bind 9.11.3 BIND9_FLATFILE update-policy

Andrew Bartlett abartlet at samba.org
Thu Sep 20 15:26:30 UTC 2018


On Thu, 2018-09-20 at 17:46 +0300, Sergey Urushkin via samba-technical wrote:
> Hello.
> 
> Bind 9.11.3 (shipped with ubuntu 18.04) has modifications that prevent
> bind from starting with samba's update-policy config file included
> (BIND9_FLATFILE backend):
> 
> https://gitlab.isc.org/isc-projects/bind9/commit/b329876bf1973bbf2ea922aca0ba6eacf8ca9275
> 
> Error text:
> named.conf.update:3: name field not set to placeholder value '.'
> 
> This already was in the mail list: 
> https://lists.samba.org/archive/samba/2018-March/214738.html
> 
> This could be fixed by making a fixed copy of the config and including
> it to BIND instead of the original:
> sed 's/ms-self \* /ms-self . /' named.conf.update > named.conf.update.static
> 
> The next patch fixes config generation for 9.11.3 and above:
> --- a/source4/dsdb/dns/dns_update.c	2018-07-12
> 11:23:36.000000000 +0300
> +++ b/source4/dsdb/dns/dns_update.c	2018-09-20
> 16:16:32.330242337 +0300
> @@ -242,7 +242,7 @@
>   		dprintf(fd, "%s\n",static_policies);
>   		dprintf(fd, "/* End of static entries */\n");
>   	}
> -	dprintf(fd, "\tgrant %s ms-self * A AAAA;\n", realm);
> +	dprintf(fd, "\tgrant %s ms-self . A AAAA;\n", realm);
>   	dprintf(fd, "\tgrant Administrator@%s wildcard * A AAAA SRV
> CNAME;\n", 
> realm);
> 
>   	for (i=0; i<dc_count; i++) {
> 
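Review bot: The switch from `*` to `.` in `"\tgrant %s ms-self * A AAAA;\n"` is unconditional, so on any BIND release that still expects `*` (the sender notes the older versions are untested) the generated named.conf.update would make named fail to start just as 9.11.3 does today with `*`. Suggest deriving the placeholder from the installed version (parse `named -V`, as proposed later in the mail) or from a smb.conf setting, and adding a comment next to the dprintf pointing at the ISC commit that introduced the `.` requirement, so the next reader knows why the name field is not a real name.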
> But this may not work with the older versions (not tested!). If so, we
> should check the installed bind version on the samba start while
> generating the config (named -V) or get the right value (* or .) from
> some other place (config file).
> Another approach: since the config is pretty much static (at least with
> the current single-realm samba, and it also doesn't honor the real
> 'Administrator' account name and, even more widely, every
> dns-administrator name), generate it on the provision
> (python/samba/provision/sambadns.py) like we do for named.conf.dlz and
> just leave it as is with comments about BIND versions.

At this stage my preference would have been to remove the 'feature'
entirely, given the limitations.  It causes a job to run frequently to
fill in the file and trigger rndc reload even when Samba isn't using
this, and this *may* be the cause of a crash or service outage on the
bind side.  (Not yet pinned down.)

We would prefer folks used the DLZ driver or the internal DNS, as these
work with Microsoft and Samba admin tools etc.  I don't mind us
generating the zone long-term but I think the rest is always going to
be so site-specific anyway.

What do you think?

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
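The thread above proposes two workarounds: rewrite the existing named.conf.update with sed, or pick the ms-self name field (`*` or `.`) from the installed BIND version reported by `named -V`. The following is an added example illustrating both ideas; it is not Samba's code and not part of the mail thread. It assumes the 9.11.3 threshold exactly as the post states it, treats the claim that older releases still need `*` as the post's own untested assumption, and wraps the grant lines in an `update-policy { ... };` block, which is also an assumption about the file layout; the per-DC entries that the real generator emits are left out, and the `named -V` sample strings are constructed.

```python
import re
import subprocess

# Threshold taken from the mailing-list post: BIND 9.11.3 rejects '*' as the
# ms-self name field and insists on the placeholder '.'.
BIND_DOT_PLACEHOLDER_SINCE = (9, 11, 3)

# `named -V` begins with a line such as "BIND 9.11.3-1ubuntu1.2-Ubuntu ...";
# only the leading numeric triple matters for the decision below.
_VERSION_RE = re.compile(r"BIND\s+(\d+)\.(\d+)\.(\d+)")


def parse_named_version(named_v_output):
    """Return (major, minor, patch) from `named -V` output, or None if absent."""
    m = _VERSION_RE.search(named_v_output)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def installed_named_version(named_path="named"):
    """Run `named -V` on this host and parse its version; None if that fails."""
    try:
        out = subprocess.run([named_path, "-V"], capture_output=True,
                             text=True, check=False).stdout
    except OSError:
        return None
    return parse_named_version(out)


def ms_self_placeholder(version):
    """Name field for the ms-self grant for a given BIND version tuple.

    Assumption (from the post, untested there): releases before 9.11.3 use '*'.
    An unknown version falls back to the modern '.' form.
    """
    if version is None:
        return "."
    return "." if version >= BIND_DOT_PLACEHOLDER_SINCE else "*"


def render_update_policy(realm, version):
    """Render the two grant lines shown in the thread for the chosen placeholder.

    The surrounding update-policy block is assumed; per-DC grants are omitted.
    """
    lines = [
        "update-policy {",
        "\tgrant %s ms-self %s A AAAA;" % (realm, ms_self_placeholder(version)),
        "\tgrant Administrator@%s wildcard * A AAAA SRV CNAME;" % realm,
        "};",
    ]
    return "\n".join(lines) + "\n"


def rewrite_ms_self_placeholder(config_text):
    """Apply the same substitution as the post's sed one-liner to an existing file."""
    return re.sub(r"ms-self \* ", "ms-self . ", config_text)


if __name__ == "__main__":
    # Constructed sample: what `named -V` prints on a Ubuntu 18.04 style build.
    sample = "BIND 9.11.3-1ubuntu1.2-Ubuntu (Extended Support Version) <id:a375815>"
    ver = parse_named_version(sample)
    print(render_update_policy("SAMDOM.EXAMPLE.COM", ver), end="")
```

`installed_named_version()` is the piece a startup hook would call; everything else is pure so it can be unit-tested against captured `named -V` strings without a BIND binary present. Because the fallback for an unparseable version is `.`, a host with a very old or unusual build would need the `*` form forced explicitly rather than silently guessed.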