[cifs-protocol] [REG:110122106325012] [MS-DNSP] Documentation for DNS_TYPE_ZERO (was "strange records in DNS LDAP NCs")
bburgin at microsoft.com
Tue Jan 4 15:27:48 MST 2011
Thx. I had follow-up observations:
[MS-DNSP] 126.96.36.199.5 "DNS_RPC_RECORD" Buffer has Value: DNS_TYPE_ZERO 0x0000 with the meaning DNS_RPC_RECORD_TS.
188.8.131.52.4.23 "DNS_RPC_RECORD_TS" specifies "information for a node that has been tombstoned. EntombedTime (8 bytes): The unsigned integer value for the time-stamp at which this node was tombstoned.", which is a "time stamp: An integer value representing the number of hours that have elapsed since midnight (00:00:00), January 1, 1601 UTC".
That does not seem to match the value you supplied as a sample "40 47 30 F4 9F A0 CB 01" by a longshot. However, I also see this note in MS-DNSP's Glossary: "tombstone: An inactive DNS node which is not considered to be part of a DNS zone but has not yet been deleted from the zone database in the directory server. Tombstones may be permanently deleted from the zone once they reach a certain age. Tombstones are not used for DNS zones that are not stored in the directory server. A node is a tombstone if its dnsTombstoned attribute has been set to "TRUE"." I'm hypothesizing that perhaps dnsTombstoned is FALSE in this case and that the space that would contain EntombedTime is garbage in the example you provided. Is this possible?
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Tuesday, January 04, 2011 2:15 PM
To: Bryan Burgin
Cc: 'tridge at samba.org'; 'cifs-protocol at samba.org'; MSSolve Case Email
Subject: RE: [REG:110122106325012] [MS-DNSP] Documentation for DNS_TYPE_ZERO (was "strange records in DNS LDAP NCs")
On Tue, 2011-01-04 at 17:36 +0000, Bryan Burgin wrote:
> Hi Tridge,
> Happy new year. I'm checking to see if you had any additional feedback on this or if you received the information you needed.
I think you are misunderstanding the context here. We have found these records in Active Directory, in the DNS application naming contexts:
Andrew Tridgell wrote:
> There are a few aspects of the Windows DNS NCs that are puzzling us:
> 1) we see records like this:
> dn: DC=..SerialNo-W2K8R2B.v2.tridgell.net,DC=v2.tridgell.net,CN=MicrosoftDNS,DC=DomainDnsZones,DC=v2,DC=tridgell,DC=net
> dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
> wDataLength : 0x0008 (8)
> wType : DNS_TYPE_ZERO (0)
> dwFlags : 0x00000005 (5)
> dwSerial : 0x000002b1 (689)
> dwTtlSeconds : 0x00000000 (0)
> dwTimeStamp : 0x00000000 (0)
> dwReserved : 0x00000000 (0)
> data : union dnsRecordData(case 0)
> data : DATA_BLOB length=8
>  40 47 30 F4 9F A0 CB 01 @G0.....
> what are they for? What is in that 8 bytes of data? What is the significance of the "..SerialNo-HOSTNAME" records?
> The MS-DNSP doc says:
> DNS_TYPE_ZERO An empty record type (section 3.6 in [RFC1034] and section 3.2.2 in [RFC1035]).
> which isn't very useful!
> 2) what is the dwReserved field in all the dnsNode records? The MS-DNSP doc says:
> dwReserved: This value MUST be set to 0x00000000 when sent by the client and ignored on
> receipt by the server.
> but that makes no sense. These are fields that are sent by the LDAP or
> DRS server in response to queries. The values are far too consistent
> to be random.
> Note that we are not asking about the DNS RPC protocol that MS-DNSP
> concentrates on. In our case Samba is a DC that is replicating the DNS
> NCs with Microsoft DCs. We need to know how to fill in these fields
> when we create records that will be replicated to MS DNS servers via
> Cheers, Tridge
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
More information about the cifs-protocol