How to get DNS replication working properly?

Sun Jun 24 05:55:28 MDT 2012

On 24/06/2012 12:24, simo wrote:
> On Sun, 2012-06-24 at 12:19 +0100, Mike Howard wrote:
>> On 24/06/2012 12:05, Morten Kramer wrote:
>>> On 06/24/2012 01:01 PM, Andrew Bartlett wrote:
>>>> On Sun, 2012-06-24 at 10:33 +0100, Mike Howard wrote:
>>>>> On 24/06/2012 08:35, Andrew Bartlett wrote:
>>>>>> On Fri, 2012-06-22 at 17:32 +0200, Morten Kramer wrote:
>>>>>>> Hi all,
>>>>>>>
>>>>>>>
>>>>>>> I've been trying to get DNS replication to work for a few days now.
>>>>>>>
>>>>>>>
>>>>>>> What I've done:
>>>>>>> - Compile Samba (Beta1/Beta2/recent git pull) under Centos 6.2 x64
>>>>>>> Any help will be greatly appreciated!
>>>>>> Could you both please try
>>>>>>
>>>>>> git://git.samba.org/abartlet/samba.git fix-dns-replication
>>>>>>
>>>>>> If you start with that, for a new join, it should do the
>>>>>> replication of
>>>>>> the DNS partitions.  Otherwise, follow the steps you took.
>>>>>>
>>>>>> Please let me know if this works, so I can get this in to master to
>>>>>> assist others.
>>>>>>
>>>>>> Andrew Bartlett
>>>>>>
>>>>> I tried the two patches you posted the other day and using the internal
>>>>> dns server got replication to work.
>>>>>
>>>>> There was a minor issue of the secondary dc's details were not added to
>>>>> the primary's dns at all. Easily added manually though. The SOA doesn't
>>>>> include the secondary ns info
>>>>>
>>>>> Thanks for the hard work..
>>>> Thanks for the confirmation!
>>>>
>>>> The reason that the secondary DC isn't enrolled in DNS is that the
>>>> internal DNS server does not support dynamic updates (yet, Kai is still
>>>> working on it).
>>>>
>>>> Andrew Bartlett
>>>>
>>> Interesting,
>>>
>>>
>>> So should I use the internal DNS or Bind DLZ? Does it matter?
>>>
>>>
>> The internal server does not support secure dynamic updates yet, so if
>> you want secure dynamic updates, go with bind_dlz. Linux clients have a
>> hard time with that though, so, if you have linux clients and don't
>> _need_ secure updates, go with samba_internal. Just my opinion of course.
> What problem would Linux clients have ?
>
> In my experience GSS-TSIG updates work just fine.
>
> Simo.
>
Linux clients have a problem with samba dns, not GSS-TSIG. I have 
_always_ used secure ddns updates with linux clients and bind without 
problem. I have _never_ been able to successfully use linux clients and 
secure ddns updates with samba dns. I (along with numerous others) have 
asked here many time about this issue without success. If you know 
otherwise, I really would be grateful for an description of how to get 
linux clients and samba_dlz to play nicely together.
-- 
Any question is easy if you know the answer!