[cifs-protocol] authority section return for unknown replies

tridge at samba.org tridge at samba.org
Mon Dec 20 17:07:22 MST 2010

Windows DNS servers return an AUTHORITY section pointing at the
authoritative DNS server when looking up a name that doesn't
exist. We'd like to know if this is important for correct operation
with Windows clients.

For example, if I lookup unknown.v2.tridgell.net:

tridge at blu:~/$ dig @ -t A unknown.v2.tridgell.net.

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 29547
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;unknown.v2.tridgell.net.       IN      A

v2.tridgell.net.        3600    IN      SOA     w2k8.v2.tridgell.net. hostmaster.v2.tridgell.net. 689 900 600 25200 3600

In the above, w2k8.v2.tridgell.net is a w2k8r2 DNS server and DC. 

A bind9 server, which we are using for DNS in Samba, doesn't do this,
and we would like to know if this will cause any problems.

We suspect this relates to how Windows clients find the DNS server to
do dynamic updates to. A windows client will first look for its own
name in the above manner, and seems to use the authority reply to
determine where to send the update. When we don't give the authority
reply, windows clients seem to fall back on a different mechanism, but
we would like to know that the alternative mechanism is reliable.

We suspect this is related to the way that Windows servers virtualise
the SOA record, so that each DC returns a SOA record pointing at
itself, even when the underlying LDAP record points at a different

Is this SOA behaviour and AUTHORITY behaviour documented in WSPP
anywhere? We couldn't find it.

Cheers, Tridge

More information about the cifs-protocol mailing list