[Samba] DNS issues after FSMO seize

mathias dufresne infractory at gmail.com
Tue Apr 5 12:57:25 UTC 2016


I am resending this mail because I sent it to Rowland only. No change to my
previous response, even if the tone could have been different: I was really
angry to receive a mail telling me I'm wrong without any information or
explanation of what I was wrong about. I am wrong really often, that's not the
point, I can manage that. The point is the lack of explanation, when the
purpose of mailing is exchange, knowledge exchange.

2016-04-05 11:33 GMT+02:00 Rowland penny <rpenny at samba.org>:

> On 05/04/16 09:33, mathias dufresne wrote:
>
>>
>>
>> 2016-04-04 14:20 GMT+02:00 Rowland penny <rpenny at samba.org <mailto:
>> rpenny at samba.org>>:
>>
>>     On 04/04/16 10:23, mathias dufresne wrote:
>>
>>         SOA means "this DNS server can modify the zone".
>>
>>
>>     No it doesn't, it stands for 'Start Of Authority' and contains who
>>     to contact for the domain records.
>>
>>
>> Rowland... thank you again, Captain Obvious. Yes, SOA means Start Of
>> Authority, but I took the time to explain, to clarify things which are
>> clear for everyone.
>>
>
> You might not believe it, but there are people who don't know what SOA
> means, so whilst you knew what you meant, there will have been others who
> didn't.
>

You try to moderate your words. If someone thought SOA stands for "this DNS
server can modify the zone", where no word starts with S, O or A, I can't
do anything for them.


>
>> Now, why do you need to find the SOA when you want to update DNS? Because
>> they are the name servers which can write the zone. With Bind and no DLZ
>> it's the master; with DLZ it's all the name servers you configured to be
>> able to modify the zone.
>>
>
> Can I point out that you shouldn't use Bind with flat files, they do not
> replicate, or will this upset you?
>

Obvious and useless. Obvious because we can't use flat files easily (for
those who have read a little about Samba AD). Useless because that is not the
point. The point is still to make the difference between SOA and NS, and also
to make both notions clearer in some minds, especially yours.


>
>>         Using Bind-DLZ all DNS servers can modify the AD zones; they
>>         all reply "I am the SOA" when you ask them about SOA for AD zones.
>>
>>
>>     Sorry, but this, as standard, isn't correct, unless you add the
>>     other DC NS records to the SOA, only the first DC is in the SOA.
>>
>>
>> You didn't even try! You come here telling me I'm wrong and you didn't
>> even take the time to verify! Stop answering me if you don't know what
>> you are speaking about. Thank you.
>>
>
> I do know what I am talking about, I at least have tested this.
>

Perhaps you were speaking about the SOA in the database. I spoke about the SOA
outside the DB, how it is used.


>
>
>> Here is a test I did so you start to understand DNS better and perhaps
>> stop saying stupid things:
>>
>> This server, dns20, uses itself as resolver.
>> When asking for NS, there are two: dc200 and dc100.
>> When asking for SOA there is one: the name server which replied; it replied
>> "I am SOA".
>>
>> In the AD DB the SOA is dc200, which is my FSMO.
>>
>> dns20:~# dig ad.dgfip.finances.gouv.fr -t NS
>>
>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.1 <<>> ad.dgfip.finances.gouv.fr -t NS
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2556
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>> ;; WARNING: recursion requested but not available
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;ad.dgfip.finances.gouv.fr.     IN      NS
>>
>> ;; ANSWER SECTION:
>> ad.dgfip.finances.gouv.fr. 900  IN      NS dc200.ad.dgfip.finances.gouv.fr.
>> ad.dgfip.finances.gouv.fr. 900  IN      NS dc100.ad.dgfip.finances.gouv.fr.
>>
>> ;; Query time: 1 msec
>> ;; SERVER: 10.156.32.99#53(10.156.32.99)
>> ;; WHEN: mar. avril 05 10:16:53 CEST 2016
>> ;; MSG SIZE  rcvd: 94
>>
>> dns20:~# dig ad.dgfip.finances.gouv.fr -t SOA
>>
>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.1 <<>> ad.dgfip.finances.gouv.fr -t SOA
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58991
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
>> ;; WARNING: recursion requested but not available
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;ad.dgfip.finances.gouv.fr.     IN      SOA
>>
>> ;; ANSWER SECTION:
>> ad.dgfip.finances.gouv.fr. 3600 IN      SOA dns20.ad.dgfip.finances.gouv.fr. hostmaster.ad.dgfip.finances.gouv.fr. 462 900 600 86400 3600
>>
>> ;; AUTHORITY SECTION:
>> ad.dgfip.finances.gouv.fr. 900  IN      NS dc100.ad.dgfip.finances.gouv.fr.
>> ad.dgfip.finances.gouv.fr. 900  IN      NS dc200.ad.dgfip.finances.gouv.fr.
>>
>> ;; Query time: 1 msec
>> ;; SERVER: 10.156.32.99#53(10.156.32.99)
>> ;; WHEN: mar. avril 05 10:16:58 CEST 2016
>> ;; MSG SIZE  rcvd: 147
>>
>> Same test on dc102; I don't query again for NS as the reply doesn't
>> change. It changes only for SOA.
>>
>> dc102:~# dig -t SOA ad.dgfip.finances.gouv.fr
>>
>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.1 <<>> -t SOA ad.dgfip.finances.gouv.fr
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21947
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
>> ;; WARNING: recursion requested but not available
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;ad.dgfip.finances.gouv.fr.     IN      SOA
>>
>> ;; ANSWER SECTION:
>> ad.dgfip.finances.gouv.fr. 3600 IN      SOA dc102.ad.dgfip.finances.gouv.fr. hostmaster.ad.dgfip.finances.gouv.fr. 462 900 600 86400 3600
>>
>> ;; AUTHORITY SECTION:
>> ad.dgfip.finances.gouv.fr. 900  IN      NS dc100.ad.dgfip.finances.gouv.fr.
>> ad.dgfip.finances.gouv.fr. 900  IN      NS dc200.ad.dgfip.finances.gouv.fr.
>>
>> ;; Query time: 1 msec
>> ;; SERVER: 10.154.102.166#53(10.154.102.166)
>> ;; WHEN: mar. avril 05 10:22:23 CEST 2016
>> ;; MSG SIZE  rcvd: 147
>>
>>
>>
> All this shows is that you have added the second DC's NS record to the SOA
>


No. It shows I had 2 NS declared, dc100 and dc200, and it shows dc102
considers itself as SOA, as does dns20; both are not declared as NS, nor SOA.
I'll develop that later, I must go in a few minutes...

And as I'm back:
Explanation:
I don't remember how to extract the SOA LDAP object from the AD DB, but I think
we would agree that the SOA references only one DC. Perhaps it can also include
several NS referencing several DCs as NS, but still: one SOA.

In the following one-liner I send a DNS request to each of my 20 DCs, asking
them all which server is SOA, in their opinion.
I filtered the reply to keep only the answer line. Yes, I could certainly
have used dig better to avoid that double grep. dig usage is not the point
of our argument.

dc102:~# for i in 1 2; do for j in {0..9}; do \
    dig -t SOA ad.dgfip.finances.gouv.fr @dc${i}0${j} \
    | grep 'ANSWER SECTION:' -A1 | grep -v 'ANSWER SECTION:'; \
  done; done
ad.dgfip.finances.gouv.fr. 3600 IN      SOA dc100.ad.dgfip.finances.gouv.fr. hostmaster.ad.dgfip.finances.gouv.fr. 463 900 600 86400 3600
ad.dgfip.finances.gouv.fr. 3600 IN      SOA dc101.ad.dgfip.finances.gouv.fr. hostmaster.ad.dgfip.finances.gouv.fr. 463 900 600 86400 3600
ad.dgfip.finances.gouv.fr. 3600 IN      SOA dc102.ad.dgfip.finances.gouv.fr. hostmaster.ad.dgfip.finances.gouv.fr. 463 900 600 86400 3600
ad.dgfip.finances.gouv.fr. 3600 IN      SOA dc103.ad.dgfip.finances.gouv.fr. hostmaster.ad.dgfip.finances.gouv.fr. 463 900 600 86400 3600
ad.dgfip.finances.gouv.fr. 3600 IN      SOA dc104.ad.dgfip.finances.gouv.fr. hostmaster.ad.dgfip.finances.gouv.fr. 463 900 600 86400 3600
ad.dgfip.finances.gouv.fr. 3600 IN      SOA dc105.ad.dgfip.finances.gouv.fr. hostmaster.ad.dgfip.finances.gouv.fr. 463 900 600 86400 3600
ad.dgfip.finances.gouv.fr. 3600 IN      SOA dc106.ad.dgfip.finances.gouv.fr. hostmaster.ad.dgfip.finances.gouv.fr. 463 900 600 86400 3600
ad.dgfip.finances.gouv.fr. 3600 IN      SOA dc107.ad.dgfip.finances.gouv.fr. hostmaster.ad.dgfip.finances.gouv.fr. 463 900 600 86400 3600
ad.dgfip.finances.gouv.fr. 3600 IN      SOA dc108.ad.dgfip.finances.gouv.fr. hostmaster.ad.dgfip.finances.gouv.fr. 463 900 600 86400 3600
ad.dgfip.finances.gouv.fr. 3600 IN      SOA dc109.ad.dgfip.finances.gouv.fr. hostmaster.ad.dgfip.finances.gouv.fr. 463 900 600 86400 3600
ad.dgfip.finances.gouv.fr. 3600 IN      SOA dc200.ad.dgfip.finances.gouv.fr. hostmaster.ad.dgfip.finances.gouv.fr. 463 900 600 86400 3600
ad.dgfip.finances.gouv.fr. 3600 IN      SOA dc201.ad.dgfip.finances.gouv.fr. hostmaster.ad.dgfip.finances.gouv.fr. 463 900 600 86400 3600
ad.dgfip.finances.gouv.fr. 3600 IN      SOA dc202.ad.dgfip.finances.gouv.fr. hostmaster.ad.dgfip.finances.gouv.fr. 463 900 600 86400 3600
ad.dgfip.finances.gouv.fr. 3600 IN      SOA dc203.ad.dgfip.finances.gouv.fr. hostmaster.ad.dgfip.finances.gouv.fr. 463 900 600 86400 3600
ad.dgfip.finances.gouv.fr. 3600 IN      SOA dc204.ad.dgfip.finances.gouv.fr. hostmaster.ad.dgfip.finances.gouv.fr. 463 900 600 86400 3600
ad.dgfip.finances.gouv.fr. 3600 IN      SOA dc205.ad.dgfip.finances.gouv.fr. hostmaster.ad.dgfip.finances.gouv.fr. 463 900 600 86400 3600
ad.dgfip.finances.gouv.fr. 3600 IN      SOA dc206.ad.dgfip.finances.gouv.fr. hostmaster.ad.dgfip.finances.gouv.fr. 463 900 600 86400 3600
ad.dgfip.finances.gouv.fr. 3600 IN      SOA dc207.ad.dgfip.finances.gouv.fr. hostmaster.ad.dgfip.finances.gouv.fr. 463 900 600 86400 3600
ad.dgfip.finances.gouv.fr. 3600 IN      SOA dc208.ad.dgfip.finances.gouv.fr. hostmaster.ad.dgfip.finances.gouv.fr. 463 900 600 86400 3600
ad.dgfip.finances.gouv.fr. 3600 IN      SOA dc209.ad.dgfip.finances.gouv.fr. hostmaster.ad.dgfip.finances.gouv.fr. 463 900 600 86400 3600

What does that show? Each and every DC I have considers itself as SOA. So, as
a matter of fact, there are several SOA.

To be sure, here is the status of the NS declaration for my domain:
dc102:~# dig -t NS ad.dgfip.finances.gouv.fr

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.1 <<>> -t NS
ad.dgfip.finances.gouv.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18834
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ad.dgfip.finances.gouv.fr.     IN      NS

;; ANSWER SECTION:
ad.dgfip.finances.gouv.fr. 900  IN      NS
dc100.ad.dgfip.finances.gouv.fr.

;; Query time: 1 msec
;; SERVER: 10.154.102.166#53(10.154.102.166)
;; WHEN: mar. avril 05 14:35:35 CEST 2016
;; MSG SIZE  rcvd: 74

I removed from the NS list the machine named dc200, which is the FSMO and which
is also the one declared as SOA in the AD LDAP DB.

So every name server tells whoever wants to know that they are all SOA.
The SOA in the AD DB is not taken into account when a DNS client asks a DNS
server for the SOA.
NS records have no influence on how name servers react regarding what they
reply about SOA (one NS, 20 SOA...)



>
>>         Using Internal DNS I expect all DNS servers can modify the AD
>>         zones also (that's internal stuff), but even if they can modify
>>         the AD zone locally, that is not the process chosen by the Samba
>>         Team. Samba Internal DNS relies on DB content to reply to a SOA
>>         query, and there is only one SOA in the DB.
>>         So with internal DNS you will always have only one SOA.
>>
>>
>>     As standard this is true, but you can add the DC records to the
>>     SOA record in AD and then Bind dlz will show each DC as being the
>>     owner of the SOA, but as you say, the internal DNS doesn't.
>>
>>
>> Yes, internal does not follow the standard.
>>
>
> Again I agree with you here.
>

Nice.


>
>
>>
>>         This is an issue because if your SOA is down and some DC has
>>         DNS updates to send, the updates will fail because no SOA is
>>         available.
>>         And when seizing roles because you are about to remove the old
>>         FSMO, that's the same: once the FSMO is removed there is no more
>>         SOA to apply DNS updates on.
>>
>>
>>     The problem isn't if you remove a DC, it is that, as standard,
>>     there is only one NS in the SOA.
>>
>>
>> Missed. SOA has nothing to do with NS. I could write the difference again,
>> but you don't trust me. If I don't say the same as you, I'm wrong (until I
>> show the contrary).
>>
>
> I thought we agreed what SOA means, 'Start Of Authority' and what does it
> contain, the nameserver (NS) to contact for the domain records, how can
> this have nothing to do with 'NS' ????
>

NS and SOA are linked, as they both exist to reference name servers of the
mentioned zone. But one is there to know which machine you can ask for
names (NS); the other exists to know which machine you will send update
requests to.

And the SOA is not necessarily declared as an NS; the SOA could also be
configured to refuse standard requests (allow-query: none;). The SOA is not
related to resolving requests. NS is about resolving requests. SOA is about
write requests.
Two things, write and read, really close, but not the same.


>
>
>> As internal does not follow the standard, it must move the SOA at some
>> moments (hard to define them all because of conditional behaviour).
>>
>
> Sorry, but I do not understand that last statement.
>

What I meant is that the good point of AD is automation (it is hard enough
with automation, so let's not remove it).
When Samba demotes the FSMO (of course because an admin asked Samba to do
it), the SOA must follow the FSMO. There are other cases, but that one is the
simplest I can think of right now.

With internal DNS, demoting the FSMO without moving the SOA implies nsupdate
can't send updates, as the SOA is not responding any more (demoted).


>
>
>>
>>
>>         For me, I can be wrong, this behaviour comes from the fact that
>>         Samba uses the "nsupdate" command to push DNS updates. nsupdate
>>         comes from the Bind tools suite; as it is a Bind tool it follows
>>         the protocol, and the protocol says "updates can be pushed only
>>         to the SOA". So nsupdate first asks the zone to be modified what
>>         the SOA is, to push updates to that server.
>>
>>
>>     I don't think the problem is with 'nsupdate', I think it is with
>>     the way the internal DNS uses the SOA.
>>
>>
>> You who don't seem to test much: do you run a tcpdump when using nsupdate
>> -g /path/to/file.generated_by_samba_dnsupdate?
>> If you did that you would have seen that the first action of nsupdate is to
>> find the SOA (because the SOA is, or are, the place(s) to push changes to).
>>
>
> No, I don't, but then that is probably because I don't have any problems
> with DHCP & DNS. Also SOA isn't the place to push changes, it is the place
> that tells you where to push changes.
>

I do, because I wanted to know how things work.
And using tcpdump during nsupdate showed that nsupdate uses the SOA to send
requests to.

That is the reason for numerous Samba users' questions, especially when they
ask about failover: with internal DNS there is one and only one SOA. If this
machine with the SOA is down, nsupdate can't push updates.



>
>
>>
>>         IMHO this should be managed by Samba itself rather than
>>         relying on Samba admins' DNS knowledge.
>>         Samba Internal DNS should be able to push updates locally, and
>>         Samba internal DNS should answer "I am SOA", as they can push
>>         DNS updates locally (they have access to the DB, they can push
>>         updates, even if this needs some code to be written).
>>
>>
>>     Totally agree with you, do you want to write this code ?
>>
>>
>> No.
>>
>
> OK, just thought I would ask.
>
>
>>         Or samba_dnsupdate should not use by default nsupdate from the
>>         Bind tools when using internal DNS, but rather use
>>         "samba-tool dns ...", which pushes updates locally.
>>
>>
>>     Do you mean like archlinux did with dhcp ?
>>
>>
>> dhcp on archlinux has some dependency on samba4 in AD mode? I hadn't
>> noticed that... Because for dhcp to start using samba_dnsupdate or
>> samba-tool there is certainly some work to do in the dhcp code...
>>
>
> Here again you are wrong: for a long time DHCP has had the ability to run
> a script when updating a dhcp lease. I have been using this for about 4
> years now and it just works; my script uses 'nsupdate'. Archlinux had a
> similar script, but theirs used samba-tool.
>

I'm sorry, but like anyone here, I haven't tried everything. And as I
don't personally use DNS, as I'm not paid to include DHCP in the AD I'm
building, I don't dig too much in that direction and yes, of course, I'm
lacking knowledge on that subject. And on lots of others :)


>
>
>
>> I'm joking, but seriously, I don't see any relation between arch, dhcp and
>> samba tools, so I don't see the point of that question.
>>
>
> Well obviously you don't, because you never went looking for them.
>

True: I haven't dug into DHCP for years, and it was about PXE, not AD and
auto-update into DNS.


>
>
>>     And before you start thinking I am trying to put you down, I am
>>     not, I am just pointing out what *I* see as mistakes. If you have
>>     any problems with what I write, provide proof of where I am wrong
>>     and I will apologise.
>>
>>
>> I think I did. For both: being p****d off in the morning and giving you
>> explanations.
>>
>
> I see no reason to apologise yet, come up with valid proof that what I am
> saying is wrong and I will.
>



>
> Can you also please moderate your language.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


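The mechanism argued over in this message (nsupdate first asks for the zone's SOA, takes the MNAME it gets back, and sends the RFC 2136 UPDATE there; with Bind DLZ each DC names itself, with the internal DNS there is a single MNAME that disappears when that DC is demoted) is shown below as an added example. It is not code from the thread or from the Samba project. It uses only the Python standard library and builds the DNS wire format by hand; every SOA answer is constructed in build_soa_response() rather than captured from a real DC, and the zone ad.example.com and the hosts dc102, dns20 and dc200 (the FSMO holder) are placeholders patterned on the names in the thread.

```python
"""Added example, not from the Samba thread or project: nsupdate's two steps
on the DNS wire format.  Step 1 queries the zone's SOA and reads its MNAME;
step 2 builds the RFC 2136 UPDATE that goes to that MNAME.  All SOA answers
are constructed here (not captured); zone and host names are placeholders."""
import struct

QTYPE_A, QTYPE_SOA, QCLASS_IN = 1, 6, 1
OPCODE_UPDATE = 5


def encode_name(name):
    """Dotted name -> DNS labels, no compression."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a name at msg[off], following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appeared at off)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # 2-byte pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_soa_query(zone, qid=0x1234):
    """Step 1: a plain 'zone IN SOA' query (rd bit set, as dig sends it)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def build_soa_response(query, mname, serial=463):
    """Constructed authoritative answer (flags qr aa rd) naming `mname` as the
    SOA primary.  Timer values match the dig output in the thread."""
    qid = struct.unpack("!H", query[:2])[0]
    zone, _ = decode_name(query, 12)
    rdata = (encode_name(mname) + encode_name("hostmaster." + zone)
             + struct.pack("!IIIII", serial, 900, 600, 86400, 3600))
    header = struct.pack("!HHHHHH", qid, 0x8500, 1, 1, 0, 0)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_SOA, QCLASS_IN, 3600, len(rdata))
    return header + query[12:] + rr + rdata       # question echoed, then the RR


def soa_mname(response):
    """MNAME of the first SOA RR in the ANSWER section, or None."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", response[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(response, off)
        off += 4                                        # qtype + qclass
    for _ in range(an):
        _, off = decode_name(response, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == QTYPE_SOA:
            return decode_name(response, off)[0]
        off += rdlen
    return None


def update_target(zone, responder, down=()):
    """What nsupdate does before sending anything: ask the configured resolver
    (`responder`, a callable taking query bytes) for the SOA and pick its MNAME.
    Returns None when there is no SOA or the MNAME is in `down`, i.e. the
    'SOA demoted, updates fail' situation the thread describes."""
    mname = soa_mname(responder(build_soa_query(zone)))
    return None if mname is None or mname in down else mname


def build_update(zone, host, ipv4, qid=0x4321):
    """Step 2: RFC 2136 UPDATE adding 'host A ipv4' to `zone`
    (ZOCOUNT=1, PRCOUNT=0, UPCOUNT=1, ADCOUNT=0)."""
    header = struct.pack("!HHHHHH", qid, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone_sec = encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)
    rdata = bytes(int(o) for o in ipv4.split("."))
    upd_sec = (encode_name(host)
               + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 3600, len(rdata)) + rdata)
    return header + zone_sec + upd_sec


def parse_update(msg):
    """(opcode, zone, ZOCOUNT, UPCOUNT) from an UPDATE message."""
    _, flags, zo, _, up, _ = struct.unpack("!HHHHHH", msg[:12])
    return (flags >> 11) & 0xF, decode_name(msg, 12)[0], zo, up


if __name__ == "__main__":
    ZONE = "ad.example.com."
    # Bind DLZ as reported in the thread: each DC answers with itself as MNAME.
    for dc in ("dc102." + ZONE, "dns20." + ZONE):
        print(dc, "->", update_target(ZONE, lambda q, dc=dc: build_soa_response(q, dc)))
    # Internal DNS: one MNAME (the FSMO holder) whoever answers; demote it
    # and the update has nowhere to go.
    fsmo = "dc200." + ZONE
    internal = lambda q: build_soa_response(q, fsmo)
    print("internal ->", update_target(ZONE, internal))
    print("internal, FSMO demoted ->", update_target(ZONE, internal, down={fsmo}))
    print(parse_update(build_update(ZONE, "host1." + ZONE, "10.0.0.5")))
```

The responder callable stands in for whatever server the resolver points nsupdate at; swapping in a responder that answers with a different MNAME is exactly the difference the thread's 20-DC loop exposes, and the `down` set models the demoted FSMO holder. To try it against a live DC you would replace build_soa_response() with a UDP send/receive of the query bytes to port 53 and feed the reply to soa_mname().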