[Samba] Inconsistent SOA records from different Samba AD-DC DNS servers

Norbert Hanke norbert.hanke at gmx.ch
Sun Mar 31 15:09:34 UTC 2024


Hi all,

I am experiencing strange behaviour regarding DNS resolution with my
samba-driven AD.

This is with Debian-packaged samba on Raspberry Pi:
# samba -V
Version 4.19.5-Debian
# uname -a
Linux dc3.ad.mydomain.tld 6.1.0-rpi8-rpi-v8 #1 SMP PREEMPT Debian
1:6.1.73-1+rpt1 (2024-01-25) aarch64 GNU/Linux

I would expect that every DNS server of the domain would respond with
the same SOA record. But with Samba AD-DC integrated Bind9 it does not.
Each DNS server responds with its own node being the SOA:

# host -t SOA ad.mydomain.tld dc1
Using domain server:
Name: dc1
Address: 10.88.1.8#53
Aliases:

ad.mydomain.tld has SOA record dc1.ad.mydomain.tld.
hostmaster.ad.mydomain.tld. 49776 900 600 86400 3600

# host -t SOA ad.mydomain.tld dc2
Using domain server:
Name: dc2
Address: 10.88.1.9#53
Aliases:

ad.mydomain.tld has SOA record dc2.ad.mydomain.tld.
hostmaster.ad.mydomain.tld. 49776 900 600 86400 3600

# host -t SOA ad.mydomain.tld dc3
Using domain server:
Name: dc3
Address: 10.88.1.10#53
Aliases:

ad.mydomain.tld has SOA record dc3.ad.mydomain.tld.
hostmaster.ad.mydomain.tld. 49776 900 600 86400 3600


When querying each DC with samba-tool I always get the same
response, pointing to the DC that has all fsmo roles, which I expect:

# samba-tool dns query dc3 ad.mydomain.tld ad.mydomain.tld SOA|grep SOA
     SOA: serial=49776, refresh=900, retry=600, expire=86400,
minttl=3600, ns=dc1.ad.mydomain.tld., email=hostmaster.ad.mydomain.tld.
(flags=600000f0, serial=49775, ttl=3600)
# samba-tool dns query dc1 ad.mydomain.tld ad.mydomain.tld SOA|grep SOA
     SOA: serial=49776, refresh=900, retry=600, expire=86400,
minttl=3600, ns=dc1.ad.mydomain.tld., email=hostmaster.ad.mydomain.tld.
(flags=600000f0, serial=49775, ttl=3600)
# samba-tool dns query dc2 ad.mydomain.tld ad.mydomain.tld SOA|grep SOA
     SOA: serial=49776, refresh=900, retry=600, expire=86400,
minttl=3600, ns=dc1.ad.mydomain.tld., email=hostmaster.ad.mydomain.tld.
(flags=600000f0, serial=49775, ttl=3600)

I also notice that the serial number between DNS and samba-tool
responses is one off: 49776 vs 49775 .

Is something broken with Bind9-DLZ?

regards, Norbert
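As an added example (not part of Norbert's post or of Samba), here is a POSIX shell script that queries each DC's DNS server with `host -t SOA`, parses the MNAME and serial out of the answer in the same format quoted above, and reports whether the serials agree across DCs and whether the MNAME is uniform or per-server. The zone and DC names are placeholders taken from the post. With no argument the script runs against a constructed copy of the quoted answers, so it can be exercised offline; `--live` runs the real queries and assumes `host` (bind9-host / bind-utils) is installed.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Samba project.
# Compare the SOA answer each DC's DNS server returns for the AD zone.

ZONE="ad.mydomain.tld"      # placeholder zone from the post
DCS="dc1 dc2 dc3"           # placeholder DC names from the post

# parse_soa: read `host -t SOA` output on stdin and print "<mname> <serial>".
# host may wrap the answer onto two lines, so the output is first collapsed
# into one line and then scanned for the "... has SOA record ..." tokens.
# Exits 1 if no SOA answer is present (e.g. SERVFAIL or wrong server).
parse_soa() {
    tr '\n' ' ' | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "SOA" && $(i+1) == "record") {
                # $(i+2)=MNAME  $(i+3)=RNAME  $(i+4)=serial
                print $(i+2), $(i+4)
                exit
            }
        }
        exit 1
    }'
}

# sample_host_output <dc>: constructed stand-in for `host -t SOA $ZONE <dc>`,
# shaped like the answers quoted in the post (each DC names itself as MNAME).
sample_host_output() {
    cat <<EOF
Using domain server:
Name: $1
Address: 10.88.1.8#53
Aliases:

$ZONE has SOA record $1.$ZONE.
hostmaster.$ZONE. 49776 900 600 86400 3600
EOF
}

# live_host_output <dc>: the real query against that DC's DNS server.
live_host_output() { host -t SOA "$ZONE" "$1"; }

# collect_soa <query-fn>: run <query-fn> for every DC and emit one line
# "<dc> <mname> <serial>" per DC; a DC whose answer cannot be parsed is
# reported as "<dc> query-failed -" so it still shows up in the report.
collect_soa() {
    for dc in $DCS; do
        if soa=$("$1" "$dc" | parse_soa); then
            echo "$dc $soa"
        else
            echo "$dc query-failed -"
        fi
    done
}

# check_consistency: stdin lines "<dc> <mname> <serial>". Prints one line per
# DC, then "serials: consistent|MISMATCH" and "mname: uniform|per-server".
# Exits 1 only on a serial mismatch, so it can drive a monitoring check.
check_consistency() {
    awk '
    { dc[NR] = $1; mn[NR] = $2; ser[NR] = $3; serials[$3]++; mnames[$2]++ }
    END {
        ns = 0; for (s in serials) ns++
        nm = 0; for (m in mnames) nm++
        for (i = 1; i <= NR; i++)
            printf "%s MNAME=%s serial=%s\n", dc[i], mn[i], ser[i]
        printf "serials: %s\n", (ns <= 1 ? "consistent" : "MISMATCH")
        printf "mname: %s\n", (nm <= 1 ? "uniform" : "per-server")
        exit (ns <= 1 ? 0 : 1)
    }'
}

# Entry point: no argument runs the constructed sample; "--live" queries the DCs.
case "${1:-}" in
    --live) collect_soa live_host_output  | check_consistency ;;
    *)      collect_soa sample_host_output | check_consistency ;;
esac
```

The report keeps MNAME and serial apart on purpose: a per-server MNAME can be reviewed on its own, while a serial mismatch, the condition that would mean the DCs are serving different versions of the zone, is what makes the script exit non-zero, so it is the value to alert on when the script runs from cron or a monitoring agent.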
