95dc3d
diff --git a/Makefile.am b/Makefile.am
95dc3d
index f5ff369..31ba5d6 100644
95dc3d
--- a/Makefile.am
95dc3d
+++ b/Makefile.am
95dc3d
@@ -2,4 +2,4 @@ ACLOCAL_AMFLAGS = -I m4
95dc3d
 
95dc3d
 SUBDIRS = doc src
95dc3d
 
95dc3d
-doc_DATA = README NEWS
95dc3d
+dist_doc_DATA = README.md NEWS COPYING
95dc3d
diff --git a/NEWS b/NEWS
95dc3d
index 12aa18a..8fac0dd 100644
95dc3d
--- a/NEWS
95dc3d
+++ b/NEWS
95dc3d
@@ -1,3 +1,14 @@
95dc3d
+11.0
95dc3d
+====
95dc3d
+[1] The plugin was ported to BIND 9.11. Minimal BIND version is now 9.11.0rc1.
95dc3d
+    https://fedorahosted.org/bind-dyndb-ldap/ticket/161
95dc3d
+
95dc3d
+[2] Configuration format in named.conf is different
95dc3d
+    and incompatible with all previous versions. Please see README.md.
95dc3d
+
95dc3d
+[3] Obsolete plugin options were removed:
95dc3d
+    cache_ttl, psearch, serial_autoincrement, zone_refresh.
95dc3d
+
95dc3d
 10.1
95dc3d
 ====
95dc3d
 [1] Prevent crash while reloading previously invalid but now valid DNS zone.
95dc3d
diff --git a/README b/README
95dc3d
deleted file mode 100644
95dc3d
index 2fd09b5..0000000
95dc3d
--- a/README
95dc3d
+++ /dev/null
95dc3d
@@ -1,539 +0,0 @@
95dc3d
-1. Introduction
95dc3d
-===============
95dc3d
-
95dc3d
-The dynamic LDAP back-end is a plug-in for BIND that provides an LDAP
95dc3d
-database back-end capabilities. For now, it requires that BIND is patched
95dc3d
-to support dynamic loading of database back-ends. You can get a patch
95dc3d
-for your version here:
95dc3d
-
95dc3d
-  https://github.com/pspacek/bind-dynamic_db
95dc3d
-
95dc3d
-Hopefully, the patch will once be included in the official BIND release.
95dc3d
-
95dc3d
-BIND >= 9.9.0 is required.
95dc3d
-
95dc3d
-2. Features
95dc3d
-===========
95dc3d
-
95dc3d
-* support for dynamic updates
95dc3d
-* SASL authentication
95dc3d
-* SyncRepl (RFC 4533) for run-time synchronization with LDAP server
95dc3d
-* read-query performance nearly same as with plain BIND
95dc3d
-* AXFR and IXFR zone transfers are supported
95dc3d
-* DNSSEC in-line signing is supported, including dynamic updates
95dc3d
-
95dc3d
-
95dc3d
-3. Installation
95dc3d
-===============
95dc3d
-
95dc3d
-To install the LDAP back-end, extract the tarball and go to the unpacked
95dc3d
-directory. Then follow these steps:
95dc3d
-
95dc3d
-$ ./configure --libdir=<libdir>
95dc3d
-$ make
95dc3d
-
95dc3d
-Where <libdir> is a directory where your libdns is installed. This is
95dc3d
-typically going to be /usr/lib or /usr/lib64 on 64 bit systems.
95dc3d
-
95dc3d
-If configure script complains that it "Can't obtain libdns version",
95dc3d
-please verify you have installed bind development files (package bind9-dev
95dc3d
-or bind-devel) and you exported correct CPPFLAGS via
95dc3d
-"export CPPFLAGS=`isc-config.sh --cflags`" command.
95dc3d
-
95dc3d
-Then, to install, run this as root:
95dc3d
-# make install
95dc3d
-
95dc3d
-This will install the file ldap.so into the <libdir>/bind/ directory.
95dc3d
-
95dc3d
-Alternatively, the latest version can be obtained from Git repository.
95dc3d
-You can use following commands to prepare latest source tree for compilation:
95dc3d
-
95dc3d
-$ git clone https://git.fedorahosted.org/git/bind-dyndb-ldap.git
95dc3d
-$ cd bind-dyndb-ldap
95dc3d
-$ autoreconf -fvi
95dc3d
-
95dc3d
-4. LDAP schema
95dc3d
-==============
95dc3d
-
95dc3d
-You can find the complete LDAP schema in the documentation directory. An
95dc3d
-example zone ldif is available in the doc directory.
95dc3d
-
95dc3d
-4.1 Master zone (idnsZone)
95dc3d
---------------------------
95dc3d
-Object class idnsZone is equivalent to type "master" statement in named.conf.
95dc3d
-
95dc3d
-Attributes:
95dc3d
-* idnsAllowDynUpdate
95dc3d
-	Allow dynamic update of records in this zone. If attribute doesn't exist,
95dc3d
-	value "dyn_update" from plugin configuration will be used.
95dc3d
-
95dc3d
-* idnsAllowQuery
95dc3d
-	Specifies BIND9 zone ACL element as one string.
95dc3d
-
95dc3d
-	Example 1:      idnsAllowQuery: 192.0.2.1;
95dc3d
-	In the first example above, only the client with 192.0.2.1 IP address
95dc3d
-	is allowed to query records from the zone.
95dc3d
-
95dc3d
-	Example 2:      idnsAllowQuery: !192.0.2.33; 192.0.2.0/24;
95dc3d
-	In the second example, queries from client 192.0.2.33 are refused
95dc3d
-	but queries from all other clients in the 192.0.2.0/24 network
95dc3d
-	are allowed.
95dc3d
-
95dc3d
-	You can specify IPv4/IPv6 address, IPv4/IPv6 network address in CIDR
95dc3d
-	format, and "any" or "none" keywords. The "!" prefix (for example
95dc3d
-	!192.0.2.33) means negation of the ACL element.
95dc3d
-
95dc3d
-	If not set, then zone inherits global allow-query from named.conf.
95dc3d
-
95dc3d
-* idnsAllowTransfer
95dc3d
-	Uses same format as idnsAllowQuery. Allows zone transfers for matching
95dc3d
-	clients.
95dc3d
-
95dc3d
-	If not set then zone inherits global allow-transfer from named.conf.
95dc3d
-
95dc3d
-* idnsAllowSyncPTR
95dc3d
-	Allow synchronization of A/AAAA records in zone with PTR records in reverse
95dc3d
-	zone. Reverse zone must have Dynamic update allowed. 
95dc3d
-	(See idnsAllowDynUpdate attribute and dyn_update configuration parameter.)
95dc3d
-
95dc3d
-* idnsForwardPolicy (default "first")
95dc3d
-	Specifies BIND9 zone forward policy. Proprietary value "none"
95dc3d
-	is equivalent to "forwarders {};" in BIND configuration,
95dc3d
-	i.e. effectively disables forwarding and ignores idnsForwarders
95dc3d
-	attribute.
95dc3d
-
95dc3d
-	Values "first" and "only" are relevant in conjunction with a valid
95dc3d
-	idnsForwarders attribute. Their meaning is same as in BIND9.
95dc3d
-
95dc3d
-* idnsForwarders
95dc3d
-	Defines multiple IP addresses to which recursive queries will be
95dc3d
-	forwarded. This is equivalent to "forwarders" statement in "master"
95dc3d
-	zone configuration.
95dc3d
-
95dc3d
-	I.e. local BIND replies authoritatively to queries when possible
95dc3d
-	(including authoritative NXDOMAIN answers) so forwarding affects only
95dc3d
-	queries made by BIND to answer recursive queries which cannot be
95dc3d
-	answered locally. Please see
95dc3d
-	https://lists.isc.org/pipermail/bind-users/2006-January/060810.html
95dc3d
-	https://lists.isc.org/pipermail/bind-users/2011-March/083244.html
95dc3d
-
95dc3d
-	It is multi-value attribute: Each IP address (and optional port) has to
95dc3d
-	be in own value. BIND9 syntax for "forwarders" is required.
95dc3d
-	Optional port can be specified by adding " port <number>" after IP 
95dc3d
-	address. IPv4 and IPv6 addresses are supported.
95dc3d
-	Examples: "1.2.3.4" or "1.2.3.4 port 553" or "A::B" or "A::B port 553"
95dc3d
-
95dc3d
-* idnsName
95dc3d
-	Absolute name of DNS zone. It is recommended to use names with trailing
95dc3d
-	period, e.g. "example.com."
95dc3d
-
95dc3d
-* idnsSecInlineSigning (default FALSE)
95dc3d
-	DNSSEC in-line signing configuration. Value TRUE is equivalent to
95dc3d
-	following zone configuration in named.conf (default BIND values):
95dc3d
-
95dc3d
-	auto-dnssec maintain;
95dc3d
-	sig-validity-interval 2592000; # 30 days
95dc3d
-	# re-sign interval will be 648000 seconds = 7.5 days
95dc3d
-	sig-signing-signatures 10;
95dc3d
-	sig-signing-nodes 10;
95dc3d
-	sig-signing-type 65534;
95dc3d
-	update-check-ksk yes;
95dc3d
-	dnssec-loadkeys-interval 60;   # minutes
95dc3d
-	key-directory "<plugin-instance-dir>/<zone-name>/keys";
95dc3d
-
95dc3d
-	There is no way to change those values at this moment.
95dc3d
-
95dc3d
-* idnsSOAserial
95dc3d
-	SOA serial number. It is automatically incremented after each change
95dc3d
-	in LDAP. External changes done by other LDAP clients are detected via
95dc3d
-	RFC 4533 (so-called syncrepl).
95dc3d
-
95dc3d
-	If serial number is lower than current UNIX timestamp, then
95dc3d
-	it is set to the timestamp value. If SOA serial is greater or equal
95dc3d
-	to current timestamp, then the serial is incremented by one.
95dc3d
-	(This is equivalent to BIND option 'serial-update-method unix'.)
95dc3d
-
95dc3d
-	In multi-master LDAP environments it is recommended to make
95dc3d
-	idnsSOAserial attribute non-replicated (locally significant).
95dc3d
-	It is recommended not to use multiple masters for single slave zone
95dc3d
-	if SOA serial is locally significant because serial numbers between
95dc3d
-	masters	aren't synchronized. It will cause problems with zone
95dc3d
-	transfers from multiple masters to single slave.
95dc3d
-
95dc3d
-* idnsZoneActive
95dc3d
-        Boolean which speicifies if particular DNS zone should be visible
95dc3d
-        to clients or not. This attribute can be changed at run-time.
95dc3d
-
95dc3d
-        Inactive zones are loaded into memory in the same way as active zones.
95dc3d
-        The only difference is that inactive zones are not added to DNS view
95dc3d
-        used by bind-dyndb-ldap.
95dc3d
-
95dc3d
-        Zone will be re-added to DNS view if idnsActiveZone attribute is
95dc3d
-        changed to TRUE so the change should be almost immediate.
95dc3d
-
95dc3d
-        Usual zone maintenance (serial number maintenance, DNSSEC in-line
95dc3d
-        signing etc.) is done for all zones, no matter if the zone
95dc3d
-        is active or not. This allows us to maintain zone journal so IXFR
95dc3d
-        works correctly even after zone re-activation.
95dc3d
-
95dc3d
-* nSEC3PARAMRecord
95dc3d
-	NSEC3PARAM resource record definition according to RFC5155.
95dc3d
-	Zone without NSEC3PARAM RR will use NSEC by default.
95dc3d
-
95dc3d
-
95dc3d
-4.2 Forward zone (idnsForwardZone)
95dc3d
-----------------------------------
95dc3d
-Object class idnsForwardZone is equivalent to type "forward" statement
95dc3d
-in named.conf.
95dc3d
-
95dc3d
-Attributes:
95dc3d
-* idnsForwarders
95dc3d
-	Defines multiple IP addresses to which all queries for sub-tree of DNS
95dc3d
-	will be forwarded. This is equivalent to "forwarders" statement in
95dc3d
-	"forward" zone configuration.
95dc3d
-
95dc3d
-	It is multi-value attribute: Each IP address (and optional port) has to
95dc3d
-	be in own value. BIND9 syntax for "forwarders" is required.
95dc3d
-	Optional port can be specified by adding " port <number>" after IP 
95dc3d
-	address. IPv4 and IPv6 addresses are supported.
95dc3d
-	Examples: "1.2.3.4" or "1.2.3.4 port 553" or "A::B" or "A::B port 553"
95dc3d
-
95dc3d
-* idnsForwardPolicy (default "first")
95dc3d
-	Specifies BIND9 zone forward policy. Proprietary value "none"
95dc3d
-	is equivalent to "forwarders {};" in BIND configuration,
95dc3d
-	i.e. effectively disables forwarding and ignores idnsForwarders
95dc3d
-	attribute.
95dc3d
-
95dc3d
-	Values "first" and "only" are relevant in conjunction with a valid
95dc3d
-	idnsForwarders attribute. Their meaning is same as in BIND9.
95dc3d
-
95dc3d
-* idnsName
95dc3d
-	Absolute name of DNS zone. It is recommended to use names with trailing
95dc3d
-	period, e.g. "example.com."
95dc3d
-
95dc3d
-Forward zones may conflict with automatic empty zones (defined in RFC 6303)
95dc3d
-because empty zones are authoritative and thus have higher priority
95dc3d
-than forwarding.
95dc3d
-Bind-dyndb-ldap will automatically unload empty zones which are super/sub
95dc3d
-domains of a forward zones if the forwarding policy is "only".
95dc3d
-A warning will be issued (and zone not unloaded) if the policy is "first"
95dc3d
-because this policy does not guarantee that queries will not leak to
95dc3d
-the public Internet.
95dc3d
-
95dc3d
-Unloaded empty zones will not be loaded back even if the forward zone is later
95dc3d
-deleted. The empty zones will be loaded on each BIND reload.
95dc3d
-
95dc3d
-
95dc3d
-4.3 Global configuration object (idnsConfigObject)
95dc3d
---------------------------------------------------
95dc3d
-Object class idnsConfigObject provides global configuration common
95dc3d
-for all zones.
95dc3d
-
95dc3d
-Attributes:
95dc3d
-* idnsAllowSyncPTR
95dc3d
-	Semantics is equivalent to "sync_ptr" option described in plugin's
95dc3d
-	config and to idnsAllowSyncPTR attribute in idnsZone.
95dc3d
-
95dc3d
-* idnsForwarders
95dc3d
-* idnsForwardPolicy
95dc3d
-	Semantics is equivalent to "forward" statement in named.conf.
95dc3d
-	Syntax is the same as in forward zone, please see previous section.
95dc3d
-
95dc3d
-
95dc3d
-4.4 Per-server configuration object (idnsServerConfigObject)
95dc3d
-------------------------------------------------------------
95dc3d
-Object class idnsConfigObject provides global configuration common
95dc3d
-for all zones. A plugin instance will read configuration
95dc3d
-only from entries with matching idnsServerId.
95dc3d
-
95dc3d
-Attributes:
95dc3d
-* idnsServerId
95dc3d
-	Configuration identifier (arbitrary string).
95dc3d
-	A plugin instance will use only objects whose idnsServerId value
95dc3d
-	matches server_id value in plugin's config.
95dc3d
-
95dc3d
-* idnsForwarders
95dc3d
-* idnsForwardPolicy
95dc3d
