Adding a Forwarding Zone (Bind 9.9.2)

Amitay Isaacs amitay at gmail.com
Thu Dec 6 15:02:04 MST 2012


On Fri, Dec 7, 2012 at 8:08 AM, Charles Tryon <charles.tryon at gmail.com> wrote:

> Amitay,
>
>   I tried your branch (as in the git link you sent), and unfortunately,
> I'm getting almost the same error.
>
>   Interesting...  Using the Windows DNS tool, I can create a normal
> domain, and then change the "NS" record, but I still get an error "The
> start of authority (SOA) record cannot be updated.  The record does not
> exist."
>

That's interesting. I will have to test with the Windows DNS tool to figure out
why it does not see the SOA record.



>   <samba:etc>? /usr/local/samba/bin/samba-tool dns zoneinfo samba
> global.local
>   pszZoneName                 : global.local
>   dwZoneType                  : DNS_ZONE_TYPE_PRIMARY
>   fReverse                    : FALSE
>   fAllowUpdate                : DNS_ZONE_UPDATE_SECURE
>   fPaused                     : FALSE
>   fShutdown                   : FALSE
>   fAutoCreated                : FALSE
>   fUseDatabase                : TRUE
>   pszDataFile                 : None
>   aipMasters                  : []
>   fSecureSecondaries          : DNS_ZONE_SECSECURE_NO_XFER
>   fNotifyLevel                : DNS_ZONE_NOTIFY_LIST_ONLY
>   aipSecondaries              : []
>   aipNotify                   : []
>   fUseWins                    : FALSE
>   fUseNbstat                  : FALSE
>   fAging                      : FALSE
>   dwNoRefreshInterval         : 168
>   dwRefreshInterval           : 168
>   dwAvailForScavengeTime      : 0
>   aipScavengeServers          : []
>   dwRpcStructureVersion       : 0x2
>   dwForwarderTimeout          : 0
>   fForwarderSlave             : 0
>   aipLocalMasters             : []
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
> DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.usa.om.org
>   pwszZoneDn                  :
> DC=global.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=usa,DC=om,DC=org
>   dwLastSuccessfulSoaCheck    : 0
>   dwLastSuccessfulXfr         : 0
>   fQueuedForBackgroundLoad    : FALSE
>   fBackgroundLoadInProgress   : FALSE
>   fReadOnlyZone               : FALSE
>   dwLastXfrAttempt            : 0
>   dwLastXfrResult             : 0
>
>
> I also tried this Microsoft page for adding a forwarder:
>     http://technet.microsoft.com/en-us/library/cc773370%28v=ws.10%29.aspx
>
> This also gave me the error: "The server forwarders cannot be updated.
>  This function is not supported on this system."
>
> (Probably just as well, since I suspect this is a different forwarding
> function than what I'm looking for...)
>
>
The DNS RPC server implementation in samba4 currently supports creation of
primary zones.  It does not allow setting up forwarders, since that
information is not stored in the AD database. We can support it in the future
if we have a consistent way to configure forwarders for the internal DNS server
and BIND DLZ.


Amitay.


>
> On Thu, Dec 6, 2012 at 12:25 AM, Amitay Isaacs <amitay at gmail.com> wrote:
>
>>
>> On Thu, Dec 6, 2012 at 9:22 AM, Amitay Isaacs <amitay at gmail.com> wrote:
>>
>>> Hi Charles,
>>>
>>> On Thu, Dec 6, 2012 at 5:51 AM, Charles Tryon <charles.tryon at gmail.com> wrote:
>>>
>>>> I am trying to set up the DNS on my Samba4 system to forward requests for a
>>>> different zone to another server.  I can create the empty zone, but then
>>>> can't figure out how to create an SOA record in the zone.  This is on a
>>>> fairly new CentOS base server, running the latest version (9.9.2) of Bind,
>>>> with the original tables set up using the Samba3/Samba4 migration process
>>>> (as of maybe 6 months ago, back in the Beta releases).  I'm running a
>>>> recent version of Samba4 from Git Version (4.1.0pre1-GIT-2ad5620)
>>>>
>>>> The main zone for this domain is mydomain.com.  I have another DNS server
>>>> (running on a different Win2008R2 AD controller) which is authoritative for
>>>> the domain "global.local".  I would like requests which come into my Bind
>>>> server referencing the global.local domain to get forwarded to the other
>>>> controller.
>>>>
>>>> I'm no DNS wizard so I'm not even sure I have the terminology right, but my
>>>> understanding is that the old way to do it would be to add a zone
>>>> definition (of type "forward") into the named.conf file, and then supply a
>>>> forward-to IP.
>>>>
>>>
>>> Yes. That's the easiest option. You can add the following entry to your
>>> named.conf.
>>>
>>> zone "global.local" IN {
>>>     type forward;      // the zone type is a keyword, not a quoted string
>>>     // default is "forward first": named falls back to resolving the name
>>>     // itself if the forwarder fails; add "forward only;" to avoid that
>>>     forwarders { ip.address.of.dns-server; };
>>> };
>>>
>>> This should tell BIND to forward all the queries for domain global.local
>>> to ip.address.of.dns-server.
>>>
>>>
>>>> I've looked through posts in this group, and what I've seen so far is that
>>>> you either use the "Windows Way" and use the MS RSAT tools and the DNS "Add
>>>> Domain" wizard, or you do it on the command line with the samba-tool dns
>>>> commands, first creating an empty domain and then adding an "@" record or
>>>> SOA.
>>>>
>>>> The MS DNS tool, running on a Win7 client added to the domain (logged in
>>>> with a user in the DnsAdmins group) lets me get up to the point where I
>>>> create a "Secondary zone", and then add the IP address for the DNS server.
>>>> However, when I enter the IP (and it comes back with the correct FQDN), it
>>>> tells me:
>>>>
>>>>       Validation Error, please try later.
>>>>
>>>> If I hit Next, it gives me the error:
>>>>
>>>>       The zone cannot be created.
>>>>       This function is not supported on this system.
>>>>
>>>> Does this sound like an incompatibility between the MS tools and the Bind
>>>> 9.9 tools?  Or, is there something that needs to be changed on the other MS
>>>> Windows DNS controller to allow forwarded queries?
>>>>
>>>>
>>> I will have to check why this doesn't work. Maybe it's using some
>>> additional RPC call which is not implemented. When you try to add a
>>> secondary zone via the MS DNS tool, can you check if there is anything in
>>> the logs that would give an indication of why it's not working?
>>>
>>>
>>>> Approaching from the command line (where I'm always more comfortable
>>>> anyway...), I can create the empty zone with the samba-tool dns zoneadd
>>>> command, but I have not yet found any instructions on how to change that
>>>> into a secondary zone, or point the SOA.
>>>>
>>>> Ideas?  Pointers to Wikis?
>>>>
>>>
>>> This has been reported by others. The code to add SOA record is
>>> currently missing and needs to be added. Patches welcome. ;-)
>>>
>>>
>>
>> After looking at the code I found a bug in handling of SOA records. The
>> fixed code is available in my dns-wip branch if you would like to try it.
>>
>> When you create a new zone, SOA and NS entries for @ record are filled in
>> automatically.  With the changes in dns-wip branch now you can update SOA
>> record using samba-tool dns command.
>>
>> Git repo: git://git.samba.org/amitay/samba.git
>> Git web:
>> https://git.samba.org/?p=amitay/samba.git;a=shortlog;h=refs/heads/dns-wip
>>
>> Amitay.
>>
>
>
>
> --
>     Charles Tryon
> _________________________________________________________________________
>   “Risks are not to be evaluated in terms of the probability of success,
> but in terms of the value of the goal.”
>                 - Ralph D. Winter
>
>

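The named.conf route Amitay suggests above is the only one that works today, since forwarders are not stored in AD. Below is an added example (not code from this thread, from Samba or from BIND) of doing that edit the way an admin should on a DC: validate the zone name and forwarder addresses so nothing can inject extra named.conf statements, refuse to add a zone that is already defined (a forward zone named like an AD zone would shadow the one served through the Samba DLZ), syntax-check a copy with named-checkconf before swapping it in, and use "forward only" so a dead forwarder fails closed instead of sending queries for a private zone to the root servers. The NAMED_CONF path, the function names and the 192.0.2.x addresses are assumptions/constructed inputs, not anything from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread, Samba or BIND: install a BIND
# forward zone for a domain that another DC serves, with the checks an
# admin wants before touching the AD DNS server's config. Assumed and
# hypothetical: NAMED_CONF is the file holding (or included by) your zone
# statements; 192.0.2.x addresses in comments/tests are constructed.
NAMED_CONF="${NAMED_CONF:-/etc/named.conf}"

# Zone name: labels of letters, digits and hyphens, no leading/trailing
# hyphen, at most 63 characters each, optional trailing dot, 253 total.
# Rejecting anything else also keeps quotes, braces and semicolons out of
# the generated stanza, so a zone name taken from a ticket or a script
# argument cannot inject further named.conf statements.
valid_zone_name() {
    [ "${#1}" -le 253 ] && printf '%s' "$1" | grep -Eq \
        '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.?$'
}

# Dotted-quad IPv4 with every octet in 0-255.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq \
        '^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])$'
}

# Render the stanza. "forward only" is deliberate: the default "forward
# first" makes named resolve the name itself when the forwarder fails, so
# a query for a private zone such as global.local would go out to the root
# servers instead of failing closed.
forward_zone_stanza() {
    zone=$1
    shift
    printf 'zone "%s" IN {\n    type forward;\n    forward only;\n    forwarders {' "$zone"
    for ip in "$@"; do
        printf ' %s;' "$ip"
    done
    printf ' };\n};\n'
}

# True if the config already has a zone statement for this name, whatever
# its type: a forward zone with the same name as an AD zone served through
# the Samba DLZ would shadow it, and duplicates make named-checkconf fail.
zone_defined_in() {
    esc=$(printf '%s' "$1" | sed 's/[.]/\\./g')
    grep -Eiq "^[[:space:]]*zone[[:space:]]+\"${esc}\.?\"" "$2"
}

# add_forward_zone ZONE IP [IP...]: validate, append to a copy, syntax-check
# the copy with named-checkconf when it is installed, then swap it in, so a
# typo never leaves the AD DNS server with an unloadable config.
add_forward_zone() {
    zone=$1
    shift
    valid_zone_name "$zone" || { echo "bad zone name: $zone" >&2; return 2; }
    [ "$#" -ge 1 ] || { echo "no forwarder address given" >&2; return 2; }
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad forwarder address: $ip" >&2; return 2; }
    done
    if zone_defined_in "$zone" "$NAMED_CONF"; then
        echo "zone $zone is already defined in $NAMED_CONF, not touching it" >&2
        return 1
    fi
    tmp="$NAMED_CONF.new.$$"
    cp -p "$NAMED_CONF" "$tmp" || return 3
    forward_zone_stanza "$zone" "$@" >> "$tmp"
    if command -v named-checkconf >/dev/null 2>&1 && ! named-checkconf "$tmp"; then
        rm -f "$tmp"
        return 3
    fi
    mv "$tmp" "$NAMED_CONF"
}

# After "rndc reconfig", confirm the local named now answers the zone's SOA
# (forwarded from the other DC) instead of NXDOMAIN or SERVFAIL.
check_forward_zone() {
    dig +short +time=3 "@${2:-127.0.0.1}" "$1" SOA | grep -q .
}

# Usage: sh add_forward_zone.sh global.local 192.0.2.10 && rndc reconfig
if [ "$#" -gt 0 ]; then
    add_forward_zone "$@"
fi
```

Run it as root on the DC with the zone and the other controller's address, then `rndc reconfig` (which loads new zones without reloading the DLZ-backed ones) and `check_forward_zone global.local` to confirm the SOA now comes back through the forwarder. If your distribution splits named.conf into includes, point NAMED_CONF at the file that already holds zone statements so named-checkconf sees the whole picture.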

More information about the samba-technical mailing list