bind 9.11.3 BIND9_FLATFILE update-policy

Andrew Bartlett abartlet at samba.org
Wed Oct 10 10:04:25 UTC 2018


On Wed, 2018-10-10 at 10:49 +0100, Rowland Penny via samba-technical
wrote:
> On Wed, 10 Oct 2018 12:40:03 +0300
> Sergey Urushkin via samba-technical <samba-technical at lists.samba.org>
> wrote:
> 
> > Attached.
> > 
> > ---
> > Best regards,
> > Sergey Urushkin
> > 
> > 
> > > Andrew Bartlett wrote 2018-10-10 08:13:
> > > On Fri, 2018-09-28 at 13:16 +0300, Sergey Urushkin via
> > > samba-technical wrote:
> > > > Andrew Bartlett wrote 2018-09-20 18:26:
> > > > > On Thu, 2018-09-20 at 17:46 +0300, Sergey Urushkin via
> > > > > samba-technical wrote:
> > > > > > Hello.
> > > > > > 
> > > > > > Bind 9.11.3 (shipped with ubuntu 18.04) has modifications that
> > > > > > prevent bind from starting with samba's update-policy config
> > > > > > file included (BIND9_FLATFILE backend):
> > > > > > 
> > > > > > https://gitlab.isc.org/isc-projects/bind9/commit/b329876bf1973bbf2ea9
> > > > > > 22aca0ba6eacf8ca9275
> > > > > > 
> > > > > > Error text:
> > > > > > named.conf.update:3: name field not set to placeholder value
> > > > > > '.'
> > > > > > 
> > > > > > This already was in the mail list:
> > > > > > https://lists.samba.org/archive/samba/2018-March/214738.html
> > > > > > 
> > > > > > This could be fixed by making a fixed copy of the config and
> > > > > > including it in BIND instead of the original:
> > > > > > sed 's/ms-self \* /ms-self . /' named.conf.update >
> > > > > > named.conf.update.static
> > > > > > 
> > > > > > The next patch fixes config generation for 9.11.3 and above:
> > > > > > --- a/source4/dsdb/dns/dns_update.c	2018-07-12
> > > > > > 11:23:36.000000000 +0300
> > > > > > +++ b/source4/dsdb/dns/dns_update.c	2018-09-20
> > > > > > 16:16:32.330242337 +0300
> > > > > > @@ -242,7 +242,7 @@
> > > > > >   		dprintf(fd, "%s\n",static_policies);
> > > > > >   		dprintf(fd, "/* End of static entries */\n");
> > > > > >   	}
> > > > > > -	dprintf(fd, "\tgrant %s ms-self * A AAAA;\n", realm);
> > > > > > +	dprintf(fd, "\tgrant %s ms-self . A AAAA;\n", realm);
> > > > > >   	dprintf(fd, "\tgrant Administrator@%s wildcard * A
> > > > > > AAAA SRV CNAME;\n",
> > > > > > realm);
> > > > > > 
> > > > > >   	for (i=0; i<dc_count; i++) {
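Review bot: the replacement line unconditionally emits the '.' placeholder in the ms-self grant, which the mail says BIND 9.11.3 requires but admits is untested against older versions; rather than hardcoding it, select the placeholder from the installed BIND version (named -V) or from a configurable setting, as the follow-up text itself proposes. The `grant Administrator@%s wildcard * A AAAA SRV CNAME;` line in the unchanged context two lines below still uses `*`; the error text quoted above does not say whether 9.11.3 also objects to that form, so confirm it before relying on this change alone.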
> > > > > > 
> > > > > > But this may not work with the older versions (not tested!).
> > > > > > If so, we should check the installed bind version on samba start
> > > > > > while generating the config (named -V) or get the right value
> > > > > > (* or .) from some other place (config file).
> > > > > > Another approach: since the config is pretty much static (at
> > > > > > least with
> > > > > > the current single-realm samba and it also doesn't honor real
> > > > > > 'Administrator' account name and even more widely - every
> > > > > > dns-administrator name), generate it on the provision
> > > > > > (python/samba/provision/sambadns.py) like we do for
> > > > > > named.conf.dlz and
> > > > > > just leave it as is with comments about BIND versions.
> > > > > 
> > > > > At this stage my preference would have been to remove the
> > > > > 'feature' entirely, given the limitations.  It causes a job to
> > > > > run frequently to fill in the file and trigger rndc reload even
> > > > > when Samba isn't using this, and this *may* be the cause of a
> > > > > crash or service outage on the bind side.  (Not yet pinned down).
> > > > > 
> > > > > We would prefer folks used the DLZ driver or the internal DNS,
> > > > > as these work with Microsoft and Samba admin tools etc.  I don't
> > > > > mind us generating the zone long-term but I think the rest is
> > > > > always going to be so site-specific anyway.
> > > > > 
> > > > > What do you think?
> > > > > 
> > > > > Andrew Bartlett
> > > > 
> > > > Agreed.
> > > > Here is the patch that adds generating update-policy at provision.
> > > > The second part should be removing named.conf.update code from
> > > > /source4/dsdb/dns/dns_update.c - but I didn't touch it, since I'm
> > > > not a
> > > > C specialist.
> > > 
> > > Can you make a full git commit with the signed-off-by and send in
> > > your DCO?  Sorry for the fuss, the details are in the contributing
> > > page in the wiki.
> > > 
> > > Thanks,
> > > 
> > > Andrew Bartlett
> 
> Sorry, but there is a line over 80 characters.
> 
> Also shouldn't we be removing flat files?

Sergey,

Can you fill us in on your use case here?

> If they work just like BIND9_DLZ, why was BIND9_DLZ written?

It certainly isn't nearly as good as the BIND9_DLZ, for example it
isn't replicated over DRS (but zone transfers would work) and ACLs are
not the same. 

I see some value in still having Samba template out the flat file, but
can't really justify the untested code here against my normal policy of
reducing our supported options and combinations.

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
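The version-dependent placeholder approach Sergey floats above (check `named -V`, then emit `.` or `*`) as an added example; this is not Samba code or part of the thread, it assumes `named -V` prints a line starting `BIND x.y.z`, and it only constructs the policy text rather than touching any running named:

```shell
#!/bin/sh
# Added example (not Samba's dns_update.c): choose the ms-self placeholder
# from the BIND version string and emit the update-policy grants the flat
# file backend needs. Threshold 9.11.3 is the one given in the mail; the
# "BIND x.y.z..." output format of `named -V` is an assumption.

# bind_placeholder VERSION_STRING -> prints "." for BIND >= 9.11.3, else "*"
bind_placeholder() {
    # Pull the leading major.minor.patch out of e.g. "BIND 9.11.3-1ubuntu1.2-Ubuntu (...)"
    ver=$(printf '%s\n' "$1" | sed -n \
        's/^BIND \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || { echo "unrecognised version string: $1" >&2; return 1; }
    set -- $ver
    maj=$1; min=$2; pat=$3
    if [ "$maj" -gt 9 ] || { [ "$maj" -eq 9 ] && [ "$min" -gt 11 ]; } || \
       { [ "$maj" -eq 9 ] && [ "$min" -eq 11 ] && [ "$pat" -ge 3 ]; }; then
        echo "."
    else
        echo "*"
    fi
}

# update_policy REALM PLACEHOLDER -> prints the update-policy block with the
# same two grant lines dns_update.c writes, placeholder substituted.
update_policy() {
    realm=$1; ph=$2
    printf 'update-policy {\n'
    printf '\tgrant %s ms-self %s A AAAA;\n' "$realm" "$ph"
    printf '\tgrant Administrator@%s wildcard * A AAAA SRV CNAME;\n' "$realm"
    printf '};\n'
}

# Constructed sample version strings; no named binary is executed here.
SAMPLE_NEW='BIND 9.11.3-1ubuntu1.2-Ubuntu (Extended Support Version) <id:constructed>'
SAMPLE_OLD='BIND 9.10.3-P4-Ubuntu <id:constructed>'

# Stand-alone run: generate the block for a constructed realm on each sample.
for v in "$SAMPLE_NEW" "$SAMPLE_OLD"; do
    ph=$(bind_placeholder "$v") || exit 1
    echo "# $v -> placeholder '$ph'"
    update_policy SAMDOM.EXAMPLE.COM "$ph"
done
```

On a real host, feed `"$(named -V | head -n 1)"` to `bind_placeholder` and run the result through `named-checkconf` before reloading.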