How to upgrade the bind-dyndb-ldap plug-in to version 6.0

Since Red Hat Enterprise Linux 7.1 Beta, the bind-dyndb-ldap packages have been upgraded to upstream version 6.0.

This upgrade introduces the following behavioral changes:

• Persistent search and zone refresh mechanism have been replaced by LDAP Content Synchronization Operation (SyncRepl, RFC 4533).
• Since version 6.0, the bind-dyndb-ldap plug-in is going to work only with RFC 4533-compliant LDAP servers. Please configure your LDAP sever accordingly.
• The "zone_refresh", "cache_ttl", and "psearch" options have been removed and should be dropped from /etc/named.conf or an equivalent file.

• The "idnsZoneRefresh" and "idnsPersistentSearch" LDAP attributes are no longer supported and should be removed.

  • The Start of Authority (SOA) serial auto-increment feature is now mandatory. The bind-dyndb-ldap plug-in is required to have write access to LDAP.

  • Data from LDAP are not served to clients until initial synchronization with LDAP is finished. All queries received during initial synchronization are processed as if bind-dyndb-ldap were not configured, which means that the queries can be answered with Non-Existent Domain (NXDOMAIN) or other similar answer, depending on configuration.

  • The plug-in creates journal file for each DNS zone in LDAP, which allows support for Incremental Zone Transfers (IXFR) according to RFC 1995. The working directory has to be writable by the "named" daemon. Please see the README file if you have changed the BIND and bind-dyndb-ldap default configurations.

  • The forwarder semantic has been changed to match the semantic of BIND, namely:

• The "idnsZone" objects always represent master zones.
• The "idnsForwardZone" objects now always represent forward zones.

To upgrade to bind-dyndb-ldap 6.0, follow these steps:

1. Upgrade the bind-dyndb-ldap package on all servers to the latest version provided with Red Hat Enterprise Linux 7.0. This step will help you minimize downtime because bind-dyndb-ldap-3.5, which was included in Red Hat Enterprise Linux 7.0, supports the old and new formats simultaneously.

2. Retrieve the zones stored in the old format by running the following command:

   $ ldapsearch -Y GSSAPI -b 'cn=dns, dc=ipa, dc=example' '(&(objectClass=idnsZone)(idnsForwarders=*)(!(idnsForwardPolicy=none)))' objectClass idnsName idnsZoneActive idnsForwarders idnsForwardPolicy > old_zones.ldif
   

   Change the "-Y" and "-b" parameters to be in accordance with your local configuration.

3. Change the "objectClass" attribute in the old_zones.ldif file by replacing "idnsZone" with "idnsForwardZone". Resulting LDAP Data Interchange Format (LDIF) should be in the following form:

   dn: idnsName=example.com,cn=dns,dc=ipa,dc=example
   objectClass: top
   objectClass: idnsForwardZone
   idnsName: example.com
   idnsZoneActive: TRUE
   idnsForwarders: 192.0.2.1
   idnsForwardPolicy: only
   

4. Delete old objects from LDAP.

5. Import modified objects to LDAP.

Important: Users are responsible for upgrading their own data in LDAP.

Known problems and limitations

• The LDAP rename (MODRDN) operation is not supported at the moment (bug 1139776).

• Zones and records deleted when connection to LDAP is down are not refreshed properly after reconnection (bug 1139778).