[Samba] Inconsistent SOA records from different Samba AD-DC DNS servers

Rowland Penny rpenny at samba.org
Sun Mar 31 16:02:24 UTC 2024


On Sun, 31 Mar 2024 17:09:34 +0200
Norbert Hanke via samba <samba at lists.samba.org> wrote:

> Hi all,
> 
> I am experiencing strange behaviour regarding DNS resolution with my
> samba-driven AD.
> 
> This is with Debian-packaged samba on raspberry Pi:
> # samba -V
> Version 4.19.5-Debian
> # uname -a
> Linux dc3.ad.mydomain.tld 6.1.0-rpi8-rpi-v8 #1 SMP PREEMPT Debian
> 1:6.1.73-1+rpt1 (2024-01-25) aarch64 GNU/Linux
> 
> I would expect that every DNS server of the domain would respond with
> the same SOA record. But with Samba AD-DC integrated Bind9 it does
> not. Each DNS server responds with its own node being the SOA:
> 
> # host -t SOA ad.mydomain.tld dc1
> Using domain server:
> Name: dc1
> Address: 10.88.1.8#53
> Aliases:
> 
> ad.mydomain.tld has SOA record dc1.ad.mydomain.tld.
> hostmaster.ad.mydomain.tld. 49776 900 600 86400 3600
> 
> # host -t SOA ad.mydomain.tld dc2
> Using domain server:
> Name: dc2
> Address: 10.88.1.9#53
> Aliases:
> 
> ad.mydomain.tld has SOA record dc2.ad.mydomain.tld.
> hostmaster.ad.mydomain.tld. 49776 900 600 86400 3600
> 
> # host -t SOA ad.mydomain.tld dc3
> Using domain server:
> Name: dc3
> Address: 10.88.1.10#53
> Aliases:
> 
> ad.mydomain.tld has SOA record dc3.ad.mydomain.tld.
> hostmaster.ad.mydomain.tld. 49776 900 600 86400 3600
> 
> 
> When querying each DC with samba-tool I always get the same
> response, pointing to the DC that has all fsmo roles, which I expect:
> 
> # samba-tool dns query dc3 ad.mydomain.tld ad.mydomain.tld SOA|grep SOA
> SOA: serial=49776, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc1.ad.mydomain.tld., email=hostmaster.ad.mydomain.tld. (flags=600000f0, serial=49775, ttl=3600)
> # samba-tool dns query dc1 ad.mydomain.tld ad.mydomain.tld SOA|grep SOA
> SOA: serial=49776, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc1.ad.mydomain.tld., email=hostmaster.ad.mydomain.tld. (flags=600000f0, serial=49775, ttl=3600)
> # samba-tool dns query dc2 ad.mydomain.tld ad.mydomain.tld SOA|grep SOA
> SOA: serial=49776, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc1.ad.mydomain.tld., email=hostmaster.ad.mydomain.tld. (flags=600000f0, serial=49775, ttl=3600)
> 
> I also notice that the serial number between DNS and samba-tool
> responses is one off: 49776 vs 49775 .
> 
> Is something broken with Bind9-DLZ?

Simple answer, no.

Full answer, Active Directory uses what is known as multi-master when
it comes to DNS. The DNS records are stored in AD and each DC is
authoritative for the DNS domain and, as such, they are all SOAs (Start
Of Authority), so no, nothing is broken.

Rowland
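An added example, not code from this thread or from the Samba project, that turns the explanation above into a check a practitioner can run against the output Norbert posted: in AD multi-master DNS every DC is expected to name itself as the SOA MNAME, so the script treats a differing MNAME per DC as normal (and flags only an MNAME that is not the answering DC), while every other SOA field, above all the serial, must agree across DCs, because serial drift is what would actually indicate a replication problem. It assumes each DC was queried with `host -t SOA <zone> <dc>` and parses only the answer line; the mapping of DC name to answer line is constructed here from the lines in the thread, and the drifted variant is invented to show a detection.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches the answer line printed by `host -t SOA <zone> <server>`, e.g.
# "ad.mydomain.tld has SOA record dc1.ad.mydomain.tld. hostmaster.ad.mydomain.tld. 49776 900 600 86400 3600"
SOA_RE = re.compile(
    r"^(?P<zone>\S+) has SOA record (?P<mname>\S+) (?P<rname>\S+) "
    r"(?P<serial>\d+) (?P<refresh>\d+) (?P<retry>\d+) (?P<expire>\d+) (?P<minimum>\d+)$"
)


@dataclass(frozen=True)
class Soa:
    zone: str
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_host_soa(line: str) -> Soa:
    """Parse one `host -t SOA` answer line into its RFC 1035 SOA fields."""
    m = SOA_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a host SOA answer line: {line!r}")
    d = m.groupdict()
    ints = (int(d[k]) for k in ("serial", "refresh", "retry", "expire", "minimum"))
    return Soa(d["zone"], d["mname"], d["rname"], *ints)


def check_ad_soa(answers: dict[str, str]) -> list[str]:
    """answers maps the queried DC's FQDN to the SOA answer line it returned.

    Returns a list of findings; an empty list means the DCs are in the
    consistent state Rowland describes (each DC is its own MNAME, all
    other fields identical)."""
    findings: list[str] = []
    parsed = {dc: parse_host_soa(line) for dc, line in answers.items()}

    # Expected AD behaviour: each DC answers with itself as MNAME.
    # Anything else is worth a look, so it is reported.
    for dc, soa in parsed.items():
        if soa.mname.rstrip(".") != dc.rstrip("."):
            findings.append(f"{dc}: MNAME {soa.mname} is not the answering DC")

    # Everything except MNAME must agree across DCs; a differing serial
    # means at least one DC has not replicated the latest zone change.
    for field in ("zone", "rname", "serial", "refresh", "retry", "expire", "minimum"):
        values = {getattr(s, field) for s in parsed.values()}
        if len(values) > 1:
            detail = ", ".join(f"{dc}={getattr(s, field)}" for dc, s in sorted(parsed.items()))
            findings.append(f"{field} differs across DCs: {detail}")
    return findings


# Constructed mapping of DC -> answer line, copied from the output in the thread.
SAMPLE_OK = {
    "dc1.ad.mydomain.tld": "ad.mydomain.tld has SOA record dc1.ad.mydomain.tld. hostmaster.ad.mydomain.tld. 49776 900 600 86400 3600",
    "dc2.ad.mydomain.tld": "ad.mydomain.tld has SOA record dc2.ad.mydomain.tld. hostmaster.ad.mydomain.tld. 49776 900 600 86400 3600",
    "dc3.ad.mydomain.tld": "ad.mydomain.tld has SOA record dc3.ad.mydomain.tld. hostmaster.ad.mydomain.tld. 49776 900 600 86400 3600",
}

# Constructed variant (not from the thread): dc3 one serial behind, the case that deserves attention.
SAMPLE_DRIFT = dict(SAMPLE_OK)
SAMPLE_DRIFT["dc3.ad.mydomain.tld"] = (
    "ad.mydomain.tld has SOA record dc3.ad.mydomain.tld. hostmaster.ad.mydomain.tld. 49775 900 600 86400 3600"
)

if __name__ == "__main__":
    for label, sample in (("thread output", SAMPLE_OK), ("constructed drift", SAMPLE_DRIFT)):
        findings = check_ad_soa(sample)
        print(f"{label}: {'consistent' if not findings else 'FINDINGS'}")
        for f in findings:
            print("  -", f)
```

Run against the three answers from the thread the check reports nothing, because the only difference is the per-DC MNAME; with the constructed drift it reports `serial differs across DCs`, which is the signal to look at replication rather than at BIND9-DLZ.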