bind 9.11.3 BIND9_FLATFILE update-policy
Andrew Bartlett
abartlet at samba.org
Wed Oct 10 05:13:28 UTC 2018
On Fri, 2018-09-28 at 13:16 +0300, Sergey Urushkin via samba-technical
wrote:
> Andrew Bartlett писал 2018-09-20 18:26:
> > On Thu, 2018-09-20 at 17:46 +0300, Sergey Urushkin via samba-technical
> > wrote:
> > > Hello.
> > >
> > > BIND 9.11.3 (shipped with Ubuntu 18.04) has modifications that prevent
> > > BIND from starting with Samba's update-policy config file included
> > > (BIND9_FLATFILE backend):
> > >
> > > https://gitlab.isc.org/isc-projects/bind9/commit/b329876bf1973bbf2ea922aca0ba6eacf8ca9275
> > >
> > > Error text:
> > > named.conf.update:3: name field not set to placeholder value '.'
> > >
> > > This already was in the mail list:
> > > https://lists.samba.org/archive/samba/2018-March/214738.html
> > >
> > > This could be fixed by making a fixed copy of the config and including
> > > it in BIND instead of the original:
> > > sed 's/ms-self \* /ms-self . /' named.conf.update > named.conf.update.static
> > >
> > > The next patch fixes config generation for 9.11.3 and above:
> > > --- a/source4/dsdb/dns/dns_update.c 2018-07-12
> > > 11:23:36.000000000 +0300
> > > +++ b/source4/dsdb/dns/dns_update.c 2018-09-20
> > > 16:16:32.330242337 +0300
> > > @@ -242,7 +242,7 @@
> > > dprintf(fd, "%s\n",static_policies);
> > > dprintf(fd, "/* End of static entries */\n");
> > > }
> > > - dprintf(fd, "\tgrant %s ms-self * A AAAA;\n", realm);
> > > + dprintf(fd, "\tgrant %s ms-self . A AAAA;\n", realm);
> > > dprintf(fd, "\tgrant Administrator@%s wildcard * A AAAA SRV
> > > CNAME;\n",
> > > realm);
> > >
> > > for (i=0; i<dc_count; i++) {
> > >
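Review bot: the switch from `*` to `.` in the ms-self grant is unconditional, while the covering message says it is untested on BIND releases older than 9.11.3, so depending on the installed named the generated file may be rejected by one side or the other. Either gate the placeholder on the version reported by `named -V`, as the message itself proposes, or stop generating this file from dns_update.c and ship a static one at provision. Any such version check should apply only to the ms-self line: the quoted error (`name field not set to placeholder value '.'`) concerns ms-self, and the `grant Administrator@%s wildcard * ...` line that follows is not changed by the hunk.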
> > > But this may not work with the older versions (not tested!). If so, we
> > > should check the installed BIND version on Samba start while generating
> > > the config (named -V), or get the right value (* or .) from some other
> > > place (a config file).
> > > Another approach: since the config is pretty much static (at least with
> > > the current single-realm Samba; it also doesn't honor the real
> > > 'Administrator' account name, or more widely any DNS-administrator
> > > name), generate it at provision (python/samba/provision/sambadns.py)
> > > like we do for named.conf.dlz, and just leave it as is with comments
> > > about BIND versions.
> >
> > At this stage my preference would have been to remove the 'feature'
> > entirely, given the limitations. It causes a job to run frequently to
> > fill in the file and trigger an rndc reload even when Samba isn't using
> > this, and this *may* be the cause of a crash or service outage on the
> > BIND side. (Not yet pinned down.)
> >
> > We would prefer folks used the DLZ driver or the internal DNS, as these
> > work with Microsoft and Samba admin tools etc. I don't mind us
> > generating the zone long-term but I think the rest is always going to
> > be so site-specific anyway.
> >
> > What do you think?
> >
> > Andrew Bartlett
>
> Agreed.
> Here is the patch that adds generation of the update-policy at provision.
> The second part should be removing the named.conf.update code from
> /source4/dsdb/dns/dns_update.c, but I didn't touch it, since I'm not a
> C specialist.
Can you make a full git commit with the Signed-off-by and send in your
DCO? Sorry for the fuss; the details are on the contributing page in
the wiki.
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
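The version-gated generation Sergey floats in the thread (check `named -V`, then emit `.` or `*` on the ms-self grant accordingly), worked through as an added example in Python. This is neither Samba's code nor the patch from the thread. It assumes that `named -V` reports its version on a line beginning `BIND x.y.z`, that the generated file wraps the grants in an `update-policy { ... };` block, and, as the thread states, that 9.11.3 is the first release rejecting `*` on ms-self; the sample `named -V` output, the realm and the file layout are constructed for the example.

```python
"""Version-gated generation of Samba's named.conf.update for the
BIND9_FLATFILE backend.  Added example, not Samba's own code."""
import re
import subprocess
from typing import Iterable, Optional, Tuple

Version = Tuple[int, int, int]

# First BIND release that rejects a name field other than '.' on ms-self
# grants (per the thread; older releases accepted the '*' Samba emitted).
PLACEHOLDER_CHANGE: Version = (9, 11, 3)

# Constructed sample of `named -V` output for an Ubuntu 18.04 host; the
# real output also carries build flags that are irrelevant here.
SAMPLE_NAMED_V = (
    "BIND 9.11.3-1ubuntu1.2-Ubuntu (Extended Support Version) <id:a375815>\n"
    "running on Linux x86_64 4.15.0-34-generic\n"
)


def parse_bind_version(named_v_output: str) -> Optional[Version]:
    """Pull (major, minor, patch) out of `named -V` text; None if absent.
    Assumes the version follows the word BIND somewhere in the output."""
    m = re.search(r"\bBIND\s+(\d+)\.(\d+)\.(\d+)", named_v_output)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def ms_self_placeholder(version: Optional[Version]) -> str:
    """'.' for 9.11.3 and later, '*' for anything older.  An unknown
    version is treated as current, since '.' is what the new check wants
    and '*' is the value reported to break."""
    if version is None or version >= PLACEHOLDER_CHANGE:
        return "."
    return "*"


def render_update_policy(realm: str, version: Optional[Version],
                         static_policies: Iterable[str] = ()) -> str:
    """Emit the update-policy block with the same grant lines dns_update.c
    writes; the enclosing 'update-policy { ... };' wrapper is assumed."""
    static = list(static_policies)
    lines = ["update-policy {"]
    if static:
        lines.append("\t/* Start of static entries */")
        lines.extend("\t" + p for p in static)
        lines.append("\t/* End of static entries */")
    lines.append(f"\tgrant {realm} ms-self {ms_self_placeholder(version)} A AAAA;")
    lines.append(f"\tgrant Administrator@{realm} wildcard * A AAAA SRV CNAME;")
    lines.append("};")
    return "\n".join(lines) + "\n"


def fix_existing_policy(text: str, version: Optional[Version]) -> str:
    """Rewrite an already-generated file: the sed one-liner from the thread,
    but choosing the placeholder from the version instead of hard-coding '.'.
    Only the ms-self name field is touched; wildcard rules keep their '*'."""
    ph = ms_self_placeholder(version)
    return re.sub(r"(\bms-self\s+)[*.](?=\s)", lambda m: m.group(1) + ph, text)


def installed_bind_version() -> Optional[Version]:
    """Ask the local named for its version; None if it is not installed."""
    try:
        proc = subprocess.run(["named", "-V"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None
    return parse_bind_version(proc.stdout)


if __name__ == "__main__":
    # Fall back to the constructed sample when no named is installed here.
    ver = installed_bind_version() or parse_bind_version(SAMPLE_NAMED_V)
    print(render_update_policy("SAMDOM.EXAMPLE.COM", ver), end="")
```

Running it on a host with BIND installed prints a block whose ms-self line matches what that named will accept; `fix_existing_policy` does the same edit to a file dns_update.c has already written, so it can replace the sed step in the thread until the generating code is removed.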