xref: /dports/dns/ldapdns/ldapdns-2.07/README.configure

To configure LDAPDNS, you will need some kind of LDAP browser, or my
administration scripts. See README.admin for details on those. This
document describes the real deal :)

ldapdns supports _THREE_ different schemas. If you're using Microsoft
Active Directory, or BIND+LDAP, then this document will not help you.
I'm afraid I haven't written much documentation on these things yet, but
by poking around the FAQ, you may be able to get them working.

ldapdns DOES SUPPORT AXFR: see INSTALL or README for details about it.

ldapdns looks up DNS records in an LDAP directory. domains and zones are
split onto a string of domainComponent (dc) objects, and use attributes
to resource records on a dnsDomain object.

ldapdns walks the tree up and down, first up to find SOA/NS records (it
won't serve a request unless it has found an SOA/NS record somewhere in
a domain's rootsor in the domain itself; e.g. www.nimh.org doesn't
require an SOA/NS if nimh.org has one)

the second pass is to find wildcards:
        dc=www, dc=nimh, dc=org, [suffix]
        dc=*, dc=nimh, dc=org, [suffix]
        dc=*, dc=org, [suffix]

note that ldapdns NEVER recursively resolves; it ONLY operates as a root
server. this will likely never change.

resource records (RR) are mapped to LDAP attributes:
	SOA	-- sOARecord
	NS	-- nSRecord
	A	-- aRecord
	MX	-- mXRecord
	CNAME	-- cNAMERecord
	TXT	-- description
	PTR	-- cNAMERecord or seeAlso
	*	-- photo

all "domain names" in fields must be fully qualified: you may leave off
the trailing dot. If you don't like this, search the FAQ for
RELATIVE_NAMES

aRecord
	this can be in one of the following forms:
		a.b.c.d
		a.b.c.d%ID
		A.B.C.D/CIDR=a.b.c.d
		A.B.C.D/E.F.G.H=a.b.c.d
	the last three forms are for implementing "split-horizon" DNS, and
	can be useful if you want to serve a different address based on the
	connecting client.

	"split-horizon" has not yet been well documented. see the FAQ for
	more details.

sOARecord
	this is 5 numbers seperated by whitespace.
	serial refresh retry expire minimum

	the defaults are:
	nnn 3600 900 36000000 3600

	where 'nnn' is the last-modified time of the DN.

	this attribute has side-effects: If you start this with an asterisk,
	this field will disable the entire zone.

	note that under LDAPDNS you DO NOT NEED sOAReocrds! they can be
	emulated- but note you WILL need nSRecords....

nSRecord
	this is a domain name.
	it can also be a single @ which allows you to use the domains
	specified in the environment variables $NS and $NSx (NS1, NS2, etc)

	this specifies where a zone is.

	if you create an nSRecord without ANY OTHER RECORDS, LDAPDNS will
	treat this as a referral, and refer caching DNS proxies to the real
	server. (clearing the AD bit)

mXRecord
	this is a preference, followed by whitespace, followed by a name.
	this works exactly like "real MX records"

	LDAPDNS will attempt to resolve these names if they are local,
	placing the results in the ADDITIONAL section. This is useful for
	caches.

cNAMERecord
	this is a domain name.

	in the in-addr.arpa. tree, these return PTR records _unless_ the
	target is outside of the directory OR retargets the in-addr.arpa.
	tree, in which case it returns CNAME records.

	otherwise, it returns CNAME records.

	LDAPDNS will attempt to resolve these names if they are local,
	placing the results in the ADDITIONAL section. This is useful for
	caches.

description
	this is a free-form text string.
	a hack splits this on the pipe(|) character. this is useful for
	returning multiple TXT names.

photo
	this is a "catch all" record.

	it is always in binary. the exact format lends itself to being
	compressed in DNS packets:

		0x00-0xFE	literal octet
		0xFF 0xFF	literal 0xFF octet
		0xFF 		DNS-compressed name (will be recompressed
					to safe space) follows

	this helps save space and reduce the need for TCP connections.

	this allows LDAPDNS to support _all_ RR's as efficiently as any
	other nameserver -- better still than some.