DLZ not loading all DNS zones

[Amitay Isaacs]

Hi Samuel,

On Thu, Feb 7, 2013 at 4:24 AM, Samuel Cabrero Alamán
<scabrero at zentyal.com>wrote:

> Hello,
>
> we have found a environment where the AD DNS zone is stored in
> CN=MicrosoftDNS,CN=System,.... The bind9 DLZ was not able to load it
> because not all files inside private/dns/sam.ldb.d/ are hard links to
> private/sam.ldb.d/. After hard linking all of them by hand the DLZ
> successfully loaded all DNS zones, but the wiki (
> https://wiki.samba.org/index.php/DNS#A_note_on_DNS_problems) only
> mentions that just two of them should be hard linked, DomainDnzZones and
> ForestDnsZones. Is it correct to hard link all of them?
>
>
Since the main domain partition contains critical information about the
domain, that partition should not really be hard-linked.  The provision
code actually creates a partial copy of domain partition which only
contains entries which are required for parsing DNS partitions. This
particular solution was envisaged to prevent access by BIND to the critical
AD information.  And in this scenario, it is assumed that the DNS
information is stored in DNS partitions and not in the main domain
partition.

There are few choices here:

1. Use internal DNS server instead of BIND9 + DLZ module. This depends on
your DNS setup and may not be suitable for sophisticated setups.

2. Migrate DNS information to DNS partitions from domain partition.  This
would be ideal, since that would allow you to continue using DNS set up and
isolate BIND from accessing domain information. (Unfortunately, there is no
tool in samba to do that yet.)

3. Link domain partition, so BIND can access complete domain partition and
access DNS data. This solution will definitely work, but at the cost of
exposing domain information to BIND and also to BIND gid if you are not
running named as root and have changed the group of domain partition file.

If choice 3 suits you best, then you can continue to do so.

Amitay.