[Samba] DNS issues after FSMO seize

Rowland penny rpenny at samba.org
Tue Apr 5 09:33:02 UTC 2016


On 05/04/16 09:33, mathias dufresne wrote:
>
>
> 2016-04-04 14:20 GMT+02:00 Rowland penny <rpenny at samba.org>:
>
>     On 04/04/16 10:23, mathias dufresne wrote:
>
>         SOA means "this DNS server can modify the zone".
>
>
>     No it doesn't, it stands for 'Start Of Authority' and contains who
>     to contact for the domain records.
>
>
> Rowland... thank you again Captain Obvious. Yes, SOA means Start Of 
> Authority, but I took the time to explain it, to clarify things which 
> are clear to everyone.

You might not believe it, but there are people who don't know what SOA 
means, so whilst you knew what you meant, there will have been others 
who didn't.

> Now why, when you want to update DNS, do you need to find the SOA? 
> Because they are the name servers which can write the zone. With Bind 
> and no DLZ it's the master; with DLZ it's all the name servers you 
> configured to be able to modify the zone.

Can I point out that you shouldn't use Bind with flat files, they do not 
replicate, or will this upset you?

>
>         Using Bind-DLZ all DNS servers can modify the AD zones, they
>         all reply "I
>         am the SOA" when you ask them about SOA for AD zones.
>
>
>     Sorry, but this, as standard, isn't correct, unless you add the
>     other DC NS records to the SOA, only the first DC is in the SOA.
>
>
> You didn't even try! You come here to tell me I'm wrong and you didn't 
> even take the time to verify! Stop answering me if you don't know what 
> you are talking about. Thank you.

I do know what I am talking about, I at least have tested this.

>
> Here is a test I did for you to start to understand DNS better and 
> perhaps stop saying stupid things:
>
> This server, dns20, uses itself as a resolver.
> When asking for NS, there are two: dc200 and dc100.
> When asking for SOA there is one: the name server which replied; it 
> replied "I am SOA".
>
> In the AD DB the SOA is dc200, which is my FSMO.
>
> dns20:~# dig ad.dgfip.finances.gouv.fr -t NS
>
> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.1 <<>> ad.dgfip.finances.gouv.fr -t NS
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2556
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;ad.dgfip.finances.gouv.fr.        IN      NS
>
> ;; ANSWER SECTION:
> ad.dgfip.finances.gouv.fr. 900     IN      NS      dc200.ad.dgfip.finances.gouv.fr.
> ad.dgfip.finances.gouv.fr. 900     IN      NS      dc100.ad.dgfip.finances.gouv.fr.
>
> ;; Query time: 1 msec
> ;; SERVER: 10.156.32.99#53(10.156.32.99)
> ;; WHEN: mar. avril 05 10:16:53 CEST 2016
> ;; MSG SIZE  rcvd: 94
>
> dns20:~# dig ad.dgfip.finances.gouv.fr -t SOA
>
> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.1 <<>> ad.dgfip.finances.gouv.fr -t SOA
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58991
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;ad.dgfip.finances.gouv.fr.        IN      SOA
>
> ;; ANSWER SECTION:
> ad.dgfip.finances.gouv.fr. 3600    IN      SOA     dns20.ad.dgfip.finances.gouv.fr. hostmaster.ad.dgfip.finances.gouv.fr. 462 900 600 86400 3600
>
> ;; AUTHORITY SECTION:
> ad.dgfip.finances.gouv.fr. 900     IN      NS      dc100.ad.dgfip.finances.gouv.fr.
> ad.dgfip.finances.gouv.fr. 900     IN      NS      dc200.ad.dgfip.finances.gouv.fr.
>
> ;; Query time: 1 msec
> ;; SERVER: 10.156.32.99#53(10.156.32.99)
> ;; WHEN: mar. avril 05 10:16:58 CEST 2016
> ;; MSG SIZE  rcvd: 147
>
> Same test on dc102; I don't search again for NS as the reply doesn't 
> change. It changes only for SOA.
>
> dc102:~# dig -t SOA ad.dgfip.finances.gouv.fr
>
> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.1 <<>> -t SOA ad.dgfip.finances.gouv.fr
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21947
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;ad.dgfip.finances.gouv.fr.        IN      SOA
>
> ;; ANSWER SECTION:
> ad.dgfip.finances.gouv.fr. 3600    IN      SOA     dc102.ad.dgfip.finances.gouv.fr. hostmaster.ad.dgfip.finances.gouv.fr. 462 900 600 86400 3600
>
> ;; AUTHORITY SECTION:
> ad.dgfip.finances.gouv.fr. 900     IN      NS      dc100.ad.dgfip.finances.gouv.fr.
> ad.dgfip.finances.gouv.fr. 900     IN      NS      dc200.ad.dgfip.finances.gouv.fr.
>
> ;; Query time: 1 msec
> ;; SERVER: 10.154.102.166#53(10.154.102.166)
> ;; WHEN: mar. avril 05 10:22:23 CEST 2016
> ;; MSG SIZE  rcvd: 147
>
>

All this shows is that you have added the second DC's NS record to the SOA.

>
>         Using Internal DNS I expect all DNS servers can modify the AD
>         zones also
>         (that's internal stuff) but even if they can modify the AD
>         zone locally
>         that's is not the process chosen by Samba Team. Samba Internal
>         DNS relies
>         on DB content to reply to SOA query and there is only one SOA
>         in the DB.
>         So with internal DNS you will have always only one SOA.
>
>
>     As standard this is true, but you can add the DC records to the
>     SOA record in AD and then Bind dlz will show each DC as being the
>     owner of the SOA, but as you say, the internal DNS doesn't.
>
>
> Yes internal does not follow standard.

Again I agree with you here.

>
>
>         This is an issue because if your SOA is down and some DC has
>         DNS updates to
>         send, updates will fail because no SOA available.
>         And when seizing roles because you are about to remove old
>         FSMO, that's the
>         same: once the FSMO is removed no more SOA to apply DNS
>         updates on.
>
>
>     The problem isn't if you remove a DC, it is that, as standard,
>     there is only one NS in the SOA.
>
>
> Missed. SOA has nothing to do with NS. I could write out the 
> difference again, but you don't trust me. If I don't say the same as 
> you, I'm wrong (until I show the contrary).

I thought we agreed what SOA means, 'Start Of Authority', and what it 
contains, the nameserver (NS) to contact for the domain records, so how 
can this have nothing to do with 'NS' ????

>
> As internal does not follow standard, it must move SOA at some moments 
> (hard to define all because conditional behaviour).

Sorry, but I do not understand that last statement.

>
>
>
>         For me, I can be wrong, this behaviour comes from the fact
>         Samba uses
>         "nsupdate" command to push DNS updates. nsupdate comes from
>         Bind tools
>         suite, as it is bind tool it follows the protocol. And the
>         protocol says
>         "updates can be pushed only on SOA". So nsupdate first ask the
>         zone to be
>         modified what is the SOA to push updates on that server.
>
>
>     I don't think the problem is with 'nsupdate', I think it is with
>     the way the internal DNS uses the SOA.
>
>
> You who don't seem to test much, do you run a tcpdump when using 
> nsupdate -g /path/to/file.generated_by_samba_dnsupdate?
> If you did that you would have seen the first action of nsupdate is to 
> find the SOA (because SOA is or are the place(s) to push changes).

No, I don't, but then that is probably because I don't have any problems 
with DHCP & DNS. Also SOA isn't the place to push changes, it is the 
place that tells you where to push changes.

>
>
>         IMHO this should be managed by Samba itself rather than
>         relying on Samba
>         admins DNS knowledge.
>         Samba Internal DNS should be able to push update locally and
>         Samba internal
>         DNS should answer "I am SOA" as they can push DNS updates
>         locally (they
>         have access to the DB, they can push updates, even if this
>         needs to write
>         some code).
>
>
>     Totally agree with you, do you want to write this code ?
>
>
> No.

OK, just thought I would ask.

>
>         Or samba_dnsupdate should not use by default nsupdate from
>         bind tools when
>         using internal DNS but rather use "samba-tool dns ..." which
>         pushes updates
>         locally.
>
>
>     Do you mean like archlinux did with dhcp ?
>
>
> dhcp on archlinux has some dependency on samba4 in AD mode? I didn't 
> notice that... Because for dhcp to start to use samba_dnsupdate or 
> samba-tool there is certainly some work to do in dhcp code...

Here again you are wrong, for a long time DHCP has had the ability to 
run a script when updating a dhcp lease. I have been using this for 
about 4 years now and it just works, my script uses 'nsupdate', 
Archlinux had a similar script, but theirs used samba-tool.


>
> I'm joking but seriously, I don't see any relation between arch, dhcp 
> and samba tools, so I don't see the point of that question.

Well obviously you don't, because you never went looking for them.

>
>     And before you start thinking I am trying to put you down, I am
>     not, I am just pointing out what *I* see as mistakes. If you have
>     any problems with what I write, provide proof of where I am wrong
>     and I will apologise.
>
>
> I think I did. For both: being p****d off in the morning and giving you 
> explanations.

I see no reason to apologise yet, come up with valid proof that what I 
am saying is wrong and I will.

Can you also please moderate your language.

Rowland
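The disagreement above comes down to one checkable fact: which host each DNS server names as the SOA MNAME, and whether that host is one of the zone's NS records. A dynamic-update client such as nsupdate (RFC 2136) looks up the zone's SOA and sends its update to the MNAME, so an admin who is about to demote or seize roles from a DC wants to know beforehand whether any server still points clients at it. The script below is an added example, not code from this thread or from Samba: it parses the answer and authority sections of `dig` output, builds the NS set, and reports per queried server the advertised MNAME, whether it is a listed NS, and whether all servers agree on a single master. The sample input is constructed from the two dig answers quoted in the thread (link residue stripped); in real use you would feed it output captured with `dig @<dc> <zone> SOA` from each DC. The function and field names are my own.

```python
"""Audit the SOA MNAME each DNS server of an AD zone advertises.

Added example (not from the thread or from Samba). Parses dig output,
collects the zone's NS set, and checks where an RFC 2136 dynamic-update
client following the SOA MNAME would be sent.
"""
from typing import Dict, List, Tuple

ZONE = "ad.dgfip.finances.gouv.fr"

# Constructed sample input: the record lines of the dig answers quoted in
# the thread. Replace with real `dig @server zone SOA` output in practice.
NS_ANSWER = """\
;; ANSWER SECTION:
ad.dgfip.finances.gouv.fr. 900 IN NS dc200.ad.dgfip.finances.gouv.fr.
ad.dgfip.finances.gouv.fr. 900 IN NS dc100.ad.dgfip.finances.gouv.fr.
"""

SOA_ANSWERS = {
    "dns20": """\
;; ANSWER SECTION:
ad.dgfip.finances.gouv.fr. 3600 IN SOA dns20.ad.dgfip.finances.gouv.fr. hostmaster.ad.dgfip.finances.gouv.fr. 462 900 600 86400 3600
;; AUTHORITY SECTION:
ad.dgfip.finances.gouv.fr. 900 IN NS dc100.ad.dgfip.finances.gouv.fr.
ad.dgfip.finances.gouv.fr. 900 IN NS dc200.ad.dgfip.finances.gouv.fr.
""",
    "dc102": """\
;; ANSWER SECTION:
ad.dgfip.finances.gouv.fr. 3600 IN SOA dc102.ad.dgfip.finances.gouv.fr. hostmaster.ad.dgfip.finances.gouv.fr. 462 900 600 86400 3600
;; AUTHORITY SECTION:
ad.dgfip.finances.gouv.fr. 900 IN NS dc100.ad.dgfip.finances.gouv.fr.
ad.dgfip.finances.gouv.fr. 900 IN NS dc200.ad.dgfip.finances.gouv.fr.
""",
}


def canon(name: str) -> str:
    """Normalise a DNS name: lower-case, no trailing dot."""
    return name.lower().rstrip(".")


def parse_records(dig_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (owner, type, rdata fields) for each record line in dig output.

    dig prints records as: owner ttl class type rdata...  Lines starting
    with ';' are comments or section headers and are skipped.
    """
    records = []
    for raw in dig_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue
        records.append((canon(fields[0]), fields[3], fields[4:]))
    return records


def ns_set(dig_text: str, zone: str) -> set:
    """Names of all NS records for `zone` found in the output."""
    return {canon(rdata[0]) for owner, rtype, rdata in parse_records(dig_text)
            if rtype == "NS" and owner == canon(zone)}


def soa_mname_serial(dig_text: str, zone: str) -> Tuple[str, int]:
    """(MNAME, serial) from the zone's SOA; rdata is
    MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM."""
    for owner, rtype, rdata in parse_records(dig_text):
        if rtype == "SOA" and owner == canon(zone):
            return canon(rdata[0]), int(rdata[2])
    raise ValueError(f"no SOA record for {zone} in dig output")


def audit(zone: str, ns_text: str, soa_texts: Dict[str, str]) -> dict:
    """Compare the SOA each server advertises against the zone's NS set."""
    nameservers = ns_set(ns_text, zone)
    servers = {}
    for server, text in soa_texts.items():
        mname, serial = soa_mname_serial(text, zone)
        servers[server] = {
            "mname": mname,
            "serial": serial,
            # would an RFC 2136 client be sent to a listed name server?
            "mname_is_ns": mname in nameservers,
            # does the server name itself as master (the per-server answer
            # described in the thread)?
            "names_itself": mname.split(".")[0] == server.lower(),
        }
    return {
        "ns": nameservers,
        "servers": servers,
        "single_master": len({s["mname"] for s in servers.values()}) == 1,
        "serials_agree": len({s["serial"] for s in servers.values()}) == 1,
    }


def affected_if_removed(report: dict, host: str) -> List[str]:
    """Servers whose advertised MNAME is `host`: clients resolving through
    them would send dynamic updates to a host that is gone."""
    host = canon(host)
    return sorted(s for s, i in report["servers"].items() if i["mname"] == host)


if __name__ == "__main__":
    rep = audit(ZONE, NS_ANSWER, SOA_ANSWERS)
    print("NS set:", sorted(rep["ns"]))
    for srv, info in rep["servers"].items():
        print(f"{srv}: MNAME={info['mname']} serial={info['serial']} "
              f"mname_in_ns={info['mname_is_ns']} names_itself={info['names_itself']}")
    print("single master:", rep["single_master"], "| serials agree:", rep["serials_agree"])
    print("affected if dc102 removed:", affected_if_removed(rep, "dc102." + ZONE))
```

On the thread's sample data the audit reports that the two queried servers each name themselves as MNAME, that neither MNAME is in the zone's NS set (dc100, dc200), and that the serials agree; run against every DC before a role seizure, an empty `affected_if_removed` list for the DC being removed is the result you want to see.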