-	Same meaning as in global configuration object (idnsConfigObject).
95dc3d
-
95dc3d
-* idnsSOAmName
95dc3d
-	Equivalent to fake_mname option in plugin's config.
95dc3d
-
95dc3d
-* idnsSubstitutionVariable
95dc3d
-	This attribute associates string value with user-defined name.
95dc3d
-	These named variables can be used later in record template processing.
95dc3d
-	Variable name is specified as LDAP sub-type. (The attribute cannot be
95dc3d
-	used without sub-type. Exactly one instance of each sub-type
95dc3d
-	is required.)
95dc3d
-	For further information please see
95dc3d
-	https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/RecordGenerator
95dc3d
-
95dc3d
-	LIMITATION: Current plugin version supports only "ipalocation" variable
95dc3d
-
95dc3d
-
95dc3d
-4.5 Record template (idnsTemplateObject)
95dc3d
-----------------------------------------
95dc3d
-Object class idnsTemplateObject provides facility for dynamic resource record
95dc3d
-generation. The template entry must contain idnsTemplateAttribute with
95dc3d
-string template.
95dc3d
-
95dc3d
-Optionally the same entry can contain statically defined resource records
95dc3d
-in *Record attributes. All statically defined record values are ignored
95dc3d
-when template is present and substitution into template is successful.
95dc3d
-The substitution is successful only if all variables used
95dc3d
-by the template string are defined.
95dc3d
-
95dc3d
-Attributes:
95dc3d
-* idnsTemplateAttribute
95dc3d
-	String subtitution template. All occurrences of \{variable_name\}
95dc3d
-	are replaced with respective strings from plugin configuration.
95dc3d
-	Remaining parts of the original string are just copied into the output.
95dc3d
-
95dc3d
-	Double-escaped strings \\{ \\} do not trigger substitution.
95dc3d
-	Nested references will expand only innermost variable: \{\{var1\}\}
95dc3d
-	Non-matching parentheses and other garbage will be copied verbatim
95dc3d
-	without triggering an error.
95dc3d
-
95dc3d
-	Resulting resource record type is specified as LDAP sub-type.
95dc3d
-	(The attribute cannot be used without sub-type.
95dc3d
-	Exactly one instance of each sub-type is required.)
95dc3d
-
95dc3d
-	Example - LDIF snippet:
95dc3d
-		idnsSubstitutionVariable;ipalocation: brno
95dc3d
-		idnsTemplateAttribute;CNAMERecord: server.\{substitutionvariable_ipalocation\}
95dc3d
-		will generate CNAME record: server.brno
95dc3d
-	For further information please see
95dc3d
-	https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/RecordGenerator
95dc3d
-
95dc3d
-
95dc3d
-5. Configuration
95dc3d
-================
95dc3d
-
95dc3d
-To configure dynamic loading of back-end, you must put a "dynamic-db"
95dc3d
-clause into your named.conf. The clause must then be followed by a
95dc3d
-string denoting the name. The name is not that much important, it is
95dc3d
-passed to the plug-in and might be used for example, for logging
95dc3d
-purposes. Following after that is a set of options enclosed between
95dc3d
-curly brackets.
95dc3d
-
95dc3d
-The most important option here is "library". It names a shared object
95dc3d
-file that will be opened and loaded. The "arg" option specifies a string
95dc3d
-that is passed directly to the plugin. You can specify multiple "arg"
95dc3d
-options. The LDAP back-end follows the convention that the first word of
95dc3d
-this string is the name of the setting and the rest is the value.
95dc3d
-
95dc3d
-
95dc3d
-5.1 Configuration options
95dc3d
--------------------------
95dc3d
-List of configuration options follows:
95dc3d
-
95dc3d
-5.1.1 LDAP connection
95dc3d
----------------------
95dc3d
-uri
95dc3d
-	The Uniform Resource Identifier pointing to the LDAP server we
95dc3d
-	wish to connect to. This string is directly passed to the
95dc3d
-	ldap_initialize(3) function. This option is mandatory.
95dc3d
-	Example: ldap://ldap.example.com
95dc3d
-
95dc3d
-connections (default 2)
95dc3d
-	Number of connections the LDAP driver should try to establish to
95dc3d
-	the LDAP server. It's best if this matches the number of threads
95dc3d
-	BIND creates, for performance reasons. However, your LDAP server
95dc3d
-	configuration might only allow certain number of connections per
95dc3d
-	client.
95dc3d
-
95dc3d
-base
95dc3d
-	This is the search base that will be used by the LDAP back-end
95dc3d
-	to search for DNS zones. It is mandatory.
95dc3d
-
95dc3d
-auth_method (default "none")
95dc3d
-	The method used to authenticate to the LDAP server. Currently
95dc3d
-	supported methods are "none", "simple" and "sasl". The none
95dc3d
-	method is effectively a simple authentication without password.
95dc3d
-
95dc3d
-bind_dn (default "")
95dc3d
-	Distinguished Name used to bind to the LDAP server. If this is
95dc3d
-	empty and the auth_method is set to "simple", the LDAP back-end
95dc3d
-	will fall-back and use the "none" authentication method.
95dc3d
-
95dc3d
-password (default "")
95dc3d
-	Password for simple and SASL authentication. If the authentication
95dc3d
-	method is set to "simple" and the password is empty, the LDAP
95dc3d
-	driver will fall-back to the "none" authentication method.
95dc3d
-
95dc3d
-sasl_mech (default "GSSAPI")
95dc3d
-	Name of the SASL mechanism to be used for negotiation.
95dc3d
-
95dc3d
-sasl_auth_name
95dc3d
-	The user name to be used for SASL authentication.
95dc3d
-
95dc3d
-sasl_user
95dc3d
-	The user name to be used for SASL proxy authorization.
95dc3d
-
95dc3d
-sasl_password
95dc3d
-	The password to use for the SASL authentication.
95dc3d
-
95dc3d
-sasl_realm
95dc3d
-	The SASL realm name.
95dc3d
-
95dc3d
-krb5_keytab
95dc3d
-	Path to the kerberos keytab containing service credentials to be used
95dc3d
-	for SASL authentication. Append the "FILE:" prefix to the file path.
95dc3d
-	(FILE:/etc/named.keytab, for example)
95dc3d
-
95dc3d
-krb5_principal
95dc3d
-	Kerberos principal of the service, used for SASL authentication.
95dc3d
-	If not set then it is copied from "sasl_user" option. Principal
95dc3d
-	is loaded from file specified in "krb5_keytab" option.
95dc3d
-
95dc3d
-timeout (default 10)
95dc3d
-	Timeout (in seconds) of the queries to the LDAP server. If the LDAP
95dc3d
-	server don't respond before this timeout then lookup is aborted and
95dc3d
-	BIND returns SERVFAIL. Value "0" means infinite timeout (no timeout).
95dc3d
-
95dc3d
-reconnect_interval (default 60)
95dc3d
-	Time (in seconds) after that the plugin should try to connect to LDAP 
95dc3d
-	server again in case connection is lost and immediate reconnection 
95dc3d
-	fails.
95dc3d
-
95dc3d
-ldap_hostname (default "")
95dc3d
-	Sets hostname of the LDAP server. When it is set to "", actual
95dc3d
-	/bin/hostname is used. Please prefer "uri" option, this option should be
95dc3d
-	used only in special cases, for example when GSSAPI authentication
95dc3d
-	is used and named service has Kerberos principal different from
95dc3d
-	/bin/hostname output.
95dc3d
-
95dc3d
-
95dc3d
-5.1.2 Special DNS features
95dc3d
---------------------------
95dc3d
-fake_mname (default "")
95dc3d
-	Ignore value of the idnsSOAmName (primary master DNS name) attribute
95dc3d
-	and use this value instead. This allows multiple BIND processes to share
95dc3d
-	one LDAP database and every BIND reports itself as a primary master in
95dc3d
-	SOA record, for example.
95dc3d
-
95dc3d
-sync_ptr (default no)
95dc3d
-	Set this option to "yes" if you would like to keep PTR record 
95dc3d
-	synchronized with coresponding A/AAAA record for all zones.
95dc3d
-	If this option is set to "no", the LDAP driver will check
95dc3d
-	the idnsAllowSyncPTR attribute which specifies the synchronization
95dc3d
-	policy for PTR records in a zone. When an A/AAAA record is deleted 
95dc3d
-	the PTR record must point to the same hostname. 
95dc3d
-	
95dc3d
-dyn_update (default no)
95dc3d
-	Set this option to "yes" if you would like to allow dynamic zone updates.
95dc3d
-	This setting can be overridden for each zone individually
95dc3d
-	by idnsAllowDynUpdate attribute.
95dc3d
-
95dc3d
-
95dc3d
-5.1.3 Plumbing
95dc3d
---------------
95dc3d
-verbose_checks (default no)
95dc3d
-	Set this option to "yes" if you would like to log all failures
95dc3d
-	in internal CHECK() macros. This option is recommended only for
95dc3d
-	debugging purposes. It could produce huge amount of log messages
95dc3d
-	on a loaded system!
95dc3d
-
95dc3d
-directory (default is
95dc3d
-           "dyndb-ldap/<current instance name from dynamic-db directive>")
95dc3d
-	Specifies working directory for plug-in. The path has to be writeable
95dc3d
-	by named because plug-in will create sub-directory for each zone.
95dc3d
-	These sub-directories will contain temporary files like zone dump, zone
95dc3d
-	journal, zone keys etc.
95dc3d
-	The path is relative to "directory" specified in BIND options.
95dc3d
-	See section 6 (DNSSEC) for examples.
95dc3d
-
95dc3d
-5.2 Sample configuration
95dc3d
-------------------------
95dc3d
-Let's take a look at a sample configuration:
95dc3d
-
95dc3d
-options {
95dc3d
-	directory "/var/named/";
95dc3d
-};
95dc3d
-
95dc3d
-dynamic-db "my_db_name" {
95dc3d
-	library "ldap.so";
95dc3d
-	arg "uri ldap://ldap.example.com";
95dc3d
-	arg "base cn=dns, dc=example, dc=com";
95dc3d
-	arg "auth_method none";
95dc3d
-};
95dc3d
-
95dc3d
-With this configuration, the LDAP back-end will try to connect to server
95dc3d
-ldap.example.com with simple authentication, without any password. It
95dc3d
-will then use RFC 4533 refresh&persist search in the "cn=dns,dc=example,dc=com"
95dc3d
-base for entries with object class idnsZone and idnsRecord.
95dc3d
-For each idnsZone entry it will find, it will register a new zone with BIND.
95dc3d
-For each idnsRecord entry it will create domain name in particular zone.
95dc3d
-The LDAP back-end will keep each record it gets from LDAP in its memory.
95dc3d
-
95dc3d
-Working directory for the plug-in will be "/var/named/dyndb-ldap/my_db_name/",
95dc3d
-so hypothetical zone "example.com" will use sub-directory
95dc3d
-"/var/named/dyndb-ldap/my_db_name/master/example.com/".
95dc3d
-
95dc3d
-5.3 Configuration in LDAP
95dc3d
--------------------------
95dc3d
-Some options can be configured in LDAP as idnsConfigObject attributes.
95dc3d
-Value configured in LDAP has priority over value in configuration file.
95dc3d
-(This behavior will change in future versions!)
95dc3d
-
95dc3d
-Following options are supported (option = attribute equivalent):
95dc3d
-
95dc3d
-forwarders = idnsForwarders (BIND native option)
95dc3d
-forward = idnsForwardPolicy (BIND native option)
95dc3d
-sync_ptr = idnsAllowSyncPTR
95dc3d
-
95dc3d
-Forward policy option cannot be set without setting forwarders at the same time.
95dc3d
-
95dc3d
-
95dc3d
-6. DNSSEC support
95dc3d
-=================
95dc3d
-
95dc3d
-In-line signing support in this plugin allows to use this BIND feature
95dc3d
-for zones in LDAP.
95dc3d
-
95dc3d
-Signatures are automatically generated by plugin during zone loading
95dc3d
-and signatures are never written back to LDAP. DNSKEY, RRSIG, NSEC and NSEC3
95dc3d
-records in LDAP are ignored because they are automatically managed by BIND.
95dc3d
-
95dc3d
-NSEC3 can be enabled by writting NSEC3PARAM RR to particular zone object
95dc3d
-in LDAP.
95dc3d
-
95dc3d
-Dynamic updates made to in-line signed zones are written back to LDAP as usual
95dc3d
-and respective signatures are automatically re-generated as necessary.
95dc3d
-
95dc3d
-Key management has to be handled by user, i.e. user has to
95dc3d
-generate/delete keys and configure key timestamps as appropriate.
95dc3d
-
95dc3d
-Key directory for particular DNS zone is automatically configured to value:
95dc3d
-<plugin-instance-dir>/master/<zone-name>/keys
95dc3d
-
95dc3d
-<plugin-instance-dir> is described in section 5.1.3 of this file.
95dc3d
-<zone-name> is (transformed) textual representation of zone name without
95dc3d
-trailing period.
95dc3d
-
95dc3d
-Zone name will be automatically transformed before usage:
95dc3d
-- root zone is translated to '@' to prevent collision with filesystem '.'
95dc3d
-- digits, hyphen and underscore are left intact
95dc3d
-- letters of English alphabet are downcased
95dc3d
-- all other characters are escaped using %ASCII_HEX form, e.g. '/' => '%2F'
95dc3d
-- final dot is omited
95dc3d
-- labels are separated with '.'
95dc3d
-
95dc3d
-Example:
95dc3d
-* BIND directory: "/var/named"
95dc3d
-* bind-dyndb-ldap directory: "dyndb-ldap"
95dc3d
-* LDAP instance name: "ipa"
95dc3d
-* DNS zone: "example.com."
95dc3d
-* Resulting keys directory: "/var/named/dyndb-ldap/ipa/master/example.com/keys"
95dc3d
-
95dc3d
-* DNS zone: "TEST.0/1.a."
95dc3d
-* Resulting keys directory: "/var/named/dyndb-ldap/ipa/master/test.0%2F1.a/keys"
95dc3d
-
95dc3d
-Make sure that keys directory and files is readable by user used for BIND.
95dc3d
-
95dc3d
-
95dc3d
-7. License
95dc3d
-==========
