DNS updates using nsupdate are not working!

Rowland Penny repenny241155 at gmail.com
Fri Sep 12 08:58:09 MDT 2014


On 12/09/14 15:32, Andreas Schneider wrote:
> On Friday 12 September 2014 12:09:36 Rowland Penny wrote:
>> On 12/09/14 09:40, Andreas Schneider wrote:
>>> Hello,
>>>
>>> I'm trying to get samba_dnsupdate working but I can't. Nobody has time to
>>> explain to me how the DNS stuff works. So now I'm moving the ball to you!
>>>
>>> It looks like the SOA record in the DNS server is wrong! The 'nsupdate'
>>> command from bind-utils 9.9.5 is not able to update records because querying
>>> the SOA record returns a result nsupdate isn't able to parse.
>>>
>>> Reproducer:
>>>
>>> 1. Get socket_wrapper from:
>>>      http://git.cryptomilk.org/projects/socket_wrapper.git/log/?h=fix
>>>      (This implements fcntl(fd, F_DUPFD, ...) needed by nsupdate)
>>>
>>> 2. Compile and install it, see README.install
>>>
>>>      (mkdir mybuilddir
>>>       cd mybuilddir
>>>       cmake -DCMAKE_INSTALL_PREFIX=/usr -DLIB_SUFFIX=64 /path/to/source)
>>>
>>> 3. Compile Samba master git tree
>>> 4. Run 'make testenv SAMBA_OPTIONS=-d10'
>>> 5. Call 'SOCKET_WRAPPER_PCAP_FILE=nsupdate.pcap nsupdate -g'
>>>
>>>      server 127.0.0.21
>>>      update add wurst.samba.example.com. 900 AAAA fd00::5357:5f20
>>>      show
>>>      send
>>>
>>> You can inspect server logs and the pcap file now and see it yourself!
>>>
>>>
>>> Regards,
>>>
>>> 	-- andreas
>> This seems really strange posting this in reply to a post from one of
>> the samba devs, but I run a Samba4 AD DC on Debian 7.5 with bind9.9.5
>> and I have no problem in using nsupdate to update the DNS records. What
>> I did notice and it is probably a typo, is that your server is
>> 127.0.0.21 not 127.0.0.1
> 127.0.0.21 is the IP of the DC in 'make test'.
Ah, but you never mentioned that you were using bind etc in a test
environment. You just basically said bind9.9.5 couldn't update samba4 dns.

>
> Windows 2008:
>
> asn@magrathea:~> dig -t SOA discworld.site

Hmm, I suspect a science fiction fan here ;-)

> ; <<>> DiG 9.9.5-rpz2+rl.14038.05-P1 <<>> -t SOA discworld.site
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31776
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4000
> ;; QUESTION SECTION:
> ;discworld.site.                        IN      SOA
>
> ;; ANSWER SECTION:
> discworld.site.         3600    IN      SOA     dwad1.discworld.site. hostmaster.discworld.site. 236 900 600 86400 3600
>
> ;; ADDITIONAL SECTION:
> dwad1.discworld.site.   3600    IN      A       192.168.100.10
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri Sep 12 16:24:17 CEST 2014
> ;; MSG SIZE  rcvd: 112
>

On my DC:

root@dc01:~# dig -t SOA example.com

; <<>> DiG 9.9.5-4~bpo70+1-Debian <<>> -t SOA example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62908
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.com.            IN    SOA

;; ANSWER SECTION:
example.com.        3600    IN    SOA    dc01.example.com. hostmaster.example.com. 17 900 600 86400 0

;; AUTHORITY SECTION:
example.com.        900    IN    NS    dc01.example.com.

;; ADDITIONAL SECTION:
dc01.example.com.        900    IN    A    192.168.0.2

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Sep 12 15:42:43 BST 2014
;; MSG SIZE  rcvd: 119

Only major difference I can see is that I have an authority section.

> Samba DC in 'make testenv':
>
> dig @127.0.0.21 -t SOA samba.example.com
> ;; reply from unexpected source: 127.0.0.21#53, expected 127.0.0.21#53
> ;; reply from unexpected source: 127.0.0.21#53, expected 127.0.0.21#53
> ;; reply from unexpected source: 127.0.0.21#53, expected 127.0.0.21#53
>
> ; <<>> DiG 9.9.5-rpz2+rl.14038.05-P1 <<>> @127.0.0.21 -t SOA samba.example.com
> ; (1 server found)
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
>

I don't have a testenv so couldn't do this, but could I ask why 
'127.0.0.21' ?

>   
>> I don't use ipv6 so this may be your problem, does the update work for
>> ipv4 addresses ?
> Did you try the reproducer I posted above?
>
In a word, no.

Rowland
>
> 	-- andreas
>
