bind 9.11.3 BIND9_FLATFILE update-policy

Sergey Urushkin urushkin at telros.ru
Wed Oct 10 09:40:03 UTC 2018


Attached.

---
Best regards,
Sergey Urushkin


Andrew Bartlett wrote 2018-10-10 08:13:
> On Fri, 2018-09-28 at 13:16 +0300, Sergey Urushkin via samba-technical
> wrote:
>> > Andrew Bartlett wrote 2018-09-20 18:26:
>> > On Thu, 2018-09-20 at 17:46 +0300, Sergey Urushkin via samba-technical
>> > wrote:
>> > > Hello.
>> > >
>> > > Bind 9.11.3 (shipped with ubuntu 18.04) has modifications that
>> > > prevent bind from starting with samba's update-policy config file
>> > > included (BIND9_FLATFILE backend):
>> > >
>> > > https://gitlab.isc.org/isc-projects/bind9/commit/b329876bf1973bbf2ea922aca0ba6eacf8ca9275
>> > >
>> > > Error text:
>> > > named.conf.update:3: name field not set to placeholder value '.'
>> > >
>> > > This was already on the mailing list:
>> > > https://lists.samba.org/archive/samba/2018-March/214738.html
>> > >
>> > > This could be fixed by making a fixed copy of the config and
>> > > including it in BIND instead of the original:
>> > > sed 's/ms-self \* /ms-self . /' named.conf.update > named.conf.update.static
>> > >
>> > > The next patch fixes config generation for 9.11.3 and above:
>> > > --- a/source4/dsdb/dns/dns_update.c	2018-07-12
>> > > 11:23:36.000000000 +0300
>> > > +++ b/source4/dsdb/dns/dns_update.c	2018-09-20
>> > > 16:16:32.330242337 +0300
>> > > @@ -242,7 +242,7 @@
>> > >   		dprintf(fd, "%s\n",static_policies);
>> > >   		dprintf(fd, "/* End of static entries */\n");
>> > >   	}
>> > > -	dprintf(fd, "\tgrant %s ms-self * A AAAA;\n", realm);
>> > > +	dprintf(fd, "\tgrant %s ms-self . A AAAA;\n", realm);
>> > >   	dprintf(fd, "\tgrant Administrator@%s wildcard * A AAAA SRV
>> > > CNAME;\n",
>> > > realm);
>> > >
>> > >   	for (i=0; i<dc_count; i++) {
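Review bot: the `-`/`+` pair at `dprintf(fd, "\tgrant %s ms-self * A AAAA;\n", realm);` hard-codes the `.` placeholder, so every generated named.conf.update now assumes BIND 9.11.3 or later, while the cover text itself says older versions are untested and may break; gate the value instead of hard-coding it, e.g. `const char *ms_self_name = bind_needs_placeholder ? "." : "*";` followed by `dprintf(fd, "\tgrant %s ms-self %s A AAAA;\n", realm, ms_self_name);`, with the flag derived from the installed named version or a config setting as the text proposes, and add a comment at the dprintf citing the BIND commit so the next reader knows why the name field is not `*`. The `wildcard *` grant on the following line can stay as it is: the sed workaround in the same message touches only the ms-self rule, and that is enough to get named starting. The hunk is also a plain `diff -u` with file timestamps rather than a git commit with a Signed-off-by line, which the project asks for before merging.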
>> > >
>> > > But this may not work with the older versions (not tested!). If so,
>> > > we should check the installed bind version at samba start while
>> > > generating the config (named -V) or get the right value (* or .)
>> > > from some other place (config file).
>> > > Another approach: since the config is pretty much static (at least
>> > > with the current single-realm samba, and it also doesn't honor the
>> > > real 'Administrator' account name and, even more widely, every
>> > > dns-administrator name), generate it on provision
>> > > (python/samba/provision/sambadns.py) like we do for named.conf.dlz
>> > > and just leave it as is with comments about BIND versions.
>> >
>> > At this stage my preference would have been to remove the 'feature'
>> > entirely, given the limitations.  It causes a job to run frequently to
>> > fill in the file and trigger rndc reload even when Samba isn't using
>> > this, and this *may* be the cause of a crash or service outage on the
>> > bind side.  (Not yet pinned down).
>> >
>> > We would prefer folks used the DLZ driver or the internal DNS, as these
>> > work with Microsoft and Samba admin tools etc.  I don't mind us
>> > generating the zone long-term but I think the rest is always going to
>> > be so site-specific anyway.
>> >
>> > What do you think?
>> >
>> > Andrew Bartlett
>> 
>> Agreed.
>> Here is the patch that adds generating update-policy at provision.
>> The second part should be removing named.conf.update code from
>> /source4/dsdb/dns/dns_update.c - but I didn't touch it, since I'm not
>> a C specialist.
> 
> Can you make a full git commit with the signed-off-by and send in your
> DCO?  Sorry for the fuss, the details are in the contributing page in
> the wiki.
> 
> Thanks,
> 
> Andrew Bartlett
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-provision-create-valid-named.conf.update-for-BIND9_F.patch
Type: text/x-diff
Size: 5102 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20181010/1a0d65b1/0001-provision-create-valid-named.conf.update-for-BIND9_F.diff>
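The version check (named -V) and the sed rewrite discussed in the thread, carried into a Python helper as an added example; this is not Samba's code and not what sambadns.py does. It assumes that every BIND release from 9.11.3 on rejects `ms-self *` (the thread establishes only that 9.11.3 does), uses a constructed `named -V` line and a constructed realm, and treats an undetectable version as current BIND.

```python
import re
import subprocess
from typing import List, Optional, Tuple

# Per the thread, BIND 9.11.3 rejects 'ms-self *' with
# "name field not set to placeholder value '.'". Assumption: every
# release from 9.11.3 on behaves the same way, so that is the cutoff.
MS_SELF_PLACEHOLDER_MIN_VERSION = (9, 11, 3)

# First line of `named -V` starts with e.g. "BIND 9.11.3-1ubuntu1-Ubuntu".
VERSION_RE = re.compile(r"BIND\s+(\d+)\.(\d+)\.(\d+)")
# An ms-self grant rule whose name field is '*'.
MS_SELF_STAR_RE = re.compile(r"^\s*grant\s+\S+\s+ms-self\s+\*(\s|$)")


def parse_named_version(named_v_output: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from `named -V` output, or None."""
    m = VERSION_RE.search(named_v_output)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def installed_named_version() -> Optional[Tuple[int, int, int]]:
    """Run `named -V` on this host; None if named is missing or unparsable."""
    try:
        out = subprocess.run(["named", "-V"], capture_output=True, text=True,
                             check=False).stdout
    except OSError:
        return None
    return parse_named_version(out)


def ms_self_name_field(version: Optional[Tuple[int, int, int]]) -> str:
    """Name field for 'grant <realm> ms-self <name> A AAAA;'.

    '.' for BIND >= 9.11.3, '*' for older releases. Assumption: when the
    version is unknown we emit '.', the form current BIND accepts.
    """
    if version is None or version >= MS_SELF_PLACEHOLDER_MIN_VERSION:
        return "."
    return "*"


def render_update_policy(realm: str,
                         version: Optional[Tuple[int, int, int]]) -> str:
    """Render the two grants the thread's dns_update.c emits, with the
    ms-self name field chosen for the given BIND version."""
    name = ms_self_name_field(version)
    lines = [
        "update-policy {",
        "\tgrant %s ms-self %s A AAAA;" % (realm, name),
        "\tgrant Administrator@%s wildcard * A AAAA SRV CNAME;" % realm,
        "};",
    ]
    return "\n".join(lines) + "\n"


def find_incompatible_ms_self(policy_text: str) -> List[int]:
    """1-based line numbers of 'ms-self *' grants, i.e. the rules BIND
    9.11.3+ refuses to load. An empty list means the file is safe there."""
    return [n for n, line in enumerate(policy_text.splitlines(), 1)
            if MS_SELF_STAR_RE.match(line)]


def fix_ms_self_placeholder(policy_text: str) -> str:
    """Same rewrite as the thread's sed one-liner: 'ms-self * ' -> 'ms-self . '.
    The 'wildcard *' grant is untouched because it is not an ms-self rule."""
    return re.sub(r"(\bms-self\s+)\*(\s)", r"\1.\2", policy_text)


if __name__ == "__main__":
    # Constructed sample of `named -V` output; not captured from a real host.
    sample = "BIND 9.11.3-1ubuntu1-Ubuntu (Extended Support Version)\n"
    ver = parse_named_version(sample)
    # Constructed realm for illustration.
    print(render_update_policy("SAMDOM.EXAMPLE.COM", ver), end="")
```

At provision time `installed_named_version()` supplies the value to feed `render_update_policy`; `find_incompatible_ms_self` is the pre-flight check to run on an existing named.conf.update before upgrading to BIND 9.11.3 or later, and `fix_ms_self_placeholder` produces the same file the sed line in the thread does.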

