DNS updates using nsupdate are not working!
Rowland Penny
repenny241155 at gmail.com
Fri Sep 12 08:58:09 MDT 2014
On 12/09/14 15:32, Andreas Schneider wrote:
> On Friday 12 September 2014 12:09:36 Rowland Penny wrote:
>> On 12/09/14 09:40, Andreas Schneider wrote:
>>> Hello,
>>>
>>> I'm trying to get samba_dnsupdate working but I can't. Nobody has time to
>>> explain to me how the DNS stuff works. So now I'm moving the ball to you!
>>>
>>> It looks like the SOA record in the DNS server is wrong! The 'nsupdate'
>>> command from bind-utils 9.9.5 is not able to update records cause querying
>>> the SOA record returns a result nsupdate isn't able to parse.
>>>
>>> Reproducer:
>>>
>>> 1. Get socket_wrapper from:
>>> http://git.cryptomilk.org/projects/socket_wrapper.git/log/?h=fix
>>> (This implements fcntl(fd, F_DUPFD, ...) needed by nsupdate)
>>>
>>> 2. Compile and install it, see README.install
>>>
>>> (mkdir mybuilddir
>>>
>>> cd mybuilddir
>>>
>>> cmake -DCMAKE_INSTALL_PREFIX=/usr -DLIB_SUFFIX=64 /path/to/source)
>>>
>>> 3. Compile Samba master git tree
>>> 4. Run 'make testenv SAMBA_OPTIONS=-d10'
>>> 5. Call 'SOCKET_WRAPPER_PCAP_FILE=nsupdate.pcap nsupdate -g'
>>>
>>> server 127.0.0.21
>>> update add wurst.samba.example.com. 900 AAAA fd00::5357:5f20
>>> show
>>> send
>>>
>>> You can inspect server logs and the pcap file now and see it yourself!
>>>
>>>
>>> Regards,
>>>
>>> -- andreas
>> This seems really strange posting this in reply to a post from one of
>> the samba devs, but I run a Samba4 AD DC on Debian 7.5 with bind9.9.5
>> and I have no problem in using nsupdate to update the DNS records. What
>> I did notice and it is probably a typo, is that your server is
>> 127.0.0.21 not 127.0.0.1
> 127.0.0.21 is the IP of the DC in 'make test'.
Ah, but you never mentioned that you were using bind etc. in a test
environment. You just basically said bind9.9.5 couldn't update samba4 dns.
>
> Windows 2008:
>
> asn at magrathea:~> dig -t SOA discworld.site
Hmm, I suspect a science fiction fan here ;-)
> ; <<>> DiG 9.9.5-rpz2+rl.14038.05-P1 <<>> -t SOA discworld.site
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31776
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4000
> ;; QUESTION SECTION:
> ;discworld.site. IN SOA
>
> ;; ANSWER SECTION:
> discworld.site. 3600 IN SOA dwad1.discworld.site.
> hostmaster.discworld.site. 236 900 600 86400 3600
>
> ;; ADDITIONAL SECTION:
> dwad1.discworld.site. 3600 IN A 192.168.100.10
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri Sep 12 16:24:17 CEST 2014
> ;; MSG SIZE rcvd: 112
>
On my DC:
root at dc01:~# dig -t SOA example.com
; <<>> DiG 9.9.5-4~bpo70+1-Debian <<>> -t SOA example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62908
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.com. IN SOA
;; ANSWER SECTION:
example.com. 3600 IN SOA dc01.example.com.
hostmaster.example.com. 17 900 600 86400 0
;; AUTHORITY SECTION:
example.com. 900 IN NS dc01.example.com.
;; ADDITIONAL SECTION:
dc01.example.com. 900 IN A 192.168.0.2
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Sep 12 15:42:43 BST 2014
;; MSG SIZE rcvd: 119
Only major difference I can see is that I have an authority section.
> Samba DC in 'make testenv':
>
> dig @127.0.0.21 -t SOA samba.example.com
> ;; reply from unexpected source: 127.0.0.21#53, expected 127.0.0.21#53
> ;; reply from unexpected source: 127.0.0.21#53, expected 127.0.0.21#53
> ;; reply from unexpected source: 127.0.0.21#53, expected 127.0.0.21#53
>
> ; <<>> DiG 9.9.5-rpz2+rl.14038.05-P1 <<>> @127.0.0.21 -t SOA samba.example.com
> ; (1 server found)
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
>
I don't have a testenv so couldn't do this, but could I ask why
'127.0.0.21' ?
>
>> I don't use ipv6 so this may be your problem, does the update work for
>> ipv4 addresses ?
> Did you try the reproducer I posted above?
>
In a word, no.
Rowland
>
> -- andreas
>