95dc3d
-
95dc3d
-This package is licensed under the GNU General Public License, version 2
95dc3d
-only. See file COPYING for more information.
95dc3d
diff --git a/README.md b/README.md
95dc3d
new file mode 100644
95dc3d
index 0000000..de9cd1f
95dc3d
--- /dev/null
95dc3d
+++ b/README.md
95dc3d
@@ -0,0 +1,591 @@
95dc3d
+1. Introduction
95dc3d
+===============
95dc3d
+The dynamic LDAP back-end is a plug-in for BIND that provides an LDAP
95dc3d
+database back-end capabilities. It requires dyndb interface which is present
95dc3d
+in BIND versions >= 9.11.0rc1.
95dc3d
+
95dc3d
+
95dc3d
+2. Features
95dc3d
+===========
95dc3d
+
95dc3d
+* support for dynamic updates
95dc3d
+* SASL authentication
95dc3d
+* SyncRepl (RFC 4533) for run-time synchronization with LDAP server
95dc3d
+* read-query performance nearly same as with plain BIND
95dc3d
+* AXFR and IXFR zone transfers are supported
95dc3d
+* DNSSEC in-line signing is supported, including dynamic updates
95dc3d
+
95dc3d
+
95dc3d
+3. Installation
95dc3d
+===============
95dc3d
+
95dc3d
+To install the LDAP back-end, extract the tarball and go to the unpacked
95dc3d
+directory. Then follow these steps:
95dc3d
+
95dc3d
+	$ ./configure --libdir=<libdir>
95dc3d
+	$ make
95dc3d
+
95dc3d
+Where `<libdir>` is a directory where your libdns is installed. This is
95dc3d
+typically going to be `/usr/lib` or `/usr/lib64` on 64 bit systems.
95dc3d
+
95dc3d
+If configure script complains that it `Can't obtain libdns version`,
95dc3d
+please verify you have installed bind development files (package bind9-dev
95dc3d
+or bind-devel) and you exported correct CPPFLAGS via
95dc3d
+
95dc3d
+	$ export CPPFLAGS=`isc-config.sh --cflags`
95dc3d
+
95dc3d
+Then, to install, run this as root:
95dc3d
+
95dc3d
+	$ make install
95dc3d
+
95dc3d
+This will install the file `ldap.so` into the `<libdir>/bind/` directory.
95dc3d
+
95dc3d
+Alternatively, the latest version can be obtained from Git repository.
95dc3d
+You can use following commands to prepare latest source tree for compilation:
95dc3d
+
95dc3d
+	$ git clone https://git.fedorahosted.org/git/bind-dyndb-ldap.git
95dc3d
+	$ cd bind-dyndb-ldap
95dc3d
+	$ autoreconf -fvi
95dc3d
+
95dc3d
+4. LDAP schema
95dc3d
+==============
95dc3d
+
95dc3d
+You can find the complete LDAP schema in the documentation directory. An
95dc3d
+example zone ldif is available in the doc directory.
95dc3d
+
95dc3d
+4.1 Master zone (idnsZone)
95dc3d
+--------------------------
95dc3d
+Object class `idnsZone` is equivalent to type `master` statement in `named.conf`.
95dc3d
+
95dc3d
+### Attributes
95dc3d
+* idnsAllowDynUpdate
95dc3d
+
95dc3d
+	Allow dynamic update of records in this zone. If attribute doesn't exist,
95dc3d
+	value `dyn_update` from plugin configuration will be used.
95dc3d
+
95dc3d
+* idnsAllowQuery
95dc3d
+
95dc3d
+	Specifies BIND9 zone ACL element as one string.
95dc3d
+
95dc3d
+	* Example 1: `idnsAllowQuery: 192.0.2.1;`
95dc3d
+	
95dc3d
+		In the first example above, only the client with 192.0.2.1
95dc3d
+		IP address is allowed to query records from the zone.
95dc3d
+
95dc3d
+	* Example 2: `idnsAllowQuery: !192.0.2.33; 192.0.2.0/24;`
95dc3d
+	
95dc3d
+		In the second example, queries from client 192.0.2.33
95dc3d
+		are refused but queries from all other clients in
95dc3d
+		the 192.0.2.0/24 network are allowed.
95dc3d
+
95dc3d
+	You can specify IPv4/IPv6 address, IPv4/IPv6 network address in CIDR
95dc3d
+	format, and `any` or `none` keywords. The `!` prefix (for example
95dc3d
+	`!192.0.2.33`) means negation of the ACL element.
95dc3d
+
95dc3d
+	If not set, then zone inherits global allow-query from named.conf.
95dc3d
+
95dc3d
+* idnsAllowTransfer
95dc3d
+
95dc3d
+	Uses same format as `idnsAllowQuery`. Allows zone transfers for matching
95dc3d
+	clients.
95dc3d
+
95dc3d
+	If not set then zone inherits global allow-transfer from named.conf.
95dc3d
+
95dc3d
+* idnsAllowSyncPTR
95dc3d
+
95dc3d
+	Allow synchronization of A/AAAA records in zone with PTR records in reverse
95dc3d
+	zone. Reverse zone must have Dynamic update allowed. 
95dc3d
+	(See `idnsAllowDynUpdate` attribute and `dyn_update` configuration parameter.)
95dc3d
+
95dc3d
+* idnsForwardPolicy (default `first`)
95dc3d
+
95dc3d
+	Specifies BIND9 zone forward policy. Proprietary value `none`
95dc3d
+	is equivalent to `forwarders {};` in BIND configuration,
95dc3d
+	i.e. effectively disables forwarding and ignores `idnsForwarders`
95dc3d
+	attribute.
95dc3d
+
95dc3d
+	Values `first` and `only` are relevant in conjunction with a valid
95dc3d
+	idnsForwarders attribute. Their meaning is same as in BIND9.
95dc3d
+
95dc3d
+* idnsForwarders
95dc3d
+
95dc3d
+	Defines multiple IP addresses to which recursive queries will be
95dc3d
+	forwarded. This is equivalent to `forwarders` statement in `master`
95dc3d
+	zone configuration.
95dc3d
+
95dc3d
+	I.e. local BIND replies authoritatively to queries when possible
95dc3d
+	(including authoritative NXDOMAIN answers) so forwarding affects only
95dc3d
+	queries made by BIND to answer recursive queries which cannot be
95dc3d
+	answered locally. Please see
95dc3d
+	https://lists.isc.org/pipermail/bind-users/2006-January/060810.html
95dc3d
+	https://lists.isc.org/pipermail/bind-users/2011-March/083244.html
95dc3d
+
95dc3d
+	It is multi-value attribute: Each IP address (and optional port) has to
95dc3d
+	be in own value. BIND9 syntax for `forwarders` is required.
95dc3d
+	Optional port can be specified by adding ` port <number>` after IP 
95dc3d
+	address. IPv4 and IPv6 addresses are supported.
95dc3d
+	Examples:
95dc3d
+	* `1.2.3.4`
95dc3d
+	* `1.2.3.4 port 553`
95dc3d
+	* `A::B`
95dc3d
+	* `A::B port 553`
95dc3d
+
95dc3d
+* idnsName
95dc3d
+
95dc3d
+	Absolute name of DNS zone. It is recommended to use names with trailing
95dc3d
+	period, e.g. `example.com.`
95dc3d
+
95dc3d
+* idnsSecInlineSigning (default `FALSE`)
95dc3d
+
95dc3d
+	DNSSEC in-line signing configuration. Value TRUE is equivalent to
95dc3d
+	following zone configuration in named.conf (default BIND values):
95dc3d
+
95dc3d
+		auto-dnssec maintain;
95dc3d
+		sig-validity-interval 2592000; # 30 days
95dc3d
+		# re-sign interval will be 648000 seconds = 7.5 days
95dc3d
+		sig-signing-signatures 10;
95dc3d
+		sig-signing-nodes 10;
95dc3d
+		sig-signing-type 65534;
95dc3d
+		update-check-ksk yes;
95dc3d
+		dnssec-loadkeys-interval 60;   # minutes
95dc3d
+		key-directory "<plugin-instance-dir>/<zone-name>/keys";
95dc3d
+
95dc3d
+	There is no way to change those values at this moment.
95dc3d
+
95dc3d
+* idnsSOAserial
95dc3d
+
95dc3d
+	SOA serial number. It is automatically incremented after each change
95dc3d
+	in LDAP. External changes done by other LDAP clients are detected via
95dc3d
+	RFC 4533 (so-called syncrepl).
95dc3d
+
95dc3d
+	If serial number is lower than current UNIX timestamp, then
95dc3d
+	it is set to the timestamp value. If SOA serial is greater or equal
95dc3d
+	to current timestamp, then the serial is incremented by one.
95dc3d
+	(This is equivalent to BIND option 'serial-update-method unix'.)
95dc3d
+
95dc3d
+	In multi-master LDAP environments it is recommended to make
95dc3d
+	idnsSOAserial attribute non-replicated (locally significant).
95dc3d
+	It is recommended not to use multiple masters for single slave zone
95dc3d
+	if SOA serial is locally significant because serial numbers between
95dc3d
+	masters	aren't synchronized. It will cause problems with zone
95dc3d
+	transfers from multiple masters to single slave.
95dc3d
+
95dc3d
+* idnsZoneActive
95dc3d
+
95dc3d
+	Boolean which speicifies if particular DNS zone should be visible
95dc3d
+	to clients or not. This attribute can be changed at run-time.
95dc3d
+
95dc3d
+	Inactive zones are loaded into memory in the same way as active zones.
95dc3d
+	The only difference is that inactive zones are not added to DNS view
95dc3d
+	used by bind-dyndb-ldap.
95dc3d
+
95dc3d
+	Zone will be re-added to DNS view if idnsActiveZone attribute is
95dc3d
+	changed to TRUE so the change should be almost immediate.
95dc3d
+
95dc3d
+	Usual zone maintenance (serial number maintenance, DNSSEC in-line
95dc3d
+	signing etc.) is done for all zones, no matter if the zone
95dc3d
+	is active or not. This allows us to maintain zone journal so IXFR
95dc3d
+	works correctly even after zone re-activation.
95dc3d
+
95dc3d
+* nSEC3PARAMRecord
95dc3d
+
95dc3d
+	NSEC3PARAM resource record definition according to RFC5155.
95dc3d
+	Zone without NSEC3PARAM RR will use NSEC by default.
95dc3d
+
95dc3d
+
95dc3d
+4.2 Forward zone (idnsForwardZone)
95dc3d
+----------------------------------
95dc3d
+Object class `idnsForwardZone` is equivalent to type `forward` statement
95dc3d
+in named.conf.
95dc3d
+
95dc3d
+### Attributes
95dc3d
+* idnsForwarders
95dc3d
+
95dc3d
+	Defines multiple IP addresses to which all queries for sub-tree of DNS
95dc3d
+	will be forwarded. This is equivalent to `forwarders` statement in
95dc3d
+	`forward` zone configuration.
95dc3d
+
95dc3d
+	It is multi-value attribute: Each IP address (and optional port) has to
95dc3d
+	be in own value. BIND9 syntax for `forwarders` is required.
95dc3d
+	Optional port can be specified by adding ` port <number>` after IP 
95dc3d
+	address. IPv4 and IPv6 addresses are supported.
95dc3d
+	Examples:
95dc3d
+	* `1.2.3.4`
95dc3d
+	* `1.2.3.4 port 553`
95dc3d
+	* `A::B`
95dc3d
+	* `A::B port 553`
95dc3d
+
95dc3d
+* idnsForwardPolicy (default `first`)
95dc3d
+
95dc3d
+	Specifies BIND9 zone forward policy. Proprietary value `none`
95dc3d
+	is equivalent to `forwarders {};` in BIND configuration,
95dc3d
+	i.e. effectively disables forwarding and ignores `idnsForwarders`
95dc3d
+	attribute.
95dc3d
+
95dc3d
+	Values `first` and `only` are relevant in conjunction with a valid
95dc3d
+	`idnsForwarders` attribute. Their meaning is same as in BIND9.
95dc3d
+
95dc3d
+* idnsName
95dc3d
+
95dc3d
+	Absolute name of DNS zone. It is recommended to use names with trailing
95dc3d
+	period, e.g. `example.com.`
95dc3d
+
95dc3d
+Forward zones may conflict with automatic empty zones (defined in RFC 6303)
95dc3d
+because empty zones are authoritative and thus have higher priority
95dc3d
+than forwarding.
95dc3d
+Bind-dyndb-ldap will automatically unload empty zones which are super/sub
95dc3d
+domains of a forward zones if the forwarding policy is `only`.
95dc3d
+A warning will be issued (and zone not unloaded) if the policy is `first`
95dc3d
+because this policy does not guarantee that queries will not leak to
95dc3d
+the public Internet.
95dc3d
+
95dc3d
+Unloaded empty zones will not be loaded back even if the forward zone is later
95dc3d
+deleted. The empty zones will be loaded on each BIND reload.
95dc3d
+
95dc3d
+
95dc3d
+4.3 Global configuration object (idnsConfigObject)
95dc3d
+--------------------------------------------------
95dc3d
+Object class idnsConfigObject provides global configuration common
95dc3d
+for all zones.
95dc3d
+
95dc3d
+### Attributes
95dc3d
+* idnsAllowSyncPTR
95dc3d
+
95dc3d
+	Semantics is equivalent to `sync_ptr` option described in plugin's
95dc3d
+	config and to `idnsAllowSyncPTR` attribute in `idnsZone`.
95dc3d
+
95dc3d
+* idnsForwarders
95dc3d
+* idnsForwardPolicy
95dc3d
+
95dc3d
+	Semantics is equivalent to `forward` statement in `named.conf`.
95dc3d
+	Syntax is the same as in forward zone, please see previous section.
95dc3d
+
95dc3d
+
95dc3d
+4.4 Per-server configuration object (idnsServerConfigObject)
95dc3d
+------------------------------------------------------------
95dc3d
+Object class idnsConfigObject provides global configuration common
95dc3d
+for all zones. A plugin instance will read configuration
95dc3d
+only from entries with matching idnsServerId.
95dc3d
+
95dc3d
+### Attributes
95dc3d
+* idnsServerId
95dc3d
+
95dc3d
+	Configuration identifier (arbitrary string).
95dc3d
+	A plugin instance will use only objects whose `idnsServerId` value
95dc3d
+	matches `server_id` value in plugin's config.
95dc3d
+
95dc3d
+* idnsForwarders
95dc3d
+* idnsForwardPolicy
95dc3d
+
95dc3d
+	Same meaning as in global configuration object (`idnsConfigObject`).
95dc3d
+
95dc3d
+* idnsSOAmName
95dc3d
+
95dc3d
+	Equivalent to `fake_mname` option in plugin's config.
95dc3d
+
95dc3d
+* idnsSubstitutionVariable
95dc3d
+
95dc3d
+	This attribute associates string value with user-defined name.
95dc3d
+	These named variables can be used later in record template processing.
95dc3d
+	Variable name is specified as LDAP sub-type. (The attribute cannot be
95dc3d
+	used without sub-type. Exactly one instance of each sub-type
95dc3d
+	is required.)
95dc3d
+	For further information please see
95dc3d
+	https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/RecordGenerator
95dc3d
+
95dc3d
+	LIMITATION: Current plugin version supports only `ipalocation` variable
95dc3d
+
95dc3d
+
95dc3d
+4.5 Record template (idnsTemplateObject)
95dc3d
