How do I migrate the DNS zone of a Bind9 server to a FreeIPA server for the same domain? [zone to LDIF]
I've run into a tricky problem: the company network has a Bind9 DNS server, but no real domain environment was ever set up. After installing a FreeIPA server I configured a domain with the same name as the DNS zone in Bind9, and now I want to migrate the existing DNS zone so that FreeIPA becomes the master and the old Bind9 becomes a slave, but I'm stuck at converting the Bind zone file into LDIF for import into FreeIPA.
I've found some scripts online, but they are either too old to work, or the pdns_zone2ldap tool errors out as soon as I run it. I've been at this for days and feel like I must be missing some simple approach. Could someone who has been through this point me in the right direction?
Additional error details
The error when running the conversion with pdns_zone2ldap:

pdns_zone2ldap --named-conf=/etc/named.conf --zone-file=company.net.zone --zone-name=company.net --verbose=yes
Fatal error: Error in bind configuration '/etc/named.conf' on line 37: syntax error

The corresponding /etc/named.conf:

/* WARNING: This config file is managed by IPA.
 *
 * DO NOT MODIFY! Any modification will be overwritten by upgrades.
 *
 *
 *  - /etc/named/ipa-options-ext.conf (for options)
 *  - /etc/named/ipa-logging-ext.conf (for logging options)
 *  - /etc/named/ipa-ext.conf (all other settings)
 */
options {
        // Put files that named is allowed to write in the data/ directory:
        directory "/var/named"; // the default
        dump-file "data/cache_dump.db";
        statistics-file "data/named_stats.txt";
        memstatistics-file "data/named_mem_stats.txt";
        tkey-gssapi-keytab "/etc/named.keytab";
        pid-file "/run/named/named.pid";
        managed-keys-directory "/var/named/dynamic";

        /* user customizations of options */
        include "/etc/named/ipa-options-ext.conf";

        /* crypto policy snippet on platforms with system-wide policy. */
        include "/etc/crypto-policies/back-ends/bind.config";
};

/* If you want to enable debugging, eg. using the 'rndc trace' command,
 * By default, SELinux policy does not allow named to modify the /var/named directory,
 * so put the default debug log file in data/ :
 */
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
                print-time yes;
        };
        include "/etc/named/ipa-logging-ext.conf";
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

/* user customization */
include "/etc/named/ipa-ext.conf";

dyndb "ipa" "/usr/lib64/bind/ldap.so" {
        uri "ldapi://%2fvar%2frun%2fslapd-company-NET.socket";
        base "cn=dns,dc=company,dc=net";
        server_id "servername.company.net";
        auth_method "sasl";
        sasl_mech "EXTERNAL";
        krb5_keytab "FILE:/etc/named.keytab";
};
A workable approach
First, get past the pdns_zone2ldap syntax error
Line 37, which the error points at, is the dyndb block: that is the extension-module configuration FreeIPA adds to Bind, and a third-party tool like pdns_zone2ldap almost certainly does not understand that syntax. Make a temporary copy of named.conf, delete the whole dyndb section from the copy, and rerun the conversion against the modified file.
Better: use FreeIPA's own import tool (most recommended)
FreeIPA actually ships a dedicated DNS zone import command, ipa dnszone-import, so there is no need to convert to LDIF by hand at all, and compatibility with the official tool is as good as it gets. Usage is simple:

# dry run first; nothing is actually changed
ipa dnszone-import company.net --file=company.net.zone --dry-run
# once the dry run looks fine, do the real import
ipa dnszone-import company.net --file=company.net.zone

The command takes standard Bind-format zone files directly; A, SRV and TXT records are all recognised and imported correctly.
Finishing up: master/slave configuration after the import
Once the import has succeeded, go to the zone's settings in FreeIPA's DNS and add the Bind9 server's IP to the list of servers allowed to transfer the zone; then, in the Bind9 configuration, change the original company.net zone to type slave, pointing at the FreeIPA server's IP as the master. Example configuration:

zone "company.net" IN {
        type slave;
        file "slaves/company.net.zone";
        masters { <FreeIPA server IP>; };
};
Note: content sourced from Stack Exchange; question by Alexander Wryn.
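As an added example (not code from the original post, the answer, or FreeIPA itself), the script below does the two things the answer describes without depending on a third-party converter: it strips the dyndb block from a copy of named.conf, and it turns a Bind zone file into one `ipa dnsrecord-add` command per record, which you can review and then run on the FreeIPA server after `kinit admin`. The function names (`parse_zone`, `ipa_commands`, `strip_dyndb`), the SAMPLE_ZONE and SAMPLE_NAMED_CONF data and the 10.0.0.x addresses are constructed for the example; the `--a-rec`, `--srv-rec`, `--txt-rec`, `--ttl` and similar options are FreeIPA's standard `dnsrecord-add` options. It assumes a classic zone file without `$INCLUDE`/`$GENERATE` directives and with no parentheses inside TXT data.

```python
"""Convert a classic BIND zone file into `ipa dnsrecord-add` commands and strip
FreeIPA's dyndb block from a copy of named.conf. Added example for this thread,
not code from the original post; the SAMPLE_* data is constructed. Assumes no
$INCLUDE/$GENERATE directives and no parentheses inside TXT data."""
import re
import shlex
from collections import namedtuple

IPA_OPTION = {t: f"--{t.lower()}-rec" for t in "A AAAA CNAME MX NS PTR SRV TXT".split()}
_TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|\S+')    # whitespace split, quoted strings kept whole
_COMMENT = re.compile(r'"(?:[^"\\]|\\.)*"|;.*')  # a ';' inside quotes is data, not a comment
Record = namedtuple("Record", "owner ttl rtype rdata")  # owner zone-relative, '@' = apex

SAMPLE_ZONE = """\
$ORIGIN company.net.
$TTL 3600
@       IN SOA ns1.company.net. hostmaster.company.net. (
                2024010101 ; serial
                3600 900 1209600 300 )
        IN NS   ns1.company.net.
        IN MX   10 mail.company.net.
        IN TXT  "v=spf1 mx -all"
mail    300 IN A 10.0.0.25
_ldap._tcp IN SRV 0 100 389 ipa.company.net.
ipa.company.net. IN A 10.0.0.10
"""
SAMPLE_NAMED_CONF = """\
include "/etc/named.rfc1912.zones";
dyndb "ipa" "/usr/lib64/bind/ldap.so" {
        uri "ldapi://%2fvar%2frun%2fslapd-company-NET.socket";
};
"""

def _logical_lines(text):
    """Strip comments and join '( ... )' continuations (the SOA) onto one line."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = _COMMENT.sub(lambda m: m[0] if m[0][0] == '"' else "", raw)
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            joined, buf = " ".join(buf).replace("(", " ").replace(")", " "), []
            if joined.strip():
                yield joined

def _relative(name, origin):
    if not name.endswith("."):
        return name.lower()
    fqdn = name.rstrip(".").lower()
    if fqdn != origin and not fqdn.endswith("." + origin):
        raise ValueError(f"{name} is outside zone {origin}")
    return "@" if fqdn == origin else fqdn[: -len(origin) - 1]

def parse_zone(text, origin):
    """Return [Record] for the zone; a TTL, if given, precedes the class."""
    records, owner, default_ttl = [], "@", None
    for line in _logical_lines(text):
        tokens = _TOKEN.findall(line)
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].rstrip(".").lower()
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if not line[0].isspace():         # blank owner = same owner as previous record
            owner = tokens.pop(0)
        ttl = int(tokens.pop(0)) if tokens[0].isdigit() else default_ttl
        if tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype, rdata, rel = tokens[0].upper(), " ".join(tokens[1:]), _relative(owner, origin)
        if rtype == "SOA" or (rtype == "NS" and rel == "@"):
            continue                      # FreeIPA creates SOA and apex NS itself
        if rtype not in IPA_OPTION:
            raise ValueError(f"{rtype} records must be added by hand")
        records.append(Record(rel, ttl, rtype, rdata))
    return records

def ipa_commands(zone, records):
    """One shell-safe `ipa dnsrecord-add` line per record."""
    cmds = []
    for r in records:
        value = r.rdata if r.rtype != "TXT" else " ".join(   # FreeIPA takes TXT data unquoted
            t.strip('"') for t in _TOKEN.findall(r.rdata))
        argv = ["ipa", "dnsrecord-add", zone, r.owner, f"{IPA_OPTION[r.rtype]}={value}"]
        if r.ttl is not None:
            argv.append(f"--ttl={r.ttl}")
        cmds.append(" ".join(map(shlex.quote, argv)))
    return cmds

def strip_dyndb(conf):
    """Drop every `dyndb "..." "..." { ... };` block (the bind-dyndb-ldap hook)."""
    while (m := re.search(r"^[ \t]*dyndb\b", conf, re.M)):
        i, depth = conf.index("{", m.start()), 1
        while depth:                      # walk to the matching closing brace
            i += 1
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
        i += re.match(r"\};?[ \t]*\n?", conf[i:]).end()
        conf = conf[:m.start()] + conf[i:]
    return conf
```

`parse_zone(open("company.net.zone").read(), "company.net")` followed by `ipa_commands("company.net", ...)` gives you a reviewable list of commands; the SOA and the apex NS records are deliberately left out because FreeIPA generates both when the zone is created with `ipa dnszone-add`, and any other NS, CNAME or SRV targets are passed through exactly as written in the zone file. On the FreeIPA side, the transfer permission the answer refers to is `ipa dnszone-mod company.net --allow-transfer="<Bind9 IP>;"` (the value uses BIND ACL syntax, so the list ends with a semicolon); the slave's zone will stay empty until that is set.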




