak
and write english. so translate my documentation into other forms, or
write how-to's in other languages. write a book about life with
ldapdns :)

some good documentation projects:
	a) a real quickstart guide :)
	b) tuning options that work for your situation (esp. OpenLDAP
       related)

3. distribution. mention ldapdns on your website, and pester your
favored distribution to include it. tell your friends. make fun of BIND
users.

Simple Updates and true replication...This is the future.
Inflexible text files and zone transfers just have to be
history soon I hope (although rsync over ssh with tinydns
is somewhat nicer than Bind already).
	-Andreas Brenk

Calculated dns using ldapdns

TODO: this documentation stinks


Q: I have a tree that looks like this: cn=personname, o=myorg
   they have a dc attribute called "heaven" and i want this to
   be for heaven.af.mil, how do I do this?

A: follow these steps
	1. set your LDAP_SUFFIX=o=myorg
	2. create a $ROOT/search that contains the following line:
af.mil          dc

add the following to your directory:

dn: cn=Mrs. Brisby, dc=dns, o=myorg
objectClass: person
objectClass: dcObject
objectClass: dnsDomain
cn: Mrs. Brisby
sn: Brisby
dc: heaven
aRecord: 192.168.1.3

so, you want to install via apt or dpkg?

i cannot yet help you make an APT repository, but I _may_ be able to
help you most of the way. if you follow these directions, you should
have a functioning debian package. having that package, you should be
able to find some APT-HOWTOs laying around the internet and create a
repository for yourself.

the order in which things happen is still not completely clear to me, so
while I _think_ these instructions make a functioning debian package,
I could be very mistaken.

addendum: Toni Mueller pointed out that making debian packages isn't
hard at all. the debian toolchain does most of the work for you. I just
happen to have not used the debian toolchain.

# cp ldapdns.tgz ldapdns-2.00-8.tar.gz
# tar xzf ldapdns-2.00-8.tar.gz
# cd ldapdns-2.00-8
# ./debian/rules binary
# cd ..

you should now have a: ldapdns-2.00_8-1_i386.deb (or whatever platform
you're running on).

you cannot yet cross-compile ldapdns. if you want to do this, figure out
how, edit the debian/* and send me your changes.

you cannot yet configure ldapdns. see the remainder of the configuration
guide, OR hack this stuff into the debian/* tree.

I want to thank checkinstall/installwatch for teaching me more about
debian packages than the official debian maintainers faq :)

so, you want to install via rpm?

it seems odd, but installing via RPM is not for the feint of heart; it's
less safe, and some features are disabled. this may (will) change in the
future, but if you want to try it, do this:


# cp ldapdns.tgz ldapdns-2.00e.tar.gz
# rpm -ta ldapdns-2.07e.tar.gz
# cp /usr/src/redhat/RPMS/i386/ldapdns-2.07e*.i386.rpm .
# cp /usr/src/redhat/SRPMS/ldapdns-2.07e*.src.rpm .

(obviously, if you're building on an alpha, you'll want to do 'alpha' instead
of 'i386' above.)

the advantages of using RPM are many, but i don't use an rpm-based
system, so you'll need to help me out.