[Samba] (S4) Neither AXFR nor authoritative nameserving available?

Andrew Bartlett abartlet at samba.org
Sun Dec 23 13:14:14 MST 2012


On Sun, 2012-12-23 at 14:20 -0500, Michael B. Trausch wrote:
> On 12/22/2012 05:44 AM, Andrew Bartlett wrote:
> > On Tue, 2012-12-18 at 11:58 -0500, Michael B. Trausch wrote:
> >> Hello all,
> >>
> >> I'd like to have redundant DNS in our setup.  But it seems that Samba 4
> >> does not yet support AXFR with its internal DNS server.  Alright, that's
> >> fine, so I figured I'd configure the system such that at the very least,
> >> a caching nameserver was sitting in front of it.  However, that doesn't
> >> work; the caching nameserver (BIND 9) returns SERVFAIL, apparently
> >> because Samba 4 isn't setting the authoritative bit on its DNS responses.
> >
> > That's odd.  Please file a bug, so Kai can look into it.
> 
> Well, I finally got it working, after an update.  Yay.  :)
> 
> I still don't have the ability for AXFR, though, it seems.  Is that 
> supported, or in-the-works?

Neither, at this stage.

> >> Is this a known issue, a configuration error on my part, or something
> >> entirely different altogether?
> >
> > You could run another Samba DC to get the redundant DNS.
> 
> I _could_... but I'm not there yet, and Samba seems to drop queries a 
> fair bit on a lightly-loaded (about 1 QPS) network; what I mean there is 
> that we've observed failure-to-resolve several times a day.  This seems 
> to have gone away now that we've turned off the forwarding option, and 
> are using BIND "in front" of Samba 4 as a caching/forwarding nameserver. 
>   I'll know more as the week goes by.
> 
> > Another option is to run the bind9 server and the dlz plugin.
> 
> I'd opted to not set this domain up that way because I figured it'd be 
> easier to manage if Samba handled the domain itself.  We could switch to 
> BIND for the server, but I have three questions there:
> 
> 1.  Can we switch from Samba 4 -> BIND without reprovisioning?

Yes.  See the samba_upgradedns script, which handles the switching
required between backends.

> 2.  Is there any loss of client-side functionality (e.g., the Microsoft
>      DNS tool)?

No.

> 3.  Are there any other downsides to using BIND over the internal Samba4
>      DNS?

The internal DNS is simpler, follows our internal handling of 'bind
interfaces' and starts up with the rest of Samba.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
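
The quoted report attributes BIND's SERVFAIL to replies that lack the authoritative (AA) bit. The following is an added example, not part of the original message and not Samba or BIND code: it decodes the DNS header of a reply and reports the AA bit and response code. The zone name and the sample replies are constructed for illustration.

```python
import struct

# Flag masks in the 16-bit DNS header flags word (RFC 1035, section 4.1.1).
QR, AA, RCODE_MASK = 0x8000, 0x0400, 0x000F
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=6, txid=0x4242):
    """Build a non-recursive query (RD clear); qtype 6 = SOA, class 1 = IN."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Decode the fixed 12-byte header; reject anything shorter."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    code = flags & RCODE_MASK
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rcode": RCODES.get(code, "RCODE%d" % code), "ancount": an}

def diagnose(query, response):
    """Classify a reply by the two fields the report is about: AA bit and RCODE."""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        return "not a reply to this query"
    if r["rcode"] != "NOERROR":
        return "error: " + r["rcode"]
    return "authoritative" if r["aa"] else "non-authoritative (AA clear)"

def with_flags(query, flags):
    """Constructed sample reply: echo the query with a different flags word."""
    return query[:2] + struct.pack("!H", flags) + query[4:]

# Constructed zone name; not taken from the thread.
QUERY = build_query("samdom.example.com")
SAMPLES = {
    "aa_set": with_flags(QUERY, 0x8400),    # QR + AA, NOERROR
    "aa_clear": with_flags(QUERY, 0x8000),  # QR only, NOERROR
    "servfail": with_flags(QUERY, 0x8002),  # QR, RCODE 2 (SERVFAIL)
}

if __name__ == "__main__":
    for label, reply in SAMPLES.items():
        print(label, "->", diagnose(QUERY, reply))
```

To check a live server, send the bytes from `build_query` over UDP to port 53 and pass the datagram that comes back to `diagnose`.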