bind 9.11.3 BIND9_FLATFILE update-policy

Rowland Penny rpenny at samba.org
Thu Sep 20 16:11:25 UTC 2018


On Thu, 20 Sep 2018 08:26:30 -0700
Andrew Bartlett via samba-technical <samba-technical at lists.samba.org>
wrote:

> On Thu, 2018-09-20 at 17:46 +0300, Sergey Urushkin via samba-technical
> wrote:
> > Hello.
> > 
> > Bind 9.11.3 (shipped with Ubuntu 18.04) has modifications that
> > prevent BIND from starting with Samba's update-policy config file
> > included (BIND9_FLATFILE backend):
> > 
> > https://gitlab.isc.org/isc-projects/bind9/commit/b329876bf1973bbf2ea9
> > 22aca0ba6eacf8ca9275
> > 
> > Error text:
> > named.conf.update:3: name field not set to placeholder value '.'
> > 
> > This already was in the mail list: 
> > https://lists.samba.org/archive/samba/2018-March/214738.html
> > 
> > This could be fixed by making a fixed copy of the config and
> > including it in BIND instead of the original:
> > sed 's/ms-self \* /ms-self . /' named.conf.update > named.conf.update.static
> > 
> > The following patch fixes config generation for 9.11.3 and above:
> > --- a/source4/dsdb/dns/dns_update.c	2018-07-12
> > 11:23:36.000000000 +0300
> > +++ b/source4/dsdb/dns/dns_update.c	2018-09-20
> > 16:16:32.330242337 +0300
> > @@ -242,7 +242,7 @@
> >   		dprintf(fd, "%s\n",static_policies);
> >   		dprintf(fd, "/* End of static entries */\n");
> >   	}
> > -	dprintf(fd, "\tgrant %s ms-self * A AAAA;\n", realm);
> > +	dprintf(fd, "\tgrant %s ms-self . A AAAA;\n", realm);
> >   	dprintf(fd, "\tgrant Administrator@%s wildcard * A AAAA
> > SRV CNAME;\n", 
> > realm);
> > 
> >   	for (i=0; i<dc_count; i++) {
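Review bot: the placeholder in the new `dprintf(fd, "\tgrant %s ms-self . A AAAA;\n", realm);` line is hard-coded, and the message itself says the '.' form is untested against BIND releases before 9.11.3 (the ISC commit linked above is what introduced the requirement). Before this is merged, either confirm that older named accepts '.' in the ms-self name field or make the value depend on the installed version (the named -V check suggested just after the patch), and emit a comment into named.conf.update next to this grant naming the BIND 9.11.3 requirement, so an admin who hits "name field not set to placeholder value '.'" can tell why the line is the way it is.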
> > 
> > But this may not work with older versions (not tested!). If so, we
> > should check the installed BIND version at Samba start while
> > generating the config (named -V), or get the right value (* or .)
> > from some other place (a config file).
> > Another approach: since the config is pretty much static (at least
> > with the current single-realm Samba; it also doesn't honor the real
> > 'Administrator' account name or, more widely, any DNS-administrator
> > name), generate it at provision time
> > (python/samba/provision/sambadns.py), as we do for named.conf.dlz,
> > and just leave it as is, with comments about BIND versions.
> 
> At this stage my preference would have been to remove the 'feature'
> entirely, given the limitations.  It causes a job to run frequently to
> fill in the file and trigger rndc reload even when Samba isn't using
> this, and this *may* be the cause of a crash or service outage on the
> bind side.  (Not yet pinned down.)
> 
> We would prefer folks used the DLZ driver or the internal DNS, as
> these work with Microsoft and Samba admin tools etc.  I don't mind us
> generating the zone long-term but I think the rest is always going to
> be so site-specific anyway.
> 
> What do you think?
> 
> Andrew Bartlett
> 

As far as I am aware, ever since Samba 4.0.0 was released, flat-files
weren't supported but were available because some old clients didn't
have a new enough version of Bind9.

So, rather than continue to paper over the cracks, why don't we just
remove the ability to use flat-files? Surely by now the old clients
will have gone away.

Rowland
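Sergey's suggestion above, to check `named -V` while generating the config and pick `*` or `.` accordingly, sketched as a POSIX sh example (added here, not Samba's own code and not the C change in the patch). It assumes that BIND 9.11.3 and later require `.`, that older releases keep the `*` Samba currently emits, and that the first line of `named -V` reads "BIND <version>..."; the sample `named -V` line and policy text in the test are constructed.

```sh
#!/bin/sh
# Added example, not Samba's own code: pick the update-policy name
# placeholder for the ms-self grant from the installed BIND version.
# Assumptions: BIND 9.11.3 and later require '.', and older releases keep
# the '*' that Samba's dns_update.c currently emits; `named -V` prints
# "BIND <version>..." on its first line.

# Succeed (exit 0) when dotted version $1 is >= dotted version $2,
# comparing numerically field by field (9.11.3 >= 9.11, 9.11.3 >= 9.9.5).
version_ge() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# Map a BIND version string to the ms-self name field ('.' or '*').
ms_self_placeholder() {
    if version_ge "$1" 9.11.3; then printf '.'; else printf '*'; fi
}

# Extract "9.11.3" from the first line of `named -V` output, dropping any
# packaging suffix such as "-1ubuntu1.1-Ubuntu (Extended Support Version)".
bind_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^BIND \([0-9][0-9.]*\).*/\1/p'
}

# Rewrite the ms-self grant lines of a named.conf.update read on stdin so
# the name field is placeholder $1; every other grant line is left alone.
rewrite_policy() {
    sed "s/ms-self [*.] /ms-self $1 /"
}

# Stand-alone use: report what the locally installed named expects, if any.
if command -v named >/dev/null 2>&1; then
    v=$(bind_version_from_output "$(named -V)")
    printf 'BIND %s wants: grant <realm> ms-self %s A AAAA;\n' \
        "$v" "$(ms_self_placeholder "$v")"
fi
```

Piping Samba's generated named.conf.update through `rewrite_policy "$(ms_self_placeholder "$v")"` gives the `named.conf.update.static` copy from the workaround, but chosen per installed version instead of hard-coded.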
