Review request: DNS server implementation

Matthieu Patou mat at
Tue Oct 12 08:05:02 MDT 2010

On 12/10/2010 17:00, Kai Blin wrote:What is wrong in building a BIND 
plugin and reducing the amount of work
>> to maintain to the minimum necessary for us ?
Well you have to see who is able to maintain the code for this, I had a 
look once a bind to try to fix the wildcard weirdness (see bellow). I 
can clearly affirm that I don't feel comfortable at all to maintain this 
code, from my point of view in the team there is just a couple of 
persons who are able to, I might be wrong.

So if we are relying on already overloaded team member to track bugs and 
update patches, I'm not too confident.

It was interesting at SDC and IO lab to see that tridge had to make more 
patches to bind to make s4 works correctly with different DDNS client 
implementation and with latest specificity of MS implementation when it 
cames of DC to DC dialogs.
I'm pretty sure that when we will start the multi forest work we will 
find a couple of new funny stuff ...

> Ah. I've got a list here.
> 1) Current BIND as shipped by distributions out there don't support
> Kerberos-signed updates the way Windows AD wants it.
> 2) In order to get a version of BIND that suppports the AD features, you
> need to grab BIND from ISC and compile it yourself. Last time I wanted
> to do this (shortly before SDC), they noticed they had some bug in the
> release candidate I needed and pulled the source.
> 3) You need to pay money to get access to the ISC CVS repository, so no
> chances of getting the source there.
> 4) Tridge sent patches to the ISC and didn't receive feedback on their
> status, which meant I spent some fun time playing "where's the patch"
> with the b2 tarball that tridge got from the ISC after mailing them and
> waiting for a couple of weeks.
> 5) Even if you have the right combination of BIND sources and tridge's
> add-on patches, correctly setting this up is pretty painful. I
> personally managed to get this to work once this year, at SambaXP with
> tridge holding my hand for half an hour.
> 6) On the SDC plugfest and on the following AD interop plugfest, none of
> the team members who wanted to set up an AD managed to get this to work
> without tridge helping out. Doesn't look like a model that scales well.
> 7) Debugging BIND/GSSAPI issues is pretty painful unless you have an
> intimate knowledge of Kerberos and BIND.
> 8) The configuration required is different for every distribution. The
> suggestions samba4 provisioning prints out doesn't work on Ubuntu, or
> openSUSE.
> 9) We have no way of figuring out that some BIND update broke this
> pretty fragile setup before it hits our users, as there's no easy way to
> get BIND tested in make test.
> 10) Adding a BIND ldb plugin is possible, but so far there's no way a
> backend plugin can make decisions about who's allowed to do updates to
> what records from the way I understand the code. We could possibly add
> that, but that requires us to play "find the patch" again once we start
> getting this upstream. Also, I can't help to notice that the bind-ldap
> plug-in isn't maintained upstream but out-of-tree.
Just to add a couple of example, due to "broken" wildcard model of bind 
when setuping reverse zone, you need to add this kind of acl:

grant *.TLD wildcard * PTR;

Because for bind a wildcard "*" must be followed by a "." to be valid 
(so *@mydomain.tld don't work), also note that it give the opportunity 
for anyone to set it's reverse ip. Given the fact that it seems that 
some clients are using reverse zone record for canonicalisation within 
kerberos, I'm sure that this kind of failure allow you some neat trick, 
if we can avoid them it could be good ...

Also we have no way to set fined grained ACL, for instance w2k8 server 
and upper wants to record a SRV entry for volume key location, with the 
current bind implementation you can just say: this user can set this 
kind of record or not. So if you allow SRV record for ms-self then 
basically you can set pretty any kind of SRV record such as 
_ldap._tcp.dc._msdcs.mydomain.tld, just lovely !


Matthieu Patou
Samba Team

More information about the samba-technical mailing list