+----------------------------------------
95dc3d
+Object class idnsTemplateObject provides facility for dynamic resource record
95dc3d
+generation. The template entry must contain idnsTemplateAttribute with
95dc3d
+string template.
95dc3d
+
95dc3d
+Optionally the same entry can contain statically defined resource records
95dc3d
+in *Record attributes. All statically defined record values are ignored
95dc3d
+when template is present and substitution into template is successful.
95dc3d
+The substitution is successful only if all variables used
95dc3d
+by the template string are defined.
95dc3d
+
95dc3d
+### Attributes
95dc3d
+* idnsTemplateAttribute
95dc3d
+	String subtitution template. All occurrences of \{variable_name\}
95dc3d
+	are replaced with respective strings from plugin configuration.
95dc3d
+	Remaining parts of the original string are just copied into the output.
95dc3d
+
95dc3d
+	Double-escaped strings \\{ \\} do not trigger substitution.
95dc3d
+	Nested references will expand only innermost variable: \{\{var1\}\}
95dc3d
+	Non-matching parentheses and other garbage will be copied verbatim
95dc3d
+	without triggering an error.
95dc3d
+
95dc3d
+	Resulting resource record type is specified as LDAP sub-type.
95dc3d
+	(The attribute cannot be used without sub-type.
95dc3d
+	Exactly one instance of each sub-type is required.)
95dc3d
+
95dc3d
+	Example - LDIF snippet:
95dc3d
+	
95dc3d
+		idnsSubstitutionVariable;ipalocation: brno
95dc3d
+		idnsTemplateAttribute;CNAMERecord: server.\{substitutionvariable_ipalocation\}
95dc3d
+	will generate CNAME record: `server.brno`
95dc3d
+		
95dc3d
+	For further information please see
95dc3d
+	https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/RecordGenerator
95dc3d
+
95dc3d
+
95dc3d
+5. Configuration
95dc3d
+================
95dc3d
+
95dc3d
+To configure dynamic loading of back-end, you must put a `dyndb`
95dc3d
+clause into your named.conf. The clause must then be followed by a
95dc3d
+string denoting the name of the instance and path to dyndb library.
95dc3d
+
95dc3d
+The name is not that much important, it is passed to the plug-in
95dc3d
+and is used for logging purposes and for naming working directories.
95dc3d
+
95dc3d
+Library path must point to a shared object file that will be opened and loaded.
95dc3d
+
95dc3d
+Name and library path have to be followed by set of options enclosed between
95dc3d
+curly brackets. Example:
95dc3d
+
95dc3d
+	dyndb "example-ldap" "/usr/lib64/bind/ldap.so" {
95dc3d
+		uri "ldap://ldap.example.com";
95dc3d
+		base "cn=dns, dc=example,dc=com";
95dc3d
+		auth_method "none";
95dc3d
+	};
95dc3d
+
95dc3d
+5.1 Configuration options
95dc3d
+-------------------------
95dc3d
+List of configuration options follows:
95dc3d
+
95dc3d
+5.1.1 LDAP connection
95dc3d
+---------------------
95dc3d
+* uri
95dc3d
+
95dc3d
+	The Uniform Resource Identifier pointing to the LDAP server we
95dc3d
+	wish to connect to. This string is directly passed to the
95dc3d
+	ldap_initialize(3) function. This option is mandatory.
95dc3d
+	Example: "ldap://ldap.example.com"
95dc3d
+
95dc3d
+* connections (default 2)
95dc3d
+
95dc3d
+	Number of connections the LDAP driver should try to establish to
95dc3d
+	the LDAP server. It's best if this matches the number of threads
95dc3d
+	BIND creates, for performance reasons. However, your LDAP server
95dc3d
+	configuration might only allow certain number of connections per
95dc3d
+	client.
95dc3d
+
95dc3d
+* base
95dc3d
+	This is the search base that will be used by the LDAP back-end
95dc3d
+	to search for DNS zones. This option is mandatory.
95dc3d
+	Example: "cn=dns, dc=example,dc=com";
95dc3d
+
95dc3d
+* auth_method (default "none")
95dc3d
+
95dc3d
+	The method used to authenticate to the LDAP server. Currently
95dc3d
+	supported methods are "none", "simple" and "sasl". The none
95dc3d
+	method is effectively a simple authentication without password.
95dc3d
+
95dc3d
+* bind_dn (default "")
95dc3d
+
95dc3d
+	Distinguished Name used to bind to the LDAP server. If this is
95dc3d
+	empty and the auth_method is set to "simple", the LDAP back-end
95dc3d
+	will fall-back and use the "none" authentication method.
95dc3d
+
95dc3d
+* password (default "")
95dc3d
+
95dc3d
+	Password for simple and SASL authentication. If the authentication
95dc3d
+	method is set to "simple" and the password is empty, the LDAP
95dc3d
+	driver will fall-back to the "none" authentication method.
95dc3d
+
95dc3d
+* sasl_mech (default "GSSAPI")
95dc3d
+
95dc3d
+	Name of the SASL mechanism to be used for negotiation.
95dc3d
+
95dc3d
+* sasl_auth_name
95dc3d
+
95dc3d
+	The user name to be used for SASL authentication.
95dc3d
+
95dc3d
+* sasl_user
95dc3d
+
95dc3d
+	The user name to be used for SASL proxy authorization.
95dc3d
+
95dc3d
+* sasl_password
95dc3d
+
95dc3d
+	The password to use for the SASL authentication.
95dc3d
+
95dc3d
+* sasl_realm
95dc3d
+
95dc3d
+	The SASL realm name.
95dc3d
+
95dc3d
+* krb5_keytab
95dc3d
+
95dc3d
+	Path to the kerberos keytab containing service credentials to be used
95dc3d
+	for SASL authentication. Append the "FILE:" prefix to the file path.
95dc3d
+	Example: "FILE:/etc/named.keytab"
95dc3d
+
95dc3d
+* krb5_principal
95dc3d
+
95dc3d
+	Kerberos principal of the service, used for SASL authentication.
95dc3d
+	If not set then it is copied from "sasl_user" option. Principal
95dc3d
+	is loaded from file specified in "krb5_keytab" option.
95dc3d
+
95dc3d
+* timeout (default 10)
95dc3d
+
95dc3d
+	Timeout (in seconds) of the queries to the LDAP server. If the LDAP
95dc3d
+	server don't respond before this timeout then lookup is aborted and
95dc3d
+	BIND returns SERVFAIL. Value "0" means infinite timeout (no timeout).
95dc3d
+
95dc3d
+* reconnect_interval (default 60)
95dc3d
+
95dc3d
+	Time (in seconds) after that the plugin should try to connect to LDAP 
95dc3d
+	server again in case connection is lost and immediate reconnection 
95dc3d
+	fails.
95dc3d
+
95dc3d
+* ldap_hostname (default "")
95dc3d
+
95dc3d
+	Sets hostname of the LDAP server. When it is set to "", actual
95dc3d
+	`/bin/hostname` is used. Please prefer `uri` option, this option should be
95dc3d
+	used only in special cases, for example when GSSAPI authentication
95dc3d
+	is used and named service has Kerberos principal different from
95dc3d
+	`/bin/hostname` output.
95dc3d
+
95dc3d
+
95dc3d
+5.1.2 Special DNS features
95dc3d
+--------------------------
95dc3d
+* fake_mname
95dc3d
+
95dc3d
+	Ignore value of the idnsSOAmName (primary master DNS name) attribute
95dc3d
+	and use this value instead. This allows multiple BIND processes to share
95dc3d
+	one LDAP database and every BIND reports itself as a primary master in
95dc3d
+	SOA record, for example.
95dc3d
+
95dc3d
+* sync_ptr (default no)
95dc3d
+
95dc3d
+	Set this option to `yes` if you would like to keep PTR record 
95dc3d
+	synchronized with coresponding A/AAAA record for all zones.
95dc3d
+	If this option is set to `no`, the LDAP driver will check
95dc3d
+	the idnsAllowSyncPTR attribute which specifies the synchronization
95dc3d
+	policy for PTR records in a zone. When an A/AAAA record is deleted 
95dc3d
+	the PTR record must point to the same hostname. 
95dc3d
+	
95dc3d
+* dyn_update (default no)
95dc3d
+
95dc3d
+	Set this option to `yes` if you would like to allow dynamic zone updates.
95dc3d
+	This setting can be overridden for each zone individually
95dc3d
+	by idnsAllowDynUpdate attribute.
95dc3d
+
95dc3d
+
95dc3d
+5.1.3 Plumbing
95dc3d
+--------------
95dc3d
+* verbose_checks (default no)
95dc3d
+
95dc3d
+	Set this option to `yes` if you would like to log all failures
95dc3d
+	in internal CHECK() macros. This option is recommended only for
95dc3d
+	debugging purposes. It could produce huge amount of log messages
95dc3d
+	on a loaded system!
95dc3d
+
95dc3d
+* directory (default is
95dc3d
+             `dyndb-ldap/<current instance name from dynamic-db directive>`)
95dc3d
+        
95dc3d
+	Specifies working directory for plug-in. The path has to be writeable
95dc3d
+	by named because plug-in will create sub-directory for each zone.
95dc3d
+	These sub-directories will contain temporary files like zone dump, zone
95dc3d
+	journal, zone keys etc.
95dc3d
+	The path is relative to `directory` specified in BIND options.
95dc3d
+	See section 6 (DNSSEC) for examples.
95dc3d
+
95dc3d
+5.2 Sample configuration
95dc3d
+------------------------
95dc3d
+Let's take a look at a sample configuration:
95dc3d
+
95dc3d
+	options {
95dc3d
+		directory "/var/named/";
95dc3d
+	};
95dc3d
+	
95dc3d
+	dyndb "my_db_name" "/usr/lib64/bind/ldap.so" {
95dc3d
+		uri "ldap://ldap.example.com";
95dc3d
+		base "cn=dns, dc=example,dc=com";
95dc3d
+		auth_method "none";
95dc3d
+	};
95dc3d
+
95dc3d
+With this configuration, the LDAP back-end will try to connect to server
95dc3d
+ldap.example.com with simple authentication, without any password. It
95dc3d
+will then use RFC 4533 refresh&persist search in the `cn=dns,dc=example,dc=com`
95dc3d
+base for entries with object class `idnsZone` and `idnsRecord`.
95dc3d
+For each idnsZone entry it will find, it will register a new zone with BIND.
95dc3d
+For each idnsRecord entry it will create domain name in particular zone.
95dc3d
+The LDAP back-end will keep each record it gets from LDAP in its memory.
95dc3d
+
95dc3d
+Working directory for the plug-in will be `/var/named/dyndb-ldap/my_db_name/`,
95dc3d
+so hypothetical zone `example.com` will use sub-directory
95dc3d
+`/var/named/dyndb-ldap/my_db_name/master/example.com/`.
95dc3d
+
95dc3d
+5.3 Configuration in LDAP
95dc3d
+-------------------------
95dc3d
+Some options can be configured in LDAP as `idnsConfigObject` attributes.
95dc3d
+Value configured in LDAP has priority over value in configuration file.
95dc3d
+(This behavior will change in future versions!)
95dc3d
+
95dc3d
+Following options are supported (option = attribute equivalent):
95dc3d
+option     | LDAP attribute
95dc3d
+-----------| --------------
95dc3d
+forwarders | idnsForwarders (BIND native option)
95dc3d
+forward    | idnsForwardPolicy (BIND native option)
95dc3d
+sync_ptr   | idnsAllowSyncPTR
95dc3d
+
95dc3d
+Forward policy option cannot be set without setting forwarders at the same time.
95dc3d
+
95dc3d
+
95dc3d
+6. DNSSEC support
95dc3d
+=================
95dc3d
+
95dc3d
+In-line signing support in this plugin allows to use this BIND feature
95dc3d
+for zones in LDAP.
95dc3d
+
95dc3d
+Signatures are automatically generated by plugin during zone loading
95dc3d
+and signatures are never written back to LDAP. DNSKEY, RRSIG, NSEC and NSEC3
95dc3d
+records in LDAP are ignored because they are automatically managed by BIND.
95dc3d
+
95dc3d
+NSEC3 can be enabled by writting NSEC3PARAM RR to particular zone object
95dc3d
+in LDAP.
95dc3d
+
95dc3d
+Dynamic updates made to in-line signed zones are written back to LDAP as usual
95dc3d
+and respective signatures are automatically re-generated as necessary.
95dc3d
+
95dc3d
+Key management has to be handled by user, i.e. user has to
95dc3d
+generate/delete keys and configure key timestamps as appropriate.
95dc3d
+
95dc3d
+Key directory for particular DNS zone is automatically configured to value:
95dc3d
+	<plugin-instance-dir>/master/<zone-name>/keys
95dc3d
+
95dc3d
+`<plugin-instance-dir>` is described in section 5.1.3 of this file.
95dc3d
+`<zone-name>` is (transformed) textual representation of zone name without
95dc3d
+trailing period.
95dc3d
+
95dc3d
+Zone name will be automatically transformed before usage:
95dc3d
+- root zone is translated to `@` to prevent collision with filesystem `.`
95dc3d
+- digits, hyphen and underscore are left intact
95dc3d
+- letters of English alphabet are downcased
95dc3d
+- all other characters are escaped using %ASCII_HEX form, e.g. `/` => `%2F`
95dc3d
+- final dot is omited
95dc3d
+- labels are separated with `.`
95dc3d
+
95dc3d
+Example:
95dc3d
+* BIND directory: `/var/named`
95dc3d
+* bind-dyndb-ldap directory: `dyndb-ldap`
95dc3d
+* LDAP instance name: `ipa`
95dc3d
+* DNS zone: `example.com.`
95dc3d
+* Resulting keys directory: `/var/named/dyndb-ldap/ipa/master/example.com/keys`
95dc3d
+
95dc3d
+* DNS zone: `TEST.0/1.a.`
95dc3d
+* Resulting keys directory: `/var/named/dyndb-ldap/ipa/master/test.0%2F1.a/keys`
95dc3d
+
95dc3d
+Make sure that keys directory and files is readable by user used for BIND.
95dc3d
+
95dc3d
+
95dc3d
+7. License
95dc3d
+==========
95dc3d
+
95dc3d
+This package is licensed under the GNU General Public License, version 2
95dc3d
+only. See file COPYING for more information.
95dc3d
diff --git a/configure.ac b/configure.ac
95dc3d
index 9b26058..50e41f3 100644
95dc3d
--- a/configure.ac
95dc3d
+++ b/configure.ac
95dc3d
@@ -1,9 +1,9 @@
95dc3d
 AC_PREREQ([2.59])
95dc3d
-AC_INIT([bind-dyndb-ldap], [10.1], [freeipa-devel@redhat.com])
95dc3d
+AC_INIT([bind-dyndb-ldap], [11.0], [freeipa-devel@redhat.com])
95dc3d
 
