[Samba] internal dns server deletes and re-creates entries, leaving deleted objects

Andrew Bartlett abartlet at samba.org
Mon Oct 21 13:06:45 MDT 2013


On Mon, 2013-10-21 at 10:49 +0000, dahopkins at comcast.net wrote:
> > 
> > The number of records indicated in the last email was based on these lines that were returned during the failed samba join. This is the last line of that sequence.
> > 
> > Partition[DC=DomainDnsZones,DC=ncs,DC=k12,DC=de,DC=us] objects[94443/94443] linked_values[0/0]
> 
> >These are probably deleted DNS records.  Are you using the internal DNS
> >server or bind9_dlz?  Either way, find out if this is still growing, we
> >may have an issue we need to work on here. 
> 
> We are using the internal DNS server. We have two zones (10.179.0.0/19 and 10.186.0.0/19). After a period of time, DNS quits working on one of the servers and at that point authentication (using nslcd/nscd from our linux systems, and we get RPC errors on our Windows domain members) using that server also seems to fail. How can we test if this is still growing? 
> 
> Sincerely,
> Dave Hopkins

Simply check the number of records in the database, say by ldbsearch
--show-deleted -s sub -b DC=DomainDnsZones,DC=ncs,DC=k12,DC=de,DC=us 

This looks very much like what Amitay fixed for the BIND9_DLZ backend
in:

commit 169db333033b72b6f9ac1e7b23f0f2c151218c1f
Author: Amitay Isaacs <amitay at gmail.com>
Date:   Thu Feb 9 10:17:02 2012 +1100

    dlz_bind9: Do not remove LDB record in subrdataset and delrdataset
    
    This fixes the problem of large number of deleted records in DNS
    partitions due to frequent dynamic dns updates from windows
    clients. The typical pattern for dynamic update get converted
    into subrdataset() followed by addrdataset().  If there are no
    dnsRecord attributes left as a result of sub/delrdataset(),
    leave the LDB entry for dns name as is. The subsequent
    addrdataset() would add the dnsRecord attribute without
    re-creating the same entry.

Do you know if for your use case, the internal DNS server, did it only
start happening after this commit?

This code has logic that shouldn't delete an object when just changing
its IP, but perhaps something else is wrong.  I've CC'ed Kai, the
maintainer of the internal DNS server.

commit 673678474791d2f71ba7d8d0f73e20b2a974ae9a
Author: Kai Blin <kai at samba.org>
Date:   Sat Jun 1 10:24:11 2013 +0200

    dns: Delete dnsNode objects when they are empty
    
    If an update leaves the dnsNode without any entries, the dnsNode object
    should be deleted. Thanks to Günter Kukkukk for his excellent debugging
    work on this one.
    
    This should fix bug #9559
    
    Signed-off-by: Kai Blin <kai at samba.org>
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 8b24c43b382740106474e26dec59e1419ba77306)
    
    The last 3 patches address bug #9559 - Only initial signed DNS update for a 
    works.
    
    Autobuild-User(v4-0-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-0-test): Mon Jun  3 14:16:16 CEST 2013 on sn-devel-104

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
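The check suggested in the reply above (count the objects under the DomainDnsZones partition with deleted ones shown, then see whether that count keeps growing) can be scripted so it can be re-run from cron and compared between runs. The script below is an added example written for this post; it is not Samba's own tooling and did not appear in the thread. It parses the LDIF that ldbsearch prints, counts live dnsNode objects, deleted ones, and live nodes that have no dnsRecord left, and reports the change in the deleted count between two snapshots. The base DN is the one from the thread; the sam.ldb path, the LDAP filter, and the sample LDIF text are assumptions or constructed data.

```python
"""Count live / deleted / empty dnsNode objects in a Samba DNS partition
from `ldbsearch --show-deleted` output and report growth between snapshots.

Added example for this thread, not Samba's own code.  Assumptions:
  - DB_PATH is where sam.ldb lives on this install (adjust as needed);
  - deleted objects carry 'isDeleted: TRUE', as Samba's ldb emits them;
  - SAMPLE_LDIF is constructed to look like ldbsearch output; not real data.
"""
import re
import subprocess
from typing import Dict, List

BASE_DN = "DC=DomainDnsZones,DC=ncs,DC=k12,DC=de,DC=us"  # partition from the thread
DB_PATH = "/usr/local/samba/private/sam.ldb"              # assumed location

# Constructed sample: one live node with a record, one deleted node (moved under
# CN=Deleted Objects with the \0ADEL: RDN suffix), one live node with no record.
SAMPLE_LDIF = """# record 1
dn: DC=host1,DC=ncs.k12.de.us,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ncs,DC=k12,DC=de,DC=us
objectClass: top
objectClass: dnsNode
name: host1
dnsRecord:: AAA=

# record 2
dn: DC=host2\\0ADEL:2b0a1c3e-0000-4000-8000-000000000002,CN=Deleted Objects,DC=DomainDnsZones,DC=ncs,DC=k12,DC=de,DC=us
objectClass: top
objectClass: dnsNode
name: host2\\0ADEL:2b0a1c3e-0000-4000-8000-000000000002
isDeleted: TRUE

# record 3
dn: DC=host3,DC=ncs.k12.de.us,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ncs,DC=k12,DC=de,DC=us
objectClass: top
objectClass: dnsNode
name: host3

# returned 3 records
# 3 entries
# 0 referrals
"""


def _unfold(block: str) -> List[str]:
    """Join LDIF continuation lines (leading space) onto the previous line."""
    out: List[str] = []
    for line in block.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_ldif_counts(ldif: str) -> Dict[str, int]:
    """Return counts of live, deleted and empty-but-live dnsNode entries."""
    counts = {"live": 0, "deleted": 0, "empty_live": 0}
    for block in re.split(r"\n\s*\n", ldif.strip()):
        lines = [l for l in _unfold(block) if not l.startswith("#")]
        if not any(l.startswith("dn:") for l in lines):
            continue  # comment-only block, e.g. the "# returned N records" trailer
        attrs: Dict[str, List[str]] = {}
        for l in lines:
            if ":" not in l:
                continue
            key, _, value = l.partition(":")
            # "attr:: base64" also lands here; the leading ':' is stripped
            attrs.setdefault(key.strip(), []).append(value.lstrip(": ").strip())
        if attrs.get("isDeleted", [""])[0].upper() == "TRUE":
            counts["deleted"] += 1
        else:
            counts["live"] += 1
            if "dnsRecord" not in attrs:
                counts["empty_live"] += 1  # node left behind with no records
    return counts


def deleted_growth(prev: Dict[str, int], cur: Dict[str, int]) -> int:
    """Positive means deleted objects accumulated between the two snapshots."""
    return cur["deleted"] - prev["deleted"]


def run_ldbsearch(db: str = DB_PATH, base: str = BASE_DN) -> str:
    """Run the check from the thread against a live sam.ldb (not used offline)."""
    cmd = ["ldbsearch", "-H", db, "--show-deleted", "-s", "sub", "-b", base,
           "(objectClass=dnsNode)", "isDeleted", "dnsRecord"]  # filter is assumed
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    snapshot = parse_ldif_counts(SAMPLE_LDIF)
    print("live=%(live)d deleted=%(deleted)d empty_live=%(empty_live)d" % snapshot)
```

Run it once, store the printed counts, run it again after a few hours of normal dynamic-update traffic, and compare with deleted_growth(); a deleted count that climbs steadily while the live count stays flat is the pattern both commits quoted above were written to address. To check a real DC, replace SAMPLE_LDIF with the string returned by run_ldbsearch().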