[Samba] Internal DNS - TTL enforcement for dynamic updates

Dmitry Khromov icechrome at gmail.com
Thu Nov 1 02:40:51 MDT 2012

> > Samba 4 rc 3. I had noticed a strange behavior. If host creates a 
> > record, it won't be further updated until the record gets deleted 
> > manually. What could cause this?
> What updates are you expecting?

When a Windows DHCP client receives a lease, or when you manually issue the ipconfig /renew command, Windows sends out DNS messages (unsigned, then signed if needed) with the UPDATE opcode towards the NS specified in the NS field of the SOA, carrying the new IP address for the record. I expected Samba to behave like the MS DNS server and replace the old record with the new one.

> > Another question: how could the dynamically added record's TTL be 
> > enforced? For example, we have a user-based VLAN assignment in our 
> > networks. When Windows host boots, it authenticates with machine 
> > account and goes to one of the "parking" VLANs. Later, when the user
> > logs in, he gets a different VLAN and a different IP address. So, we
> > really want other DNS servers to not cache these records for too
> > long. Normally, this is done by modifying SOA record (and, as I
> > recall, Samba's internal DNS respects TTLs in SOA). But samba-tool
> > can't edit SOA records, MMC DNS snap-in fails to do it too.
> The TTL only affects caching decisions on the resolver side so the
> internal DNS actually doesn't do anything with the TTLs apart from
> serving them out with the record.

That's true. But you may specify an expire value for the whole zone in the SOA to force other DNS servers that provide clients with cached recursion to query the upstream NS again after the zone has expired, no matter what the TTL for individual records is - that is what I need.

> Now, if your clients register their DNS records, they get to pick the
> TTL of the entry themselves. This can probably be affected with a GPO
> somehow, but I don't know the AD stuff enough to know where to look.

When I googled last time, I had seen some Microsoft guys saying it's hardcoded. Not sure if that's true, but it looks like it, given the fact that Windows just creates a record with a TTL of 1200 seconds, even if the DHCP server gives a lease lasting only 10 seconds.

> I don't think the TTL of the SOA record should affect anything apart
> from how long resolvers cache the SOA record.

And that is what I need.

As a last resort one could modify the SOA record directly via LDAP (e.g. using ldbmodify). This is the method we currently use. One needs to change the dnsRecord attribute of DC=@ for the domain in question. In the LDIF, add: should appear before delete:, or Samba may become inoperable. Or just pkill samba and use ldbmodify on the .ldb directly.
http://msdn.microsoft.com/en-us/library/ee898781(prot.20).aspx describes the dnsRecord attribute data format
http://msdn.microsoft.com/en-us/library/cc448905(v=prot.20).aspx describes the SOA record format

Thank you!

Best regards,
Dmitry Khromov
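The LDAP workaround in the message above, worked through as an added example (not part of the original post or of Samba): it packs and unpacks the dnsRecord SOA layout from the linked MS-DNSP documents (little-endian header, big-endian TTL and SOA intervals, length-prefixed DNS_COUNT_NAME labels), rewrites only the expire interval, and emits an LDIF in which the add comes before the delete. The zone example.com, the DN and all field values are constructed for the example.

```python
import base64
import struct

DNS_TYPE_SOA = 6   # wType value for SOA in DNS_RPC_RECORD (MS-DNSP 2.3.2.2)
HDR = 24           # fixed DNS_RPC_RECORD header size in bytes

def count_name(name: str) -> bytes:
    """Encode a DNS_COUNT_NAME: total length, label count, length-prefixed labels, NUL."""
    labels = [l.encode() for l in name.rstrip(".").split(".")]
    raw = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return bytes([len(raw), len(labels)]) + raw

def build_soa_record(ttl, serial, refresh, retry, expire, minimum, mname, rname):
    """Build a dnsRecord value holding an SOA (Version 5, Rank 0xF0 = zone data)."""
    data = struct.pack(">IIIII", serial, refresh, retry, expire, minimum)
    data += count_name(mname) + count_name(rname)
    hdr = struct.pack("<HHBBHI", len(data), DNS_TYPE_SOA, 5, 0xF0, 0, serial)
    hdr += struct.pack(">I", ttl) + struct.pack("<II", 0, 0)   # TTL is big-endian
    return hdr + data

def soa_fields(blob):
    """Return (ttl, serial, refresh, retry, expire, minimum) from an SOA dnsRecord."""
    data_len, rtype = struct.unpack_from("<HH", blob, 0)
    if rtype != DNS_TYPE_SOA or len(blob) != HDR + data_len:
        raise ValueError("not a well-formed SOA dnsRecord value")
    (ttl,) = struct.unpack_from(">I", blob, 12)
    return (ttl,) + struct.unpack_from(">IIIII", blob, HDR)

def set_soa_expire(blob, new_expire):
    """Return a copy of the SOA dnsRecord with only the expire interval replaced."""
    soa_fields(blob)          # validates the layout before patching bytes
    off = HDR + 12            # serial, refresh and retry precede expire in SOA data
    return blob[:off] + struct.pack(">I", new_expire) + blob[off + 4:]

def modify_ldif(dn, old_blob, new_blob):
    """LDIF that adds the new value before deleting the old one, as the post advises."""
    enc = lambda b: base64.b64encode(b).decode()
    return (f"dn: {dn}\nchangetype: modify\n"
            f"add: dnsRecord\ndnsRecord:: {enc(new_blob)}\n-\n"
            f"delete: dnsRecord\ndnsRecord:: {enc(old_blob)}\n-\n")

if __name__ == "__main__":
    # Constructed sample: hypothetical zone example.com, expire lowered from 1 day to 2 hours.
    old = build_soa_record(3600, 42, 900, 600, 86400, 3600,
                           "dc1.example.com", "hostmaster.example.com")
    new = set_soa_expire(old, 7200)
    print(modify_ldif("DC=@,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,"
                      "DC=example,DC=com", old, new))
```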