95dc3d
 AM_INIT_AUTOMAKE([-Wall foreign dist-bzip2])
95dc3d
 
95dc3d
-AC_CONFIG_SRCDIR([src/zone_manager.h])
95dc3d
+AC_CONFIG_SRCDIR([src/ldap_driver.c])
95dc3d
 AC_CONFIG_HEADERS([config.h])
95dc3d
 AC_CONFIG_MACRO_DIR([m4])
95dc3d
 
95dc3d
@@ -105,18 +105,18 @@ int main(void) {
95dc3d
 [AC_MSG_ERROR([Cross compiling is not supported.])]
95dc3d
 )
95dc3d
 
95dc3d
-dnl isc__errno2result() is typically not present in standard header files
95dc3d
-AC_MSG_CHECKING([isc__errno2result availability in header files])
95dc3d
+dnl isc_errno_toresult() was not available in older header files
95dc3d
+AC_MSG_CHECKING([isc_errno_toresult availability])
95dc3d
 AC_TRY_RUN([
95dc3d
-#include <isc/errno2result.h>
95dc3d
+#include <isc/errno.h>
95dc3d
 int main(void) {
95dc3d
-	isc__errno2result(0);
95dc3d
+	isc_errno_toresult(0);
95dc3d
 	return 0;
95dc3d
 }],
95dc3d
 [AC_MSG_RESULT([yes])],
95dc3d
 [AC_MSG_ERROR([
95dc3d
- Can't find isc__errno2result() or header isc/errno2result.h:
95dc3d
- Please install bind-lite-devel package or similar.])],
95dc3d
+ Can't find isc_errno_toresult() or header isc/errno.h:
95dc3d
+ Please install bind-devel package or similar.])],
95dc3d
 [AC_MSG_ERROR([Cross compiling is not supported.])]
95dc3d
 )
95dc3d
 
95dc3d
diff --git a/doc/schema.ldif b/doc/schema.ldif
95dc3d
index 8fdc99f..77c5b0e 100644
95dc3d
--- a/doc/schema.ldif
95dc3d
+++ b/doc/schema.ldif
95dc3d
@@ -362,9 +362,16 @@ attributeTypes: ( 2.16.840.1.113730.3.8.5.31
95dc3d
  NAME 'idnsServerId'
95dc3d
  DESC 'DNS server identifier'
95dc3d
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
95dc3d
- EQUALITY caseIgnoreMatch
95dc3d
+ EQUALITY caseIgnoreMatch 
95dc3d
  SINGLE-VALUE )
95dc3d
 #
95dc3d
+attributeTypes: ( 2.16.840.1.113730.3.8.5.29 
95dc3d
+ NAME 'idnsTemplateAttribute' 
95dc3d
+ DESC 'Template attribute for dynamic attribute generation' 
95dc3d
+ EQUALITY caseIgnoreIA5Match 
95dc3d
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 
95dc3d
+ X-ORIGIN 'IPA v4.4' )
95dc3d
+#
95dc3d
 attributeTypes: ( 2.16.840.1.113730.3.8.5.30 
95dc3d
  NAME 'idnsSubstitutionVariable' 
95dc3d
  DESC 'User defined variable for DNS plugin' 
95dc3d
@@ -426,6 +433,6 @@ objectClasses: ( 2.16.840.1.113730.3.8.6.6
95dc3d
 objectClasses: ( 2.16.840.1.113730.3.8.6.5 
95dc3d
  NAME 'idnsTemplateObject' 
95dc3d
  DESC 'Template object for dynamic DNS attribute generation' 
95dc3d
- SUP top
95dc3d
+ SUP top 
95dc3d
  AUXILIARY 
95dc3d
  MUST ( idnsTemplateAttribute ) )
95dc3d
diff --git a/src/Makefile.am b/src/Makefile.am
95dc3d
index 238d8ef..e1e3968 100644
95dc3d
--- a/src/Makefile.am
95dc3d
+++ b/src/Makefile.am
95dc3d
@@ -4,7 +4,6 @@ bindplugindir=$(libdir)/bind
95dc3d
 HDRS =				\
95dc3d
 	acl.h			\
95dc3d
 	bindcfg.h		\
95dc3d
-	compat.h		\
95dc3d
 	empty_zones.h		\
95dc3d
 	fs.h			\
95dc3d
 	fwd.h			\
95dc3d
@@ -27,7 +26,6 @@ HDRS =				\
95dc3d
 	types.h			\
95dc3d
 	util.h			\
95dc3d
 	zone.h			\
95dc3d
-	zone_manager.h		\
95dc3d
 	zone_register.h
95dc3d
 
95dc3d
 ldap_la_SOURCES =		\
95dc3d
@@ -54,7 +52,6 @@ ldap_la_SOURCES =		\
95dc3d
 	syncrepl.c		\
95dc3d
 	str.c			\
95dc3d
 	zone.c			\
95dc3d
-	zone_manager.c		\
95dc3d
 	zone_register.c
95dc3d
 
95dc3d
 ldap_la_CFLAGS = -Wall -Wextra @WERROR@ -std=gnu99 -O2
95dc3d
diff --git a/src/compat.h b/src/compat.h
95dc3d
deleted file mode 100644
95dc3d
index 00e3da5..0000000
95dc3d
--- a/src/compat.h
95dc3d
+++ /dev/null
95dc3d
@@ -1,44 +0,0 @@
95dc3d
-/*
95dc3d
- * Copyright (C) 2009  bind-dyndb-ldap authors; see COPYING for license
95dc3d
- */
95dc3d
-
95dc3d
-#ifdef HAVE_CONFIG_H
95dc3d
-#include <config.h>
95dc3d
-#else
95dc3d
-#error "Can't compile without config.h"
95dc3d
-#endif
95dc3d
-
95dc3d
-/*
95dc3d
- * dns_rdatalist_fromrdataset() did not exist in older versions of libdns.
95dc3d
- * Add a substitude function here.
95dc3d
- */
95dc3d
-#if LIBDNS_VERSION_MAJOR < 40
95dc3d
-static inline isc_result_t
95dc3d
-dns_rdatalist_fromrdataset(dns_rdataset_t *rdataset,
95dc3d
-			   dns_rdatalist_t **rdatalist)
95dc3d
-{
95dc3d
-	REQUIRE(rdatalist != NULL && rdataset != NULL);
95dc3d
-
95dc3d
-	*rdatalist = rdataset->private1;
95dc3d
-
95dc3d
-	return ISC_R_SUCCESS;
95dc3d
-}
95dc3d
-#endif /* LIBDNS_VERSION_MAJOR < 40 */
95dc3d
-
95dc3d
-/*
95dc3d
- * In older libdns versions, isc_refcount_init() was defined as a macro.
95dc3d
- * However, in newer versions, it is a function returning isc_result_t type.
95dc3d
- * This piece of code should take care of that problem.
95dc3d
- */
95dc3d
-#if LIBDNS_VERSION_MAJOR < 30
95dc3d
-#include <isc/refcount.h>
95dc3d
-
95dc3d
-static inline isc_result_t
95dc3d
-isc_refcount_init_func(isc_refcount_t *ref, unsigned int n)
95dc3d
-{
95dc3d
-	isc_refcount_init(ref, n);
95dc3d
-	return ISC_R_SUCCESS;
95dc3d
-}
95dc3d
-#undef isc_refcount_init
95dc3d
-#define isc_refcount_init isc_refcount_init_func
95dc3d
-#endif /* LIBDNS_VERSION_MAJOR < 30 */
95dc3d
diff --git a/src/fs.c b/src/fs.c
95dc3d
index 09b71d7..61c46b5 100644
95dc3d
--- a/src/fs.c
95dc3d
+++ b/src/fs.c
95dc3d
@@ -10,7 +10,7 @@
95dc3d
 
