ForestDnsZones partition and TrustAnchors zone problem

Amitay Isaacs amitay at gmail.com
Mon Oct 1 21:14:36 MDT 2012


Hi Matthieu/Samuel,

On Tue, Oct 2, 2012 at 11:37 AM, Matthieu Patou <mat at samba.org> wrote:
> On 10/01/2012 03:35 PM, Samuel Cabrero wrote:
>>
>> Hi,
>>
>> I have found a problem related to the ForestDnsZones partition replication
>> when using BIND9_DLZ as backend in samba4 rc1.
>>
>> If the "TrustAnchors" zone exists in the Windows server, it is replicated
>> to samba4 and the named daemon exits with the following error when trying to
>> load it:
>>
>> named[10704]: samba_dlz: Failed to configure zone '..TrustAnchors'
>> named[10704]: loading configuration: empty label
>> named[10704]: exiting (due to fatal error)
>>
>> As soon as the zone is deleted in the Windows server (dnscmd /zonedelete
>> TrustAnchors /DsDel) and the change is replicated to samba, named starts
>> without problems.
>>
>> This issue is more annoying than it seems because this TrustAnchors zone
>> is automatically created each time the server properties window is
>> opened in the Windows DNS management tool. If you right-click on the server
>> name and select Properties, then select the Trust Anchors tab and click the
>> OK button without making any changes, the zone is created again, replicated
>> to samba4 and the problem is back.
>>
>> I don't know if it is related, but the zone has two dots prepended to its
>> name when replicated to samba:
>>
>> root@s4dc1:/home/zen# samba-tool dns zonelist s4dc1.kernevil.lan
>>   3 zone(s) found
>>
>>   pszZoneName                 : kernevil.lan
>>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>   Version                     : 50
>>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>>   pszDpFqdn                   : DomainDnsZones.kernevil.lan
>>
>>   pszZoneName                 : _msdcs.kernevil.lan
>>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>   Version                     : 50
>>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>>   pszDpFqdn                   : ForestDnsZones.kernevil.lan
>>
>>   pszZoneName                 : ..TrustAnchors
>>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>   Version                     : 50
>>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>>   pszDpFqdn                   : ForestDnsZones.kernevil.lan
>>
>>
>> root@s4dc1:/home/zen# samba-tool dns zonelist windc1.kernevil.lan
>>   3 zone(s) found
>>
>>   pszZoneName                 : _msdcs.kernevil.lan
>>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>   Version                     : 50
>>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>>   pszDpFqdn                   : ForestDnsZones.kernevil.lan
>>
>>   pszZoneName                 : kernevil.lan
>>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>   Version                     : 50
>>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>>   pszDpFqdn                   : DomainDnsZones.kernevil.lan
>>
>>   pszZoneName                 : TrustAnchors
>>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED
>>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>   Version                     : 50
>>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>>   pszDpFqdn                   : ForestDnsZones.kernevil.lan


Since we are not interpreting any records in the ..TrustAnchors zone yet,
that zone can be ignored by the DLZ plugin and also by the RPC dnsserver.
samba-tool dns commands work against the RPC dnsserver.


> I did a small search on my server and I have this:
>
> ./bin/ldbsearch -H ldap://172.16.100.49 -Uadministrator%totoTATA123 -b
> DC=ForestDnsZones,DC=w2k12,DC=home,DC=matws,DC=net dn  | grep -i trust
> dn: DC=..TrustAnchors,CN=MicrosoftDNS,DC=ForestDnsZones,DC=w2k12,DC=home,DC=matws,DC=net
> dn: DC=@,DC=..TrustAnchors,CN=MicrosoftDNS,DC=ForestDnsZones,DC=w2k12,DC=home,DC=matws,DC=net
> mat@mpatou-t420:/usr/local/src/samba$ ./bin/samba-tool dns zonelist 172.16.100.49
> Password for [WORKGROUP\mat]:
> Interrupted by signal.
> mat@mpatou-t420:/usr/local/src/samba$ ./bin/samba-tool dns zonelist 172.16.100.49 -Uadministrator%totoTATA123
>   3 zone(s) found
>
>   pszZoneName                 : _msdcs.w2k12.home.matws.net
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : ForestDnsZones.w2k12.home.matws.net
>
>   pszZoneName                 : TrustAnchors
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : ForestDnsZones.w2k12.home.matws.net
>
>   pszZoneName                 : w2k12.home.matws.net
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.w2k12.home.matws.net
>
>
> The server is a Windows 2012 server, so it means that in the database the
> records are saved in the ..TrustAnchors format but that Windows is returning
> them cleaned.
>
>
>> I would be happy to provide as much debug info as you need to help to
>> solve this issue.
>>
> Can you try to create another zone with the Windows tools (i.e. foobar.lan),
> wait for it to be replicated to samba and then restart bind.
>
> If everything is ok then it means that we "just" have to skip the
> trustanchors from being loaded + fix the samba-tool dns output.

The patches for DLZ and RPC dnsserver are in the master branch and are
also attached to this email.

    http://git.samba.org/amitay/?p=amitay/samba.git;a=summary

Samuel, can you test with the patches and confirm that BIND does not crash?

Thanks.

Amitay.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s4-dns-dlz_bind9-Ignore-zones-that-are-not-used-by-B.patch
Type: application/octet-stream
Size: 964 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20121002/8521a222/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-s4-rpc-dnsserver-Ignore-DNS-zones-that-are-not-used-.patch
Type: application/octet-stream
Size: 1051 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20121002/8521a222/attachment-0003.obj>
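Added example (not Samba code, and not the content of the two attached patches): a small Python filter that reproduces the classification this thread arrives at. It pulls zone names out of MicrosoftDNS zone-object DNs of the shape shown in Matthieu's ldbsearch output, checks each name against the DNS label rules BIND enforces, and reports "..TrustAnchors" as an empty-label name to skip rather than something to hand to named. The function names (zone_load_error, zone_name_from_dn, partition_loadable_zones) are mine, and the sample DNs are constructed from the zone names quoted above, not copied from a real directory.

```python
"""Filter AD-integrated DNS zone objects before a BIND-style loader sees them.

Added example, not Samba code. It mirrors the failure in the thread: a zone
object stored as DC=..TrustAnchors yields a zone name with empty labels,
which named rejects with "empty label" and then exits. A DLZ backend that
skips such names instead of passing them on keeps named running.
"""
from typing import List, Optional, Tuple

MAX_LABEL = 63   # RFC 1035 section 2.3.4: one label is at most 63 octets
MAX_NAME = 253   # presentation-form limit (255 wire octets incl. length bytes)


def zone_load_error(zone: str) -> Optional[str]:
    """Return None if `zone` is a loadable DNS zone name, else the reason.

    The root zone "." is accepted and one trailing dot is tolerated; any
    other empty label (leading, doubled or stray dot) is the condition the
    "loading configuration: empty label" message in the thread refers to.
    """
    if zone == ".":
        return None
    name = zone[:-1] if zone.endswith(".") else zone
    if not name:
        return "empty name"
    if len(name) > MAX_NAME:
        return "name too long"
    for label in name.split("."):
        if label == "":
            return "empty label"
        if len(label) > MAX_LABEL:
            return f"label too long: {label!r}"
    return None


def zone_name_from_dn(dn: str) -> Optional[str]:
    """Extract the zone name from a MicrosoftDNS *zone object* DN.

    Zone objects sit directly under CN=MicrosoftDNS:
        DC=<zone>,CN=MicrosoftDNS,DC=ForestDnsZones,...
    Record objects are one level deeper (DC=@,DC=<zone>,CN=MicrosoftDNS,...)
    and return None. RDN values are taken verbatim; this helper does not undo
    LDAP escaping, which the names in the thread do not need.
    """
    parts = [p.strip() for p in dn.split(",")]
    if len(parts) < 2:
        return None
    first, second = parts[0], parts[1]
    if not first.upper().startswith("DC=") or second.upper() != "CN=MICROSOFTDNS":
        return None
    return first[len("DC="):]


def partition_loadable_zones(dns: List[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split zone-object DNs into (loadable zone names, [(zone, reason)] skipped).

    Mirrors a backend that ignores zones BIND cannot serve instead of letting
    a single bad object take named down.
    """
    loadable: List[str] = []
    skipped: List[Tuple[str, str]] = []
    for dn in dns:
        zone = zone_name_from_dn(dn)
        if zone is None:          # record object or unrelated DN
            continue
        err = zone_load_error(zone)
        if err is None:
            loadable.append(zone)
        else:
            skipped.append((zone, err))
    return loadable, skipped


# Constructed sample: the zone names from the thread laid out as the DNs
# Matthieu's ldbsearch showed, plus one record object under the bad zone.
SAMPLE_DNS = [
    "DC=kernevil.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=kernevil,DC=lan",
    "DC=_msdcs.kernevil.lan,CN=MicrosoftDNS,DC=ForestDnsZones,DC=kernevil,DC=lan",
    "DC=..TrustAnchors,CN=MicrosoftDNS,DC=ForestDnsZones,DC=kernevil,DC=lan",
    "DC=@,DC=..TrustAnchors,CN=MicrosoftDNS,DC=ForestDnsZones,DC=kernevil,DC=lan",
]

if __name__ == "__main__":
    ok, bad = partition_loadable_zones(SAMPLE_DNS)
    for z in ok:
        print("load ", z)
    for z, why in bad:
        print("skip ", z, "->", why)
```

The check is deliberately the generic RFC 1035 label test rather than a special case on the TrustAnchors name, so any other object in the partition that is stored with an empty label is skipped the same way. Whatever Windows does to present the zone as plain "TrustAnchors" over RPC is not reproduced here, because the thread only observes that behaviour and does not explain it.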