Adding a Forwarding Zone (Bind 9.9.2)
Charles Tryon
charles.tryon at gmail.com
Thu Dec 6 14:27:34 MST 2012
FWIW, here is the rest of my config file (with some of the IP addresses
changed).
options {
    listen-on port 53 { localhost; 10.4.2.1; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localhost; 10.4.0.0/22; };
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
    auth-nxdomain no;
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

# Zone to resolve global.local domain
zone "global.local" IN {
    type forward;
    forwarders { 10.4.0.1; };
};

include "/usr/local/samba/private/named.conf";
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
On Thu, Dec 6, 2012 at 4:08 PM, Charles Tryon <charles.tryon at gmail.com> wrote:
> Amitay,
>
> I tried your branch (as in the git link you sent), and unfortunately,
> I'm getting almost the same error.
>
> Interesting... Using the Windows DNS tool, I can create a normal
> domain, and then change the "NS" record, but I still get an error "The
> start of authority (SOA) record cannot be updated. The record does not
> exist."
>
> <samba:etc>? /usr/local/samba/bin/samba-tool dns zoneinfo samba global.local
> pszZoneName : global.local
> dwZoneType : DNS_ZONE_TYPE_PRIMARY
> fReverse : FALSE
> fAllowUpdate : DNS_ZONE_UPDATE_SECURE
> fPaused : FALSE
> fShutdown : FALSE
> fAutoCreated : FALSE
> fUseDatabase : TRUE
> pszDataFile : None
> aipMasters : []
> fSecureSecondaries : DNS_ZONE_SECSECURE_NO_XFER
> fNotifyLevel : DNS_ZONE_NOTIFY_LIST_ONLY
> aipSecondaries : []
> aipNotify : []
> fUseWins : FALSE
> fUseNbstat : FALSE
> fAging : FALSE
> dwNoRefreshInterval : 168
> dwRefreshInterval : 168
> dwAvailForScavengeTime : 0
> aipScavengeServers : []
> dwRpcStructureVersion : 0x2
> dwForwarderTimeout : 0
> fForwarderSlave : 0
> aipLocalMasters : []
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
> DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.usa.om.org
> pwszZoneDn :
> DC=global.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=usa,DC=om,DC=org
> dwLastSuccessfulSoaCheck : 0
> dwLastSuccessfulXfr : 0
> fQueuedForBackgroundLoad : FALSE
> fBackgroundLoadInProgress : FALSE
> fReadOnlyZone : FALSE
> dwLastXfrAttempt : 0
> dwLastXfrResult : 0
>
>
> I also tried this Microsoft page for adding a forwarder:
> http://technet.microsoft.com/en-us/library/cc773370%28v=ws.10%29.aspx
>
> This also gave me the error: "The server forwarders cannot be updated.
> This function is not supported on this system."
>
> (Probably just as well, since I suspect this is a different forwarding
> function than what I'm looking for...)
>
> On Thu, Dec 6, 2012 at 12:25 AM, Amitay Isaacs <amitay at gmail.com> wrote:
>
>>
>> On Thu, Dec 6, 2012 at 9:22 AM, Amitay Isaacs <amitay at gmail.com> wrote:
>>
>>> Hi Charles,
>>>
>>> On Thu, Dec 6, 2012 at 5:51 AM, Charles Tryon <charles.tryon at gmail.com> wrote:
>>>
>>>> I am trying to set up the DNS on my Samba4 system to forward requests for a
>>>> different zone to another server. I can create the empty zone, but then
>>>> can't figure out how to create a SOA record in the zone. This is on a
>>>> fairly new CentOS base server, running the latest version (9.9.2) of Bind,
>>>> with the original tables set up using the Samba3/Samba4 migration process
>>>> (as of maybe 6 months ago, back in the Beta releases). I'm running a
>>>> recent version of Samba4 from Git Version (4.1.0pre1-GIT-2ad5620)
>>>>
>>>> The main zone for this domain is mydomain.com. I have another DNS server
>>>> (running on a different Win2008R2 AD controller) which is authoritative for
>>>> the domain "global.local". I would like to forward requests which come
>>>> into my Bind server referencing the global.local domain to get forwarded to
>>>> the other controller.
>>>>
>>>> I'm no DNS wizard so I'm not even sure I have the terminology right, but my
>>>> understanding is that the old way to do it would be to add a zone
>>>> definition (of type "forward") into the named.conf file, and then supply a
>>>> forward to IP.
>>>>
>>>
>>> Yes. That's the easiest option. You can add following entry in your
>>> named.conf.
>>>
>>> zone "global.local" IN {
>>>     type forward;
>>>     forwarders { ip.address.of.dns-server; };
>>> };
>>>
>>> This should tell BIND to forward all the queries for domain global.local
>>> to ip.address.of.dns-server.
>>>
>>>
>>>> I've looked through posts in this group, and what I've seen so far is that
>>>> you either use the "Windows Way" and use the MS RSA tools and the DNS "Add
>>>> Domain" wizard, or you do it on the command line with the samba-tool dns
>>>> commands, first creating an empty domain and then adding an "@" record or
>>>> SOA.
>>>>
>>>> The MS DNS tool, running on a Win7 client added to the domain (logged in
>>>> with a user in the DnsAdmins group) lets me get up to the point where I
>>>> create a "Secondary zone", and then add the IP address for the DNS server.
>>>> However, when I enter the IP (and it comes back with the correct FQDN), it
>>>> tells me:
>>>>
>>>> Validation Error, please try later.
>>>>
>>>> If I hit Next, it gives me the error:
>>>>
>>>> The zone cannot be created.
>>>> This function is not supported on this system.
>>>>
>>>> Does this sound like an incompatibility between the MS tools and the Bind
>>>> 9.9 tools? Or, is there something that needs to be changed on the other MS
>>>> Windows DNS controller to allow forwarded queries?
>>>>
>>>>
>>> I will have to check why this doesn't work. Maybe it's using some
>>> additional RPC call which is not implemented. When you try to add secondary
>>> zone via MS DNS tool, can you check if there is anything in the logs that
>>> would give indication of why it's not working?
>>>
>>>
>>>> Approaching from the command line (where I'm always more comfortable
>>>> anyway...), I can create the empty zone with the samba-tool dns zoneadd
>>>> command, but I have not yet found any instructions on how to change that
>>>> into a secondary zone, or point the SOA.
>>>>
>>>> Ideas? Pointers to Wikis?
>>>>
>>>
>>> This has been reported by others. The code to add SOA record is
>>> currently missing and needs to be added. Patches welcome. ;-)
>>>
>>>
>>
>> After looking at the code I found a bug in handling of SOA records. The
>> fixed code is available in my dns-wip branch if you would like to try it.
>>
>> When you create a new zone, SOA and NS entries for @ record are filled in
>> automatically. With the changes in dns-wip branch now you can update SOA
>> record using samba-tool dns command.
>>
>> Git repo: git://git.samba.org/amitay/samba.git
>> Git web:
>> https://git.samba.org/?p=amitay/samba.git;a=shortlog;h=refs/heads/dns-wip
>>
>> Amitay.
>>
>
>
>
> --
> Charles Tryon
> _________________________________________________________________________
> “Risks are not to be evaluated in terms of the probability of success,
> but in terms of the value of the goal.”
> - Ralph D. Winter
>
>
--
Charles Tryon
_________________________________________________________________________
“Risks are not to be evaluated in terms of the probability of success,
but in terms of the value of the goal.”
- Ralph D. Winter
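As an added check for the forward-zone approach discussed in this thread (example code written for this page, not from Samba, BIND or the posters): a small Python audit that parses a named.conf in the style of the one above, lists each forward zone's forwarders, and flags two things worth knowing about such a zone. First, a forwarder outside the internal networks (assumed here to be 10.4.0.0/22, the allow-query range in the config above, plus loopback), since a forward zone for an internal AD domain should point at an internal controller. Second, the absence of `forward only;`: BIND's default policy is `forward first`, which falls back to ordinary recursion when the forwarders do not answer, so queries for an internal name can leave the site. The sample config embedded below is constructed and includes a second, hypothetical zone `corp.example` to show what the audit reports.

```python
import ipaddress
import re

# Constructed sample config (not the poster's file): the zones mirror the style of
# the named.conf quoted in the thread, plus one hypothetical forward zone with a
# mix of internal and non-internal forwarders so the audit has something to flag.
SAMPLE_NAMED_CONF = """\
options {
    listen-on port 53 { localhost; 10.4.2.1; };
    allow-query { localhost; 10.4.0.0/22; };
    recursion yes;
};
zone "." IN {
    type hint;
    file "named.ca";
};
# Zone to resolve global.local domain
zone "global.local" IN {
    type forward;
    forwarders { 10.4.0.1; };
};
// constructed: a second forward zone that also names an outside resolver
zone "corp.example" IN {
    type forward;
    forward only;
    forwarders { 10.4.1.10; 192.0.2.53; };
};
"""

# Networks treated as internal (assumption for this example; the thread's
# allow-query ACL is 10.4.0.0/22, and loopback is added for localhost).
INTERNAL_NETS = [ipaddress.ip_network("10.4.0.0/22"),
                 ipaddress.ip_network("127.0.0.0/8")]


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def zone_blocks(text):
    """Yield (zone_name, body) for every zone statement, matching braces by
    depth so nested blocks such as forwarders { ... } stay inside the body."""
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{]*\{', text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]


def parse_zone(body):
    """Extract type, forward policy and forwarder addresses from a zone body."""
    ztype = re.search(r"\btype\s+(\w+)\s*;", body)
    policy = re.search(r"\bforward\s+(only|first)\s*;", body)
    fwd = re.search(r"\bforwarders\s*\{([^}]*)\}", body)
    addrs = []
    if fwd:
        for item in fwd.group(1).split(";"):
            tok = item.split()  # first token is the address; "port N" may follow
            if tok:
                try:
                    addrs.append(ipaddress.ip_address(tok[0]))
                except ValueError:
                    pass  # skip anything that is not a literal IP address
    return {"type": ztype.group(1) if ztype else None,
            "policy": policy.group(1) if policy else "first",  # BIND's default
            "forwarders": addrs}


def audit_forward_zones(conf_text, internal_nets=INTERNAL_NETS):
    """Return one finding per forward zone: {zone, policy, forwarders, issues}."""
    findings = []
    for name, body in zone_blocks(strip_comments(conf_text)):
        z = parse_zone(body)
        if z["type"] != "forward":
            continue
        issues = []
        if not z["forwarders"]:
            issues.append("no forwarders listed")
        for a in z["forwarders"]:
            if not any(a in net for net in internal_nets):
                issues.append(f"forwarder {a} is outside the internal networks")
        if z["policy"] == "first":
            issues.append("forward first (the default): if the forwarders do not "
                          "answer, named resolves the name itself, so queries for "
                          "this zone can leave the site")
        findings.append({"zone": name, "policy": z["policy"],
                         "forwarders": [str(a) for a in z["forwarders"]],
                         "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_forward_zones(SAMPLE_NAMED_CONF):
        print(f"zone {f['zone']}: forward {f['policy']} -> {', '.join(f['forwarders'])}")
        for issue in f["issues"]:
            print("  -", issue)
```

Run it against a real named.conf by reading the file into `audit_forward_zones`; zones pulled in through `include` statements are not followed, so pass each included file separately. The parser is deliberately minimal (it ignores views and does not resolve ACL names), which is enough for the flat config shown in the thread.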