95dc3d
 #include <isc/dir.h>
95dc3d
 #include <isc/file.h>
95dc3d
-#include <isc/errno2result.h>
95dc3d
+#include <isc/errno.h>
95dc3d
 #include <isc/result.h>
95dc3d
 #include <isc/string.h>
95dc3d
 #include <isc/util.h>
95dc3d
@@ -37,7 +37,7 @@ fs_dir_create(const char *dir_name)
95dc3d
 	if (ret == 0)
95dc3d
 		result = ISC_R_SUCCESS;
95dc3d
 	else
95dc3d
-		result = isc__errno2result(errno);
95dc3d
+		result = isc_errno_toresult(errno);
95dc3d
 
95dc3d
 	if (result != ISC_R_SUCCESS && result != ISC_R_FILEEXISTS) {
95dc3d
 		log_error_r("unable to create directory '%s', working directory "
95dc3d
@@ -50,7 +50,7 @@ fs_dir_create(const char *dir_name)
95dc3d
 		 * solely for this purpose. */
95dc3d
 		ret = chmod(dir_name, dir_mode);
95dc3d
 		if (ret != 0) {
95dc3d
-			result = isc__errno2result(errno);
95dc3d
+			result = isc_errno_toresult(errno);
95dc3d
 			log_error_r("unable to chmod directory '%s', "
95dc3d
 				    "working directory is '%s'",
95dc3d
 				    dir_name, dir_curr);
95dc3d
diff --git a/src/fwd.c b/src/fwd.c
95dc3d
index 1f6a9e5..840f0e8 100644
95dc3d
--- a/src/fwd.c
95dc3d
+++ b/src/fwd.c
95dc3d
@@ -69,11 +69,7 @@ fwd_list_len(dns_forwarders_t *fwdrs) {
95dc3d
 
95dc3d
 	REQUIRE(fwdrs != NULL);
95dc3d
 
95dc3d
-#if LIBDNS_VERSION_MAJOR < 140
95dc3d
-	for (isc_sockaddr_t *fwdr = ISC_LIST_HEAD(fwdrs->addrs);
95dc3d
-#else /* LIBDNS_VERSION_MAJOR >= 140 */
95dc3d
 	for (dns_forwarder_t *fwdr = ISC_LIST_HEAD(fwdrs->fwdrs);
95dc3d
-#endif
95dc3d
 	     fwdr != NULL;
95dc3d
 	     fwdr = ISC_LIST_NEXT(fwdr, link)) {
95dc3d
 		len++;
95dc3d
@@ -169,11 +165,7 @@ fwd_print_list_buff(isc_mem_t *mctx, dns_forwarders_t *fwdrs,
95dc3d
 	const cfg_obj_t *faddresses;
95dc3d
 	const cfg_listelt_t *fwdr_cfg; /* config representation */
95dc3d
 	/* internal representation */
95dc3d
-#if LIBDNS_VERSION_MAJOR < 140
95dc3d
-	isc_sockaddr_t *fwdr_int;
95dc3d
-#else /* LIBDNS_VERSION_MAJOR >= 140 */
95dc3d
 	dns_forwarder_t *fwdr_int;
95dc3d
-#endif
95dc3d
 
95dc3d
 	isc_buffer_initnull(&tmp_buf);
95dc3d
 	tmp_buf.mctx = mctx;
95dc3d
@@ -197,20 +189,12 @@ fwd_print_list_buff(isc_mem_t *mctx, dns_forwarders_t *fwdrs,
95dc3d
 	 * data from the internal one to cfg data structures.*/
95dc3d
 	faddresses = cfg_tuple_get(forwarders_cfg, "addresses");
95dc3d
 	for (fwdr_int = ISC_LIST_HEAD(
95dc3d
-#if LIBDNS_VERSION_MAJOR < 140
95dc3d
-			fwdrs->addrs
95dc3d
-#else /* LIBDNS_VERSION_MAJOR >= 140 */
95dc3d
 			fwdrs->fwdrs
95dc3d
-#endif
95dc3d
 			), fwdr_cfg = cfg_list_first(faddresses);
95dc3d
 	     INSIST((fwdr_int == NULL) == (fwdr_cfg == NULL)), fwdr_int != NULL;
95dc3d
 	     fwdr_int = ISC_LIST_NEXT(fwdr_int, link), fwdr_cfg = cfg_list_next(fwdr_cfg)) {
95dc3d
-#if LIBDNS_VERSION_MAJOR < 140
95dc3d
-		fwdr_cfg->obj->value.sockaddr = *fwdr_int;
95dc3d
-#else /* LIBDNS_VERSION_MAJOR >= 140 */
95dc3d
 		fwdr_cfg->obj->value.sockaddrdscp.sockaddr = fwdr_int->addr;
95dc3d
 		fwdr_cfg->obj->value.sockaddrdscp.dscp = fwdr_int->dscp;
95dc3d
-#endif
95dc3d
 	}
95dc3d
 	cfg_print(faddresses, buffer_append_str, &tmp_buf);
95dc3d
 
95dc3d
@@ -259,12 +243,7 @@ cleanup:
95dc3d
 
95dc3d
 static isc_result_t
95dc3d
 fwd_parse_str(const char *fwdrs_str, isc_mem_t *mctx,
95dc3d
-#if LIBDNS_VERSION_MAJOR < 140
95dc3d
-	isc_sockaddrlist_t *fwdrs
95dc3d
-#else /* LIBDNS_VERSION_MAJOR >= 140 */
95dc3d
-	dns_forwarderlist_t *fwdrs
95dc3d
-#endif
95dc3d
-	)
95dc3d
+	      dns_forwarderlist_t *fwdrs)
95dc3d
 {
95dc3d
 	isc_result_t result = ISC_R_SUCCESS;
95dc3d
 	cfg_parser_t *parser = NULL;
95dc3d
@@ -274,11 +253,7 @@ fwd_parse_str(const char *fwdrs_str, isc_mem_t *mctx,
95dc3d
 	const cfg_listelt_t *listel;
95dc3d
 	const cfg_obj_t *fwdr_cfg;
95dc3d
 	isc_sockaddr_t addr;
95dc3d
-#if LIBDNS_VERSION_MAJOR < 140
95dc3d
-	isc_sockaddr_t *fwdr;
95dc3d
-#else /* LIBDNS_VERSION_MAJOR >= 140 */
95dc3d
 	dns_forwarder_t *fwdr;
95dc3d
-#endif
95dc3d
 
95dc3d
 	in_port_t port = 53;
95dc3d
 
95dc3d
@@ -301,12 +276,8 @@ fwd_parse_str(const char *fwdrs_str, isc_mem_t *mctx,
95dc3d
 		if (isc_sockaddr_getport(&addr) == 0)
95dc3d
 			isc_sockaddr_setport(&addr, port);
95dc3d
 		CHECKED_MEM_GET_PTR(mctx, fwdr);
95dc3d
-#if LIBDNS_VERSION_MAJOR < 140
95dc3d
-		*fwdr = addr;
95dc3d
-#else /* LIBDNS_VERSION_MAJOR >= 140 */
95dc3d
 		fwdr->addr = addr;
95dc3d
 		fwdr->dscp = cfg_obj_getdscp(fwdr_cfg);
95dc3d
-#endif
95dc3d
 		ISC_LINK_INIT(fwdr, link);
95dc3d
 		ISC_LIST_APPEND(*fwdrs, fwdr, link);
95dc3d
 	}
95dc3d
@@ -320,18 +291,8 @@ cleanup:
95dc3d
 }
95dc3d
 
95dc3d
 static void
95dc3d
-fwdr_list_free(isc_mem_t *mctx,
95dc3d
-#if LIBDNS_VERSION_MAJOR < 140
95dc3d
-	isc_sockaddrlist_t *fwdrs
95dc3d
-#else /* LIBDNS_VERSION_MAJOR >= 140 */
95dc3d
-	dns_forwarderlist_t *fwdrs
95dc3d
-#endif
95dc3d
-	) {
95dc3d
-#if LIBDNS_VERSION_MAJOR < 140
95dc3d
-	isc_sockaddr_t *fwdr;
95dc3d
-#else /* LIBDNS_VERSION_MAJOR >= 140 */
95dc3d
+fwdr_list_free(isc_mem_t *mctx, dns_forwarderlist_t *fwdrs) {
95dc3d
 	dns_forwarder_t *fwdr;
95dc3d
-#endif
95dc3d
 	while (!ISC_LIST_EMPTY(*fwdrs)) {
95dc3d
 		fwdr = ISC_LIST_HEAD(*fwdrs);
95dc3d
 		ISC_LIST_UNLINK(*fwdrs, fwdr, link);
95dc3d
@@ -357,11 +318,7 @@ fwd_setting_isexplicit(isc_mem_t *mctx, const settings_set_t *set,
95dc3d
 	isc_result_t result;
95dc3d
 	setting_t *setting = NULL;
95dc3d
 	dns_fwdpolicy_t	fwdpolicy;
95dc3d
-#if LIBDNS_VERSION_MAJOR < 140
95dc3d
-	isc_sockaddrlist_t fwdrs;
95dc3d
-#else /* LIBDNS_VERSION_MAJOR >= 140 */
95dc3d
 	dns_forwarderlist_t fwdrs;
95dc3d
-#endif
95dc3d
 
95dc3d
 	REQUIRE(isexplicit != NULL);
95dc3d
 	ISC_LIST_INIT(fwdrs);
95dc3d
@@ -440,11 +397,7 @@ fwd_parse_ldap(ldap_entry_t *entry, settings_set_t *set) {
95dc3d
 	ldap_valuelist_t values;
95dc3d
 	ldap_value_t *value;
95dc3d
 	isc_buffer_t *tmp_buf = NULL; /* hack: only the base buffer is allocated */
95dc3d
-#if LIBDNS_VERSION_MAJOR < 140
95dc3d
-	isc_sockaddrlist_t fwdrs;
95dc3d
-#else /* LIBDNS_VERSION_MAJOR >= 140 */
95dc3d
 	dns_forwarderlist_t fwdrs;
95dc3d
-#endif
95dc3d
 	const char *setting_str = NULL;
95dc3d
 
95dc3d
 	/**
95dc3d
@@ -547,11 +500,7 @@ fwd_configure_zone(const settings_set_t *set, ldap_instance_t *inst,
95dc3d
 	isc_mem_t *mctx = NULL;
95dc3d
 	dns_view_t *view = NULL;
95dc3d
 	isc_result_t lock_state = ISC_R_IGNORE;
95dc3d
-#if LIBDNS_VERSION_MAJOR < 140
95dc3d
-	isc_sockaddrlist_t fwdrs;
95dc3d
-#else /* LIBDNS_VERSION_MAJOR >= 140 */
95dc3d
 	dns_forwarderlist_t fwdrs;
95dc3d
-#endif
95dc3d
 	isc_boolean_t is_global_config;
95dc3d
 	dns_fixedname_t foundname;
95dc3d
 	const char *msg_use_global_fwds;
95dc3d
@@ -630,13 +579,8 @@ fwd_configure_zone(const settings_set_t *set, ldap_instance_t *inst,
95dc3d
 	run_exclusive_enter(inst, &lock_state);
95dc3d
 	CHECK(fwd_delete_table(view, name, msg_obj_type, set->name));
95dc3d
 	if (isconfigured == ISC_TRUE) {
95dc3d
-#if LIBDNS_VERSION_MAJOR < 140
95dc3d
-		CHECK(dns_fwdtable_add(view->fwdtable, name, &fwdrs,
95dc3d
-				       fwdpolicy));
95dc3d
-#else /* LIBDNS_VERSION_MAJOR >= 140 */
95dc3d
 		CHECK(dns_fwdtable_addfwd(view->fwdtable, name, &fwdrs,
95dc3d
 					  fwdpolicy));
95dc3d
-#endif
95dc3d
 	}
95dc3d
 	dns_view_flushcache(view);
95dc3d
 	run_exclusive_exit(inst, lock_state);
95dc3d
diff --git a/src/ldap_driver.c b/src/ldap_driver.c
95dc3d
index 83ec00a..b1b7336 100644
95dc3d
--- a/src/ldap_driver.c
95dc3d
+++ b/src/ldap_driver.c
95dc3d
@@ -9,13 +9,17 @@
95dc3d
 #endif
95dc3d
 
95dc3d
 #include <isc/buffer.h>
95dc3d
+#include <isc/commandline.h>
95dc3d
+#include <isc/hash.h>
95dc3d
+#include <isc/lib.h>
95dc3d
 #include <isc/mem.h>
95dc3d
+#include <isc/once.h>
95dc3d
 #include <isc/refcount.h>
95dc3d
 #include <isc/util.h>
95dc3d
 
95dc3d
 #include <dns/db.h>
95dc3d
 #include <dns/diff.h>
95dc3d
-#include <dns/dynamic_db.h>
95dc3d
+#include <dns/dyndb.h>
95dc3d
 #include <dns/dbiterator.h>
95dc3d
 #include <dns/rdata.h>
95dc3d
 #include <dns/rdataclass.h>
95dc3d
@@ -29,13 +33,12 @@
95dc3d
 
95dc3d
 #include <string.h> /* For memcpy */
95dc3d
 
95dc3d
-#include "compat.h"
95dc3d
+#include "bindcfg.h"
95dc3d
 #include "ldap_driver.h"
95dc3d
 #include "ldap_helper.h"
95dc3d
 #include "ldap_convert.h"
95dc3d
 #include "log.h"
95dc3d
 #include "util.h"
95dc3d
-#include "zone_manager.h"
95dc3d
 #include "zone_register.h"
95dc3d
 
