bind 9.11.3 BIND9_FLATFILE update-policy

L.P.H. van Belle belle at bazuin.nl
Fri Sep 21 07:05:24 UTC 2018


Hai, 

From a systems engineer's point of view:
Totally agree here. Just drop the flatfile, it has no use for samba in the future. 

Better to improve the current DLZ and its functions than having an old set that raises questions every time.
And it saves time chasing an old set of code, which is hardly (never) used. 


Greetz, 

Louis


> -----Original Message-----
> From: samba-technical 
> [mailto:samba-technical-bounces at lists.samba.org] On behalf of 
> Rowland Penny via samba-technical
> Sent: Thursday, 20 September 2018 18:11
> To: samba-technical at lists.samba.org
> CC: Andrew Bartlett
> Subject: Re: bind 9.11.3 BIND9_FLATFILE update-policy
> 
> On Thu, 20 Sep 2018 08:26:30 -0700
> Andrew Bartlett via samba-technical <samba-technical at lists.samba.org>
> wrote:
> 
> > On Thu, 2018-09-20 at 17:46 +0300, Sergey Urushkin via samba-technical
> > wrote:
> > > Hello.
> > > 
> > > Bind 9.11.3 (shipped with ubuntu 18.04) has modifications that
> > > prevent bind from starting with samba's update-policy config file
> > > included (BIND9_FLATFILE backend):
> > > 
> > > 
> > > https://gitlab.isc.org/isc-projects/bind9/commit/b329876bf1973bbf2ea922aca0ba6eacf8ca9275
> > > 
> > > Error text:
> > > named.conf.update:3: name field not set to placeholder value '.'
> > > 
> > > This was already on the mailing list: 
> > > https://lists.samba.org/archive/samba/2018-March/214738.html
> > > 
> > > This could be fixed by making a fixed copy of the config and
> > > including it in BIND instead of the original:
> > > sed 's/ms-self \* /ms-self . /' named.conf.update > named.conf.update.static
> > > 
> > > The next patch fixes config generation for 9.11.3 and above:
> > > --- a/source4/dsdb/dns/dns_update.c	2018-07-12
> > > 11:23:36.000000000 +0300
> > > +++ b/source4/dsdb/dns/dns_update.c	2018-09-20
> > > 16:16:32.330242337 +0300
> > > @@ -242,7 +242,7 @@
> > >   		dprintf(fd, "%s\n",static_policies);
> > >   		dprintf(fd, "/* End of static entries */\n");
> > >   	}
> > > -	dprintf(fd, "\tgrant %s ms-self * A AAAA;\n", realm);
> > > +	dprintf(fd, "\tgrant %s ms-self . A AAAA;\n", realm);
> > >   	dprintf(fd, "\tgrant Administrator@%s wildcard * A AAAA
> > > SRV CNAME;\n", 
> > > realm);
> > > 
> > >   	for (i=0; i<dc_count; i++) {
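Review bot: The replaced `dprintf` line emits the `.` placeholder for the ms-self rule unconditionally, while the surrounding message itself says this form is untested on BIND releases before 9.11.3, which expected `*`; since this file is generated at runtime, the placeholder could be chosen from a version check or a configuration value instead of being hardcoded, and a comment next to the `dprintf` should record which BIND versions accept `*` and which require `.`. The following `wildcard * A AAAA SRV CNAME` line in the context is left on `*`, so the hunk is consistent with the error text quoted above applying only to the ms-self rule; that distinction is worth stating in the commit message.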
> > > 
> > > But this may not work with the older versions (not tested!). If so,
> > > we should check the installed bind version on samba start while
> > > generating the config (named -V) or get the right value (* or .)
> > > from some other place (config file).
> > > Another approach: since the config is pretty much static (at least
> > > with the current single-realm samba, and it also doesn't honor the
> > > real 'Administrator' account name and, even more widely, every
> > > dns-administrator name), generate it on provision
> > > (python/samba/provision/sambadns.py) like we do for named.conf.dlz
> > > and just leave it as is with comments about BIND versions.
> > 
> > At this stage my preference would have been to remove the 'feature'
> > entirely, given the limitations.  It causes a job to run frequently to
> > fill in the file and trigger rndc reload even when Samba isn't using
> > this, and this *may* be the cause of a crash or service outage on the
> > bind side.  (Not yet pinned down). 
> > 
> > We would prefer folks used the DLZ driver or the internal DNS, as
> > these work with Microsoft and Samba admin tools etc.  I don't mind us
> > generating the zone long-term but I think the rest is always going to
> > be so site-specific anyway.
> > 
> > What do you think?
> > 
> > Andrew Bartlett
> > 
> 
> As far as I am aware, ever since Samba 4.0.0 was released, flat-files
> weren't supported but were available because some old clients didn't
> have a new enough version of Bind9.
> 
> So, rather than continue to paper over the cracks, why don't we just
> remove the ability to use flat-files. Surely by now the old clients
> will have gone away.
> 
> Rowland
> 
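The thread above proposes two fixes for the BIND 9.11.3 placeholder change: a `sed` rewrite of the generated `named.conf.update`, and checking the installed BIND version (`named -V`) before choosing `*` or `.`. The script below combines both, as an added example that is not code from the thread, from Samba, or from BIND. It assumes the first line of `named -V` starts with `BIND X.Y.Z`, treats 9.11.3 as the first release that requires `.` in the ms-self name field (as the quoted error message and commit indicate), and works on a constructed copy of the `update-policy` file rather than the live one. The version strings and the sample file are constructed inputs.

```shell
#!/bin/sh
# Added example: choose the ms-self name placeholder for BIND's
# update-policy from the installed BIND version and rewrite Samba's
# generated named.conf.update accordingly. Not Samba's or BIND's code.
# Assumption: BIND >= 9.11.3 requires '.', older releases expect '*'.

# Extract "X.Y.Z" from a `named -V` first line such as
# "BIND 9.11.3-1ubuntu1.2-Ubuntu (Extended Support Version)".
bind_version() {
    printf '%s\n' "$1" |
        sed -n 's/^BIND \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Succeed (exit 0) when version $1 is 9.11.3 or newer.
needs_dot_placeholder() {
    v="$1"
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}
    [ "$major" -gt 9 ] && return 0
    [ "$major" -lt 9 ] && return 1
    [ "$minor" -gt 11 ] && return 0
    [ "$minor" -lt 11 ] && return 1
    [ "$patch" -ge 3 ]
}

# Print '.' or '*' for the given `named -V` first line; fail if unparsable.
ms_self_placeholder() {
    ver=$(bind_version "$1")
    if [ -z "$ver" ]; then
        echo "cannot parse BIND version from: $1" >&2
        return 1
    fi
    if needs_dot_placeholder "$ver"; then printf '.'; else printf '*'; fi
}

# Read a generated update-policy file on stdin and emit it with the
# ms-self name field set to the right placeholder. Only the ms-self
# grant is touched; the wildcard grant keeps its '*'.
fix_update_policy() {
    placeholder=$(ms_self_placeholder "$1") || return 1
    sed "s/\(ms-self \)[*.]\( A AAAA\)/\1${placeholder}\2/"
}

# Constructed sample of the file Samba writes for the flatfile backend
# (realm name is a placeholder).
SAMPLE_UPDATE='update-policy {
	grant EXAMPLE.COM ms-self * A AAAA;
	grant Administrator@EXAMPLE.COM wildcard * A AAAA SRV CNAME;
};'

# Demo: in real use the first argument would be "$(named -V | head -n 1)".
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_UPDATE" |
        fix_update_policy "BIND 9.11.3-1ubuntu1.2-Ubuntu (constructed sample)"
fi
```

Run it as `sh fix-update-policy.sh --demo` to see the rewritten sample; to apply it to a real deployment, feed `named -V | head -n 1` as the argument and the generated file on stdin, writing the result to the static copy that `named.conf` includes, so the file Samba regenerates is never edited in place. Because the placeholder decision is a single function, the same logic can be dropped into the provision-time generator the thread suggests.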