bind 9.11.3 BIND9_FLATFILE update-policy

Rowland Penny rpenny at samba.org
Wed Oct 10 10:23:12 UTC 2018


On Wed, 10 Oct 2018 23:04:25 +1300
Andrew Bartlett <abartlet at samba.org> wrote:

> On Wed, 2018-10-10 at 10:49 +0100, Rowland Penny via samba-technical
> wrote:
> > On Wed, 10 Oct 2018 12:40:03 +0300
> > Sergey Urushkin via samba-technical
> > <samba-technical at lists.samba.org> wrote:
> > 
> > > Attached.
> > > 
> > > ---
> > > Best regards,
> > > Sergey Urushkin
> > > 
> > > 
> > > Andrew Bartlett писал 2018-10-10 08:13:
> > > > On Fri, 2018-09-28 at 13:16 +0300, Sergey Urushkin via
> > > > samba-technical wrote:
> > > > > Andrew Bartlett писал 2018-09-20 18:26:
> > > > > > On Thu, 2018-09-20 at 17:46 +0300, Sergey Urushkin via
> > > > > > samba-technical wrote:
> > > > > > > Hello.
> > > > > > > 
> > > > > > > Bind 9.11.3 (shipped with ubuntu 18.04) has modifications
> > > > > > > that prevent
> > > > > > > bind from starting with samba's update-policy config file
> > > > > > > included (BIND9_FLATFILE backend):
> > > > > > > 
> > > > > > > https://gitlab.isc.org/isc-projects/bind9/commit/b329876bf1973bbf2ea922aca0ba6eacf8ca9275
> > > > > > > 
> > > > > > > Error text:
> > > > > > > named.conf.update:3: name field not set to placeholder
> > > > > > > value '.'
> > > > > > > 
> > > > > > > This was already on the mailing list:
> > > > > > > https://lists.samba.org/archive/samba/2018-March/214738.html
> > > > > > > 
> > > > > > > This could be fixed by making a fixed copy of the config
> > > > > > > and including
> > > > > > > it in BIND instead of the original:
> > > > > > > sed 's/ms-self \* /ms-self . /' named.conf.update >
> > > > > > > named.conf.update.static
> > > > > > > 
> > > > > > > The next patch fixes config generation for 9.11.3 and
> > > > > > > above: --- a/source4/dsdb/dns/dns_update.c
> > > > > > > 2018-07-12 11:23:36.000000000 +0300
> > > > > > > +++ b/source4/dsdb/dns/dns_update.c	2018-09-20
> > > > > > > 16:16:32.330242337 +0300
> > > > > > > @@ -242,7 +242,7 @@
> > > > > > >   		dprintf(fd, "%s\n",static_policies);
> > > > > > >   		dprintf(fd, "/* End of static entries
> > > > > > > */\n"); }
> > > > > > > -	dprintf(fd, "\tgrant %s ms-self * A AAAA;\n",
> > > > > > > realm);
> > > > > > > +	dprintf(fd, "\tgrant %s ms-self . A AAAA;\n",
> > > > > > > realm); dprintf(fd, "\tgrant Administrator@%s wildcard * A
> > > > > > > AAAA SRV CNAME;\n",
> > > > > > > realm);
> > > > > > > 
> > > > > > >   	for (i=0; i<dc_count; i++) {
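Review bot: the `grant %s ms-self` line in this hunk switches the name field from `*` to `.` unconditionally, while the covering message itself says this is untested on BIND releases before 9.11.3 and may break them; before merging, make the placeholder depend on the installed BIND version or a configuration setting, as the message proposes, rather than hard-coding `.` for every release. The hunk as pasted has also been re-wrapped by the mail client (`realm);` and the following `dprintf` now share a line, and the `---`/`+++` header is fused with the prose), so it will not apply with `git am`; please send it as an attachment or as a proper `git format-patch` commit with a Signed-off-by line.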
> > > > > > > 
> > > > > > > But this may not work with the older versions (not
> > > > > > > tested!). If so, we
> > > > > > > should check the installed bind version on the samba start
> > > > > > > while generating the config (named -V) or get the right
> > > > > > > value (* or .) from
> > > > > > > some other place (config file).
> > > > > > > Another approach: since the config is pretty much static
> > > > > > > (at least with
> > > > > > > the current single-realm samba and it also doesn't honor
> > > > > > > real 'Administrator' account name and even more widely -
> > > > > > > every dns-administrator name), generate it on the
> > > > > > > provision (python/samba/provision/sambadns.py) like we do
> > > > > > > for named.conf.dlz and
> > > > > > > just leave it as is with comments about BIND versions.
> > > > > > 
> > > > > > At this stage my preference would have been to remove the
> > > > > > 'feature' entirely, given the limitations.  It causes a job
> > > > > > to run frequently to fill in the file and trigger rndc
> > > > > > reload even when Samba isn't using this, and this *may* be
> > > > > > the cause of a crash or service outage on the bind side.
> > > > > > (Not yet pinned down).
> > > > > > 
> > > > > > We would prefer folks used the DLZ driver or the internal
> > > > > > DNS, as these work with Microsoft and Samba admin tools
> > > > > > etc.  I don't mind us generating the zone long-term but I
> > > > > > think the rest is always going to be so site-specific
> > > > > > anyway.
> > > > > > 
> > > > > > What do you think?
> > > > > > 
> > > > > > Andrew Bartlett
> > > > > 
> > > > > Agreed.
> > > > > Here is the patch that adds generating update-policy at
> > > > > provision. The second part should be removing
> > > > > named.conf.update code from /source4/dsdb/dns/dns_update.c -
> > > > > but I didn't touch it, since I'm not a
> > > > > C specialist.
> > > > 
> > > > Can you make a full git commit with the signed-off-by and send
> > > > in your DCO?  Sorry for the fuss, the details are in the
> > > > contributing page in the wiki.
> > > > 
> > > > Thanks,
> > > > 
> > > > Andrew Bartlett
> > 
> > Sorry, but there is a line over 80 characters.
> > 
> > Also shouldn't we be removing flat files ?
> 
> Sergey,
> 
> Can you fill us in on your use case here?
> 
> > If they work just like BIND9_DLZ, why was BIND9_DLZ written ??
> 
> It certainly isn't nearly as good as the BIND9_DLZ, 

That could be the understatement of the year ;-)

> for example it
> isn't replicated over DRS (but zone transfers would work) and ACLs are
> not the same.

So basically, it shouldn't be used.
> 
> I see some value in still having Samba template out the flat file, but

If it doesn't work properly, why ?

> can't really justify the untested code here against my normal policy
> of reducing our supported options and combinations.
> 

Totally agree

Rowland
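The two remedies discussed in the quoted messages, picking the ms-self placeholder by BIND version and rewriting an existing named.conf.update the way the sed one-liner does, as an added Python example (not Samba's or BIND's own code). Assumptions: `named -V` prints a banner starting with `BIND x.y.z`, Samba wraps the grants in an `update-policy { ... };` block, and 9.11.3 is the release where the placeholder changed, as the thread states.

```python
import re
import subprocess

# From the thread: BIND 9.11.3 and later reject '*' in the name field of an
# ms-self grant and require the placeholder '.'; older releases used '*'.
PLACEHOLDER_CHANGE = (9, 11, 3)


def parse_named_version(banner):
    """Return (major, minor, patch) from the output of 'named -V'.

    Assumption: the banner starts with 'BIND x.y.z' plus any vendor suffix,
    e.g. the constructed sample 'BIND 9.11.3-1ubuntu1 (Extended ...)'.
    """
    m = re.search(r"\bBIND\s+(\d+)\.(\d+)\.(\d+)", banner)
    if m is None:
        raise ValueError("no BIND version found in %r" % banner)
    return tuple(int(x) for x in m.groups())


def installed_named_version():
    """Run 'named -V' on this host; returns None when named is not installed."""
    try:
        out = subprocess.run(["named", "-V"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return parse_named_version(out.stdout)


def ms_self_placeholder(version):
    """Name-field placeholder for the ms-self grant on the given BIND version."""
    return "." if tuple(version) >= PLACEHOLDER_CHANGE else "*"


def render_update_policy(realm, version):
    """Render the two static grants shown in the quoted dns_update.c hunk.

    Assumption: Samba wraps them in an 'update-policy { ... };' block.
    """
    return ("update-policy {\n"
            "\tgrant %s ms-self %s A AAAA;\n"
            "\tgrant Administrator@%s wildcard * A AAAA SRV CNAME;\n"
            "};\n" % (realm, ms_self_placeholder(version), realm))


def fix_existing_policy(text):
    """Python form of the sed workaround from the thread, first match per line:
    sed 's/ms-self \\* /ms-self . /' named.conf.update > named.conf.update.static
    """
    return "".join(re.sub(r"ms-self \* ", "ms-self . ", line, count=1)
                   for line in text.splitlines(keepends=True))
```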
