Feature: Enhancements ============ * Read-query performance is nearly same as with plain BIND and queries for non-existing records do not impose additional load on LDAP server. * Wildcard records are supported. For details please see RFC 4592. http://tools.ietf.org/html/rfc4592 * Incremental Zone Transfers (IXFR, RFC 1995) are supported. http://tools.ietf.org/html/rfc1995 * DNS root zone (".") can be stored in LDAP. * DNSSEC in-line signing is supported for master zones. Any master zone in LDAP can be signed with keys provided by user. Behavioral changes & upgrade ============================ * Forwarder semantic was changed to match BIND's semantic: - idnsZone objects always represent master zones - idnsForwardZone objects (new) always represent forward zones !!! Users are responsible for upgrading their own data in LDAP. !!! Upgrade: 1) Start with upgrading bind-dyndb-ldap package on all servers to latest version provided with RHEL 7.0. This step will help you minize downtime because bind-dyndb-ldap-3.5 supports old and new formats at the same time. 2) Retrieve zones stored in the old format: $ ldapsearch -Y GSSAPI -b 'cn=dns, dc=ipa, dc=example' '(&(objectClass=idnsZone)(idnsForwarders=*)(!(idnsForwardPolicy=none)))' objectClass idnsName idnsZoneActive idnsForwarders idnsForwardPolicy > old_zones.ldif # NOTE: parameters -Y and -b need to be tweaked according to your local configuration. # 3) Change objectClass attribute in old_zones.ldif by replacing 'idnsZone' with 'idnsForwardZone'. Resulting LDIF should have this form: dn: idnsName=example.com,cn=dns,dc=ipa,dc=example objectClass: top objectClass: idnsForwardZone idnsName: example.com idnsZoneActive: TRUE idnsForwarders: 192.0.2.1 idnsForwardPolicy: only 4) Delete old objects from LDAP. 5) Import modified objects to LDAP. http://www.freeipa.org/page/V4/Forward_zones#Updates_and_Upgrades * Persistent search and zone refresh mechanism were replaced by RFC 4533 (aka SyncRepl). ** Options zone_refresh, cache_ttl and psearch were removed and should be droped from /etc/named.conf or equivalent file. ** Also support for LDAP attributes idnsZoneRefresh and idnsPersistentSearch was removed and these attributes should be removed from LDAP. ** From now on, the bind-dyndb-ldap plugin will work only with RFC 4533-compliant LDAP servers. Please configure your LDAP sever accordingly. * SOA serial auto-increment feature is now mandatory. The plugin has to have write access to LDAP. * Data from LDAP are not served to clients until initial synchronization with LDAP is finished. All queries received during initial synchronization are processed as if bind-dyndb-ldap were not configured, i.e. can be answered with NXDOMAIN or . * Plug-in creates journal file for each DNS zone in LDAP. (This allows us to support IXFR.) Working directory has to be writable by named. Please see README if you have tweaked BIND and bind-dyndb-ldap configurations. Bug fixes ========= * Many :-) * Most important one: Kerberos ticket expiration is now handled correctly. Known problems and limitations ============================== * LDAP MODRDN (rename) is not supported at the moment: https://bugzilla.redhat.com/show_bug.cgi?id=1139776 * Zones and records deleted when connection to LDAP is down are not refreshed properly after re-connection: https://bugzilla.redhat.com/show_bug.cgi?id=1139778 Reason: We wanted to provide new features. Result: New features are available :-)