95dc3d
 #ifdef HAVE_VISIBILITY
95dc3d
@@ -181,18 +184,9 @@ detach(dns_db_t **dbp)
95dc3d
 
95dc3d
 /* !!! This could be required for optimizations (like on-disk cache). */
95dc3d
 static isc_result_t
95dc3d
-#if LIBDNS_VERSION_MAJOR < 140
95dc3d
-beginload(dns_db_t *db, dns_addrdatasetfunc_t *addp, dns_dbload_t **dbloadp)
95dc3d
-{
95dc3d
-
95dc3d
-	UNUSED(db);
95dc3d
-	UNUSED(addp);
95dc3d
-	UNUSED(dbloadp);
95dc3d
-#else /* LIBDNS_VERSION_MAJOR >= 140 */
95dc3d
 beginload(dns_db_t *db, dns_rdatacallbacks_t *callbacks) {
95dc3d
 	UNUSED(db);
95dc3d
 	UNUSED(callbacks);
95dc3d
-#endif /* LIBDNS_VERSION_MAJOR >= 140 */
95dc3d
 
95dc3d
 	fatal_error("ldapdb: method beginload() should never be called");
95dc3d
 
95dc3d
@@ -207,17 +201,9 @@ beginload(dns_db_t *db, dns_rdatacallbacks_t *callbacks) {
95dc3d
 
95dc3d
 /* !!! This could be required for optimizations (like on-disk cache). */
95dc3d
 static isc_result_t
95dc3d
-#if LIBDNS_VERSION_MAJOR < 140
95dc3d
-endload(dns_db_t *db, dns_dbload_t **dbloadp)
95dc3d
-{
95dc3d
-
95dc3d
-	UNUSED(db);
95dc3d
-	UNUSED(dbloadp);
95dc3d
-#else /* LIBDNS_VERSION_MAJOR >= 140 */
95dc3d
 endload(dns_db_t *db, dns_rdatacallbacks_t *callbacks) {
95dc3d
 	UNUSED(db);
95dc3d
 	UNUSED(callbacks);
95dc3d
-#endif /* LIBDNS_VERSION_MAJOR >= 140 */
95dc3d
 
95dc3d
 	fatal_error("ldapdb: method endload() should never be called");
95dc3d
 
95dc3d
@@ -225,7 +211,6 @@ endload(dns_db_t *db, dns_rdatacallbacks_t *callbacks) {
95dc3d
 	return ISC_R_SUCCESS;
95dc3d
 }
95dc3d
 
95dc3d
-#if LIBDNS_VERSION_MAJOR >= 140
95dc3d
 static isc_result_t
95dc3d
 serialize(dns_db_t *db, dns_dbversion_t *version, FILE *file)
95dc3d
 {
95dc3d
@@ -235,23 +220,17 @@ serialize(dns_db_t *db, dns_dbversion_t *version, FILE *file)
95dc3d
 
95dc3d
 	return dns_db_serialize(ldapdb->rbtdb, version, file);
95dc3d
 }
95dc3d
-#endif /* LIBDNS_VERSION_MAJOR >= 140 */
95dc3d
 
95dc3d
 /* !!! This could be required for optimizations (like on-disk cache). */
95dc3d
 static isc_result_t
95dc3d
-dump(dns_db_t *db, dns_dbversion_t *version, const char *filename
95dc3d
-#if LIBDNS_VERSION_MAJOR >= 31
95dc3d
-     , dns_masterformat_t masterformat
95dc3d
-#endif
95dc3d
-     )
95dc3d
+dump(dns_db_t *db, dns_dbversion_t *version, const char *filename,
95dc3d
+     dns_masterformat_t masterformat)
95dc3d
 {
95dc3d
 
95dc3d
 	UNUSED(db);
95dc3d
 	UNUSED(version);
95dc3d
 	UNUSED(filename);
95dc3d
-#if LIBDNS_VERSION_MAJOR >= 31
95dc3d
 	UNUSED(masterformat);
95dc3d
-#endif
95dc3d
 
95dc3d
 	fatal_error("ldapdb: method dump() should never be called");
95dc3d
 
95dc3d
@@ -422,22 +401,14 @@ printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out)
95dc3d
 }
95dc3d
 
95dc3d
 static isc_result_t
95dc3d
-createiterator(dns_db_t *db,
95dc3d
-#if LIBDNS_VERSION_MAJOR >= 50
95dc3d
-	       unsigned int options,
95dc3d
-#else
95dc3d
-	       isc_boolean_t relative_names,
95dc3d
-#endif
95dc3d
+createiterator(dns_db_t *db,  unsigned int options,
95dc3d
 	       dns_dbiterator_t **iteratorp)
95dc3d
 {
95dc3d
 	ldapdb_t *ldapdb = (ldapdb_t *) db;
95dc3d
 
95dc3d
 	REQUIRE(VALID_LDAPDB(ldapdb));
95dc3d
-#if LIBDNS_VERSION_MAJOR >= 50
95dc3d
+
95dc3d
 	return dns_db_createiterator(ldapdb->rbtdb, options, iteratorp);
95dc3d
-#else
95dc3d
-	return dns_db_createiterator(ldapdb->rbtdb, relative_names, iteratorp);
95dc3d
-#endif
95dc3d
 }
95dc3d
 
95dc3d
 static isc_result_t
95dc3d
@@ -675,7 +646,6 @@ settask(dns_db_t *db, isc_task_t *task)
95dc3d
 	dns_db_settask(ldapdb->rbtdb, task);
95dc3d
 }
95dc3d
 
95dc3d
-#if LIBDNS_VERSION_MAJOR >= 31
95dc3d
 static isc_result_t
95dc3d
 getoriginnode(dns_db_t *db, dns_dbnode_t **nodep)
95dc3d
 {
95dc3d
@@ -685,9 +655,7 @@ getoriginnode(dns_db_t *db, dns_dbnode_t **nodep)
95dc3d
 
95dc3d
 	return dns_db_getoriginnode(ldapdb->rbtdb, nodep);
95dc3d
 }
95dc3d
-#endif /* LIBDNS_VERSION_MAJOR >= 31 */
95dc3d
 
95dc3d
-#if LIBDNS_VERSION_MAJOR >= 45
95dc3d
 static void
95dc3d
 transfernode(dns_db_t *db, dns_dbnode_t **sourcep, dns_dbnode_t **targetp)
95dc3d
 {
95dc3d
@@ -698,9 +666,7 @@ transfernode(dns_db_t *db, dns_dbnode_t **sourcep, dns_dbnode_t **targetp)
95dc3d
 	dns_db_transfernode(ldapdb->rbtdb, sourcep, targetp);
95dc3d
 
95dc3d
 }
95dc3d
-#endif /* LIBDNS_VERSION_MAJOR >= 45 */
95dc3d
 
95dc3d
-#if LIBDNS_VERSION_MAJOR >= 50
95dc3d
 static isc_result_t
95dc3d
 getnsec3parameters(dns_db_t *db, dns_dbversion_t *version,
95dc3d
 			  dns_hash_t *hash, isc_uint8_t *flags,
95dc3d
@@ -767,9 +733,7 @@ isdnssec(dns_db_t *db)
95dc3d
 
95dc3d
 	return dns_db_isdnssec(ldapdb->rbtdb);
95dc3d
 }
95dc3d
-#endif /* LIBDNS_VERSION_MAJOR >= 50 */
95dc3d
 
95dc3d
-#if LIBDNS_VERSION_MAJOR >= 45
95dc3d
 static dns_stats_t *
95dc3d
 getrrsetstats(dns_db_t *db) {
95dc3d
 	ldapdb_t *ldapdb = (ldapdb_t *) db;
95dc3d
@@ -779,35 +743,7 @@ getrrsetstats(dns_db_t *db) {
95dc3d
 	return dns_db_getrrsetstats(ldapdb->rbtdb);
95dc3d
 
95dc3d
 }
95dc3d
-#endif /* LIBDNS_VERSION_MAJOR >= 45 */
95dc3d
 
95dc3d
-#if LIBDNS_VERSION_MAJOR >= 82 && LIBDNS_VERSION_MAJOR < 140
95dc3d
-static isc_result_t
95dc3d
-rpz_enabled(dns_db_t *db, dns_rpz_st_t *st)
95dc3d
-{
95dc3d
-	ldapdb_t *ldapdb = (ldapdb_t *) db;
95dc3d
-
95dc3d
-	REQUIRE(VALID_LDAPDB(ldapdb));
95dc3d
-
95dc3d
-	return dns_db_rpz_enabled(ldapdb->rbtdb, st);
95dc3d
-}
95dc3d
-
95dc3d
-static void
95dc3d
-rpz_findips(dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type,
95dc3d
-		   dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
95dc3d
-		   dns_rdataset_t *ardataset, dns_rpz_st_t *st,
95dc3d
-		   dns_name_t *query_qname)
95dc3d
-{
95dc3d
-	ldapdb_t *ldapdb = (ldapdb_t *) db;
95dc3d
-
95dc3d
-	REQUIRE(VALID_LDAPDB(ldapdb));
95dc3d
-
95dc3d
-	dns_db_rpz_findips(rpz, rpz_type, zone, ldapdb->rbtdb, version,
95dc3d
-			   ardataset, st, query_qname);
95dc3d
-}
95dc3d
-#endif /* LIBDNS_VERSION_MAJOR >= 82 && LIBDNS_VERSION_MAJOR < 140 */
95dc3d
-
95dc3d
-#if LIBDNS_VERSION_MAJOR >= 140
95dc3d
 void
95dc3d
 rpz_attach(dns_db_t *db, dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num)
95dc3d
 {
95dc3d
@@ -827,9 +763,7 @@ rpz_ready(dns_db_t *db)
95dc3d
 
95dc3d
 	return dns_db_rpz_ready(ldapdb->rbtdb);
95dc3d
 }
95dc3d
-#endif /* LIBDNS_VERSION_MAJOR >= 140 */
95dc3d
 
95dc3d
-#if LIBDNS_VERSION_MAJOR >= 90
95dc3d
 static isc_result_t
95dc3d
 findnodeext(dns_db_t *db, dns_name_t *name,
95dc3d
 		   isc_boolean_t create, dns_clientinfomethods_t *methods,
95dc3d
@@ -858,9 +792,7 @@ findext(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
95dc3d
 			      nodep, foundname, methods, clientinfo, rdataset,
95dc3d
 			      sigrdataset);
95dc3d
 }
95dc3d
-#endif /* LIBDNS_VERSION_MAJOR >= 90 */
95dc3d
 
95dc3d
-#if LIBDNS_VERSION_MAJOR >= 140
95dc3d
 isc_result_t
95dc3d
 setcachestats(dns_db_t *db, isc_stats_t *stats)
95dc3d
 {
95dc3d
@@ -871,11 +803,7 @@ setcachestats(dns_db_t *db, isc_stats_t *stats)
95dc3d
 	return dns_db_setcachestats(ldapdb->rbtdb, stats);
95dc3d
 }
95dc3d
 
95dc3d
-#if LIBDNS_VERSION_MAJOR >= 164
95dc3d
 size_t
95dc3d
-#else
95dc3d
-unsigned int
95dc3d
-#endif /* LIBDNS_VERSION_MAJOR >= 164 */
95dc3d
 hashsize(dns_db_t *db)
95dc3d
 {
95dc3d
 	ldapdb_t *ldapdb = (ldapdb_t *) db;
95dc3d
@@ -884,16 +812,23 @@ hashsize(dns_db_t *db)
95dc3d
 
95dc3d
 	return dns_db_hashsize(ldapdb->rbtdb);
95dc3d
 }
95dc3d
-#endif /* LIBDNS_VERSION_MAJOR >= 140 */
95dc3d
+
95dc3d
+isc_result_t
95dc3d
+nodefullname(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name)
95dc3d
+{
95dc3d
+	ldapdb_t *ldapdb = (ldapdb_t *) db;
95dc3d
+
95dc3d
+	REQUIRE(VALID_LDAPDB(ldapdb));
95dc3d
+
95dc3d
+	return dns_db_nodefullname(ldapdb->rbtdb, node, name);
95dc3d
+}
95dc3d
 
