bind 9.11.3 BIND9_FLATFILE update-policy

Rowland Penny rpenny at samba.org
Wed Oct 10 09:49:19 UTC 2018


On Wed, 10 Oct 2018 12:40:03 +0300
Sergey Urushkin via samba-technical <samba-technical at lists.samba.org>
wrote:

> Attached.
> 
> ---
> Best regards,
> Sergey Urushkin
> 
> 
> Andrew Bartlett писал 2018-10-10 08:13:
> > On Fri, 2018-09-28 at 13:16 +0300, Sergey Urushkin via
> > samba-technical wrote:
> >> Andrew Bartlett писал 2018-09-20 18:26:
> >> > On Thu, 2018-09-20 at 17:46 +0300, Sergey Urushkin via
> >> > samba-technical wrote:
> >> > > Hello.
> >> > >
> >> > > Bind 9.11.3 (shipped with ubuntu 18.04) has modifications that
> >> > > prevent
> >> > > bind from starting with samba's update-policy config file included
> >> > > (BIND9_FLATFILE backend):
> >> > >
> >> > > https://gitlab.isc.org/isc-projects/bind9/commit/b329876bf1973bbf2ea9
> >> > > 22aca0ba6eacf8ca9275
> >> > >
> >> > > Error text:
> >> > > named.conf.update:3: name field not set to placeholder value
> >> > > '.'
> >> > >
> >> > > This already was in the mail list:
> >> > > https://lists.samba.org/archive/samba/2018-March/214738.html
> >> > >
> >> > > This could be fixed by making a fixed copy of the config and
> >> > > including
> >> > > it to BIND instead of the original:
> >> > > sed 's/ms-self \* /ms-self . /' named.conf.update >
> >> > > named.conf.update.static
> >> > >
> >> > > The next patch fixes config generation for 9.11.3 and above:
> >> > > --- a/source4/dsdb/dns/dns_update.c	2018-07-12
> >> > > 11:23:36.000000000 +0300
> >> > > +++ b/source4/dsdb/dns/dns_update.c	2018-09-20
> >> > > 16:16:32.330242337 +0300
> >> > > @@ -242,7 +242,7 @@
> >> > >   		dprintf(fd, "%s\n",static_policies);
> >> > >   		dprintf(fd, "/* End of static entries */\n");
> >> > >   	}
> >> > > -	dprintf(fd, "\tgrant %s ms-self * A AAAA;\n", realm);
> >> > > +	dprintf(fd, "\tgrant %s ms-self . A AAAA;\n", realm);
> >> > >   	dprintf(fd, "\tgrant Administrator@%s wildcard * A
> >> > > AAAA SRV CNAME;\n",
> >> > > realm);
> >> > >
> >> > >   	for (i=0; i<dc_count; i++) {
> >> > >
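Review bot: the `-`/`+` pair at the `ms-self` grant hard-codes the `.` placeholder, so the generated named.conf.update trades the BIND 9.11.3+ start-up failure for one on older BIND releases that still expect `*` in that position, which the covering mail itself says is untested. Suggest selecting the token from the detected `named -V` version (or from a configurable setting) instead of fixing it in the format string, e.g. `dprintf(fd, "\tgrant %s ms-self %s A AAAA;\n", realm, ms_self_name);` with `ms_self_name` set to `"."` or `"*"` accordingly, and documenting the version dependency next to the generator.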
> >> > > But this may not work with the older versions (not tested!).
> >> > > If so, we
> >> > > should check the installed bind version on the samba start
> >> > > while generating the config (named -V) or get the right value
> >> > > (* or .) from
> >> > > some another place (config file).
> >> > > Another approach: since the config is pretty much static (at
> >> > > least with
> >> > > the current single-realm samba and it also doesn't honor real
> >> > > 'Administrator' account name and even more widely - every
> >> > > dns-administrator name), generate it on the provision
> >> > > (python/samba/provision/sambadns.py) like we do for
> >> > > named.conf.dlz and
> >> > > just leave it as is with comments about BIND versions.
> >> >
> >> > At this stage my preference would have been to remove the
> >> > 'feature' entirely, given the limitations.  It causes a job to
> >> > run frequently to fill in the file and trigger rndc reload even
> >> > when Samba isn't using this, and this *may* be the cause of a
> >> > crash or service outage on the bind side.  (Not yet pinned down).
> >> >
> >> > We would prefer folks used the DLZ driver or the internal DNS,
> >> > as these work with Microsoft and Samba admin tools etc.  I don't
> >> > mind us generating the zone long-term but I think the rest is
> >> > always going to be so site-specific anyway.
> >> >
> >> > What do you think?
> >> >
> >> > Andrew Bartlett
> >> 
> >> Agreed.
> >> Here is the patch that adds generating update-policy at provision.
> >> The second part should be removing named.conf.update code from
> >> /source4/dsdb/dns/dns_update.c - but I didn't touch it, since I'm
> >> not a
> >> C specialist.
> > 
> > Can you make a full git commit with the signed-off-by and send in
> > your DCO?  Sorry for the fuss, the details are in the contributing
> > page in the wiki.
> > 
> > Thanks,
> > 
> > Andrew Bartlett

Sorry, but there is a line over 80 characters.

Also shouldn't we be removing flat files?
If they work just like BIND9_DLZ, why was BIND9_DLZ written?

Rowland
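A version-gated variant of the sed workaround quoted above, added here as an illustration and not code from the thread or from Samba. It implements the "check the installed bind version (named -V) while generating the config" idea from the quoted mail: parse the `named -V` banner, compare against 9.11.3, and rewrite only the ms-self rules. The 9.11.3 threshold is taken from the thread as stated, the banner strings are constructed sample input, and an unparseable banner is treated as an error rather than guessed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: pick the name-field
# placeholder for "ms-self" update-policy rules from the installed BIND version,
# i.e. the "check named -V while generating the config" approach the thread
# floats. Assumption taken from the thread: BIND 9.11.3 and later require '.',
# earlier versions expect '*'.

# Extract "major.minor.patch" from a `named -V` banner such as
# "BIND 9.11.3-1ubuntu1-Ubuntu (Extended Support Version)" (constructed sample).
bind_version() {
    printf '%s\n' "$1" |
        sed -n 's/^BIND \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Map "a.b.c" to one integer so versions can be compared with -ge.
version_key() {
    printf '%s\n' "$1" |
        awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

version_ge() {
    [ "$(version_key "$1")" -ge "$(version_key "$2")" ]
}

# Print the ms-self name-field token for the given banner: '.' on 9.11.3 and
# later, '*' before that. Fail (no output, status 1) on an unparseable banner
# rather than guessing, so the caller does not ship a config named cannot load.
ms_self_token() {
    v=$(bind_version "$1")
    [ -n "$v" ] || return 1
    if version_ge "$v" 9.11.3; then printf '.'; else printf '*'; fi
}

# Rewrite an update-policy file read from stdin so that every ms-self rule
# carries the right token for the banner in $1; all other rules are left alone.
# In the sed replacement, '.' and '*' are literal, so $tok needs no escaping.
rewrite_update_policy() {
    tok=$(ms_self_token "$1") || return 1
    sed "s/ms-self [.*] /ms-self $tok /"
}

# Typical use, mirroring the sed workaround from the thread but version-aware:
#   rewrite_update_policy "$(named -V)" < named.conf.update > named.conf.update.static
# then include the .static copy from named.conf and verify it with named-checkconf.
```

Because the token is chosen from the banner rather than hard-coded, the same script can be left in place across a BIND upgrade; the explicit failure on an unrecognised banner is deliberate, since silently emitting either token reproduces the start-up failure the thread is about on one side or the other.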