95dc3d
 static dns_dbmethods_t ldapdb_methods = {
95dc3d
 	attach,
95dc3d
 	detach,
95dc3d
 	beginload,
95dc3d
 	endload,
95dc3d
-#if LIBDNS_VERSION_MAJOR >= 140
95dc3d
 	serialize, /* see dns_db_serialize(), implementation is not mandatory */
95dc3d
-#endif /* LIBDNS_VERSION_MAJOR >= 140 */
95dc3d
 	dump,
95dc3d
 	currentversion,
95dc3d
 	newversion,
95dc3d
@@ -917,37 +852,22 @@ static dns_dbmethods_t ldapdb_methods = {
95dc3d
 	ispersistent,
95dc3d
 	overmem,
95dc3d
 	settask,
95dc3d
-#if LIBDNS_VERSION_MAJOR >= 31
95dc3d
 	getoriginnode,
95dc3d
-#endif /* LIBDNS_VERSION_MAJOR >= 31 */
95dc3d
-#if LIBDNS_VERSION_MAJOR >= 45
95dc3d
 	transfernode,
95dc3d
-#if LIBDNS_VERSION_MAJOR >= 50
95dc3d
 	getnsec3parameters,
95dc3d
 	findnsec3node,
95dc3d
 	setsigningtime,
95dc3d
 	getsigningtime,
95dc3d
 	resigned,
95dc3d
 	isdnssec,
95dc3d
-#endif /* LIBDNS_VERSION_MAJOR >= 50 */
95dc3d
 	getrrsetstats,
95dc3d
-#endif /* LIBDNS_VERSION_MAJOR >= 45 */
95dc3d
-#if LIBDNS_VERSION_MAJOR >= 82 && LIBDNS_VERSION_MAJOR < 140
95dc3d
-	rpz_enabled,
95dc3d
-	rpz_findips,
95dc3d
-#endif /* LIBDNS_VERSION_MAJOR >= 82 && LIBDNS_VERSION_MAJOR < 140 */
95dc3d
-#if LIBDNS_VERSION_MAJOR >= 140
95dc3d
 	rpz_attach,
95dc3d
 	rpz_ready,
95dc3d
-#endif /* LIBDNS_VERSION_MAJOR >= 140 */
95dc3d
-#if LIBDNS_VERSION_MAJOR >= 90
95dc3d
 	findnodeext,
95dc3d
 	findext,
95dc3d
-#endif /* LIBDNS_VERSION_MAJOR >= 90 */
95dc3d
-#if LIBDNS_VERSION_MAJOR >= 140
95dc3d
 	setcachestats,
95dc3d
-	hashsize
95dc3d
-#endif /* LIBDNS_VERSION_MAJOR >= 140 */
95dc3d
+	hashsize,
95dc3d
+	nodefullname
95dc3d
 };
95dc3d
 
95dc3d
 isc_result_t ATTR_NONNULLS
95dc3d
@@ -1002,18 +922,17 @@ ldapdb_associate(isc_mem_t *mctx, dns_name_t *name, dns_dbtype_t type,
95dc3d
 		 void *driverarg, dns_db_t **dbp) {
95dc3d
 
95dc3d
 	isc_result_t result;
95dc3d
-	ldap_instance_t *ldap_inst = NULL;
95dc3d
+	ldap_instance_t *ldap_inst = driverarg;
95dc3d
 	zone_register_t *zr = NULL;
95dc3d
 
95dc3d
-	UNUSED(driverarg); /* Currently we don't need any data */
95dc3d
-
95dc3d
 	REQUIRE(ISCAPI_MCTX_VALID(mctx));
95dc3d
-	REQUIRE(argc == LDAP_DB_ARGC);
95dc3d
 	REQUIRE(type == LDAP_DB_TYPE);
95dc3d
 	REQUIRE(rdclass == LDAP_DB_RDATACLASS);
95dc3d
+	REQUIRE(argc == 0);
95dc3d
+	UNUSED(argv);
95dc3d
+	REQUIRE(driverarg != NULL);
95dc3d
 	REQUIRE(dbp != NULL && *dbp == NULL);
95dc3d
 
95dc3d
-	CHECK(manager_get_ldap_instance(argv[0], &ldap_inst));
95dc3d
 	zr = ldap_instance_getzr(ldap_inst);
95dc3d
 	if (zr == NULL)
95dc3d
 		CLEANUP_WITH(ISC_R_NOTFOUND);
95dc3d
@@ -1026,19 +945,16 @@ cleanup:
95dc3d
 
95dc3d
 isc_result_t
95dc3d
 ldapdb_create(isc_mem_t *mctx, dns_name_t *name, dns_dbtype_t type,
95dc3d
-	      dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
95dc3d
-	      void *driverarg, dns_db_t **dbp)
95dc3d
+	      dns_rdataclass_t rdclass, void *driverarg, dns_db_t **dbp)
95dc3d
 {
95dc3d
 	ldapdb_t *ldapdb = NULL;
95dc3d
 	isc_result_t result;
95dc3d
 	isc_boolean_t lock_ready = ISC_FALSE;
95dc3d
 
95dc3d
-	UNUSED(driverarg); /* Currently we don't need any data */
95dc3d
-
95dc3d
 	/* Database instance name. */
95dc3d
-	REQUIRE(argc == LDAP_DB_ARGC);
95dc3d
 	REQUIRE(type == LDAP_DB_TYPE);
95dc3d
 	REQUIRE(rdclass == LDAP_DB_RDATACLASS);
95dc3d
+	REQUIRE(driverarg != NULL);
95dc3d
 	REQUIRE(dbp != NULL && *dbp == NULL);
95dc3d
 
95dc3d
 	CHECKED_MEM_GET_PTR(mctx, ldapdb);
95dc3d
@@ -1060,7 +976,7 @@ ldapdb_create(isc_mem_t *mctx, dns_name_t *name, dns_dbtype_t type,
95dc3d
 	CHECK(dns_name_dupwithoffsets(name, mctx, &ldapdb->common.origin));
95dc3d
 
95dc3d
 	CHECK(isc_refcount_init(&ldapdb->refs, 1));
95dc3d
-	CHECK(manager_get_ldap_instance(argv[0], &ldapdb->ldap_inst));
95dc3d
+	ldapdb->ldap_inst = driverarg;
95dc3d
 
95dc3d
 	CHECK(dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
95dc3d
 			    dns_rdataclass_in, 0, NULL, &ldapdb->rbtdb));
95dc3d
@@ -1084,50 +1000,91 @@ cleanup:
95dc3d
 	return result;
95dc3d
 }
95dc3d
 
95dc3d
-static dns_dbimplementation_t *ldapdb_imp;
95dc3d
-const char *ldapdb_impname = "dynamic-ldap";
95dc3d
+static void
95dc3d
+library_init(void)
95dc3d
+{
95dc3d
+       log_info("bind-dyndb-ldap version " VERSION
95dc3d
+                " compiled at " __TIME__ " " __DATE__
95dc3d
+                ", compiler " __VERSION__);
95dc3d
+       cfg_init_types();
95dc3d
+}
95dc3d
+
95dc3d
+/*
95dc3d
+ * Driver version is called when loading the driver to ensure there
95dc3d
+ * is no API mismatch betwen the driver and the caller.
95dc3d
+ */
95dc3d
+VISIBLE int
95dc3d
+dyndb_version(unsigned int *flags) {
95dc3d
+	UNUSED(flags);
95dc3d
 
95dc3d
+	return (DNS_DYNDB_VERSION);
95dc3d
+}
95dc3d
 
95dc3d
+/*
95dc3d
+ * Driver init is called for each dyndb section in named.conf
95dc3d
+ * once during startup and then again on every reload.
95dc3d
+ *
95dc3d
+ * @code
95dc3d
+ * dyndb example-name "sample.so" { param1 param2 };
95dc3d
+ * @endcode
95dc3d
+ *
95dc3d
+ * @param[in] name        User-defined string from dyndb "name" {}; definition
95dc3d
+ *                        in named.conf.
95dc3d
+ *                        The example above will have name = "example-name".
95dc3d
+ * @param[in] parameters  User-defined parameters from dyndb section as one
95dc3d
+ *                        string. The example above will have
95dc3d
+ *                        params = "param1 param2";
95dc3d
+ * @param[out] instp      Pointer to instance-specific data
95dc3d
+ *                        (for one dyndb section).
95dc3d
+ */
95dc3d
 VISIBLE isc_result_t
95dc3d
-dynamic_driver_init(isc_mem_t *mctx, const char *name, const char * const *argv,
95dc3d
-		    dns_dyndb_arguments_t *dyndb_args)
95dc3d
+dyndb_init(isc_mem_t *mctx, const char *name, const char *parameters,
95dc3d
+	   const char *file, unsigned long line, const dns_dyndbctx_t *dctx,
95dc3d
+	   void **instp)
95dc3d
 {
95dc3d
-	dns_dbimplementation_t *ldapdb_imp_new = NULL;
95dc3d
+	ldap_instance_t *inst = NULL;
95dc3d
 	isc_result_t result;
95dc3d
+	static isc_once_t library_init_once = ISC_ONCE_INIT;
95dc3d
 
95dc3d
 	REQUIRE(name != NULL);
95dc3d
-	REQUIRE(argv != NULL);
95dc3d
-	REQUIRE(dyndb_args != NULL);
95dc3d
+	REQUIRE(parameters != NULL);
95dc3d
+	REQUIRE(dctx != NULL);
95dc3d
+	REQUIRE(instp != NULL && *instp == NULL);
95dc3d
 
95dc3d
-	log_debug(2, "registering dynamic ldap driver for %s.", name);
95dc3d
+	RUNTIME_CHECK(isc_once_do(&library_init_once, library_init)
95dc3d
+		      == ISC_R_SUCCESS);
95dc3d
 
95dc3d
 	/*
95dc3d
-	 * We need to discover what rdataset methods does
95dc3d
-	 * dns_rdatalist_tordataset use. We then make a copy for ourselves
95dc3d
-	 * with the exception that we modify the disassociate method to free
95dc3d
-	 * the rdlist we allocate for it in clone_rdatalist_to_rdataset().
95dc3d
+	 * Depending on how dlopen() was called, we may not have
95dc3d
+	 * access to named's global namespace, in which case we need
95dc3d
+	 * to initialize libisc/libdns
95dc3d
 	 */
95dc3d
+	if (dctx->refvar != &isc_bind9) {
95dc3d
+		isc_lib_register();
95dc3d
+		isc_log_setcontext(dctx->lctx);
95dc3d
+		dns_log_setcontext(dctx->lctx);
95dc3d
+	}
95dc3d
 
95dc3d
-	/* Register new DNS DB implementation. */
95dc3d
-	result = dns_db_register(ldapdb_impname, &ldapdb_associate, NULL, mctx,
95dc3d
-				 &ldapdb_imp_new);
95dc3d
-	if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS)
95dc3d
-		return result;
95dc3d
-	else if (result == ISC_R_SUCCESS)
95dc3d
-		ldapdb_imp = ldapdb_imp_new;
95dc3d
+	isc_hash_set_initializer(dctx->hashinit);
95dc3d
+
95dc3d
+	log_debug(2, "registering dynamic ldap driver for %s.", name);
95dc3d
 
95dc3d
 	/* Finally, create the instance. */
95dc3d
-	result = manager_create_db_instance(mctx, name, argv, dyndb_args);
95dc3d
+	CHECK(new_ldap_instance(mctx, name, parameters, file, line, dctx,
95dc3d
+				&inst));
95dc3d
+	*instp = inst;
95dc3d
 
95dc3d
+cleanup:
95dc3d
 	return result;
95dc3d
 }
95dc3d
 
95dc3d
+/*
95dc3d
+ * Driver destroy is called for every instance on every reload and then once
95dc3d
+ * during shutdown.
95dc3d
+ *
95dc3d
+ * @param[out] instp Pointer to instance-specific data (for one dyndb section).
95dc3d
+ */
95dc3d
 VISIBLE void
95dc3d
-dynamic_driver_destroy(void)
95dc3d
-{
95dc3d
-	/* Only unregister the implementation if it was registered by us. */
95dc3d
-	if (ldapdb_imp != NULL)
95dc3d
-		dns_db_unregister(&ldapdb_imp);
95dc3d
-
95dc3d
-	destroy_manager();
95dc3d
+dyndb_destroy(void **instp) {
95dc3d
+	destroy_ldap_instance((ldap_instance_t **)instp);
95dc3d
 }
95dc3d
diff --git a/src/ldap_driver.h b/src/ldap_driver.h
95dc3d
index 73c4827..62d50f6 100644
95dc3d
--- a/src/ldap_driver.h
95dc3d
+++ b/src/ldap_driver.h
95dc3d
@@ -19,9 +19,13 @@ typedef struct ldapdb ldapdb_t;
95dc3d
 
95dc3d
 isc_result_t
95dc3d
 ldapdb_create(isc_mem_t *mctx, dns_name_t *name, dns_dbtype_t type,
95dc3d
-	      dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
95dc3d
-	      void *driverarg, dns_db_t **dbp) ATTR_NONNULL(1,2,6,8);
95dc3d
+	      dns_rdataclass_t rdclass, void *driverarg, dns_db_t **dbp)
95dc3d
+	      ATTR_NONNULL(1,2,5,6);
95dc3d
 
95dc3d
+isc_result_t
95dc3d
+ldapdb_associate(isc_mem_t *mctx, dns_name_t *name, dns_dbtype_t type,
95dc3d
+		 dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
95dc3d
+		 void *driverarg, dns_db_t **dbp) ATTR_NONNULL(1,2,7,8);
95dc3d
 dns_db_t *
95dc3d
 ldapdb_get_rbtdb(dns_db_t *db) ATTR_NONNULLS;
95dc3d
 
95dc3d
diff --git a/src/ldap_helper.c b/src/ldap_helper.c
95dc3d
index ad6e417..a11751d 100644
95dc3d
--- a/src/ldap_helper.c
95dc3d
+++ b/src/ldap_helper.c
95dc3d
@@ -4,7 +4,7 @@
95dc3d
 
95dc3d
 #include "config.h"
95dc3d
 
95dc3d
-#include <dns/dynamic_db.h>
95dc3d
+#include <dns/dyndb.h>
95dc3d
 #include <dns/diff.h>
95dc3d
 #include <dns/journal.h>
95dc3d
 #include <dns/rbt.h>
95dc3d
@@ -42,6 +42,7 @@
95dc3d
 #include <isc/string.h>
95dc3d
 
95dc3d
 #include <isccfg/cfg.h>
95dc3d
+#include <isccfg/grammar.h>
95dc3d
 
95dc3d
 #include <alloca.h>
95dc3d
 #define LDAP_DEPRECATED 1