[Samba] How to update the root hints for bind DLZ

Garming Sam garming at catalyst.net.nz
Wed Jun 7 03:45:39 UTC 2017


It looks like the original intention in our code was to be able to
add/modify records with the "." zone. Trying it, there seem to be other
issues with using it. I'm not entirely sure if this alias is valid
against Windows or for which calls.

I just hacked a patch (see attached) to see if I could add or modify
another name server.

samba-tool dns add $DC_SERVER . @ NS testing
samba-tool dns add $DC_SERVER . testing A 1.1.1.1

samba-tool dns roothints $DC_SERVER

  Name=, Records=14, Children=0
    NS: h.root-servers.net. (flags=40000008, serial=0, ttl=0)
    NS: f.root-servers.net. (flags=40000008, serial=0, ttl=0)
    NS: b.root-servers.net. (flags=40000008, serial=0, ttl=0)
    NS: m.root-servers.net. (flags=40000008, serial=0, ttl=0)
    NS: l.root-servers.net. (flags=40000008, serial=0, ttl=0)
    NS: i.root-servers.net. (flags=40000008, serial=0, ttl=0)
    NS: e.root-servers.net. (flags=40000008, serial=0, ttl=0)
    NS: d.root-servers.net. (flags=40000008, serial=0, ttl=0)
    NS: k.root-servers.net. (flags=40000008, serial=0, ttl=0)
    NS: a.root-servers.net. (flags=40000008, serial=0, ttl=0)
    NS: g.root-servers.net. (flags=40000008, serial=0, ttl=0)
    NS: c.root-servers.net. (flags=40000008, serial=0, ttl=0)
    NS: j.root-servers.net. (flags=40000008, serial=0, ttl=0)
    NS: testing. (flags=40000008, serial=10965, ttl=900)
  Name=h.root-servers.net., Records=1, Children=0
    A: 128.63.2.53 (flags=8, serial=0, ttl=0)
  Name=f.root-servers.net., Records=1, Children=0
    A: 192.5.5.241 (flags=8, serial=0, ttl=0)
  Name=b.root-servers.net., Records=1, Children=0
    A: 192.228.79.201 (flags=8, serial=0, ttl=0)
  Name=m.root-servers.net., Records=1, Children=0
    A: 202.12.27.33 (flags=8, serial=0, ttl=0)
  Name=l.root-servers.net., Records=1, Children=0
    A: 199.7.83.42 (flags=8, serial=0, ttl=0)
  Name=i.root-servers.net., Records=1, Children=0
    A: 192.36.148.17 (flags=8, serial=0, ttl=0)
  Name=e.root-servers.net., Records=1, Children=0
    A: 192.203.230.10 (flags=8, serial=0, ttl=0)
  Name=d.root-servers.net., Records=1, Children=0
    A: 128.8.10.90 (flags=8, serial=0, ttl=0)
  Name=k.root-servers.net., Records=1, Children=0
    A: 193.0.14.129 (flags=8, serial=0, ttl=0)
  Name=a.root-servers.net., Records=1, Children=0
    A: 198.41.0.4 (flags=8, serial=0, ttl=0)
  Name=g.root-servers.net., Records=1, Children=0
    A: 192.112.36.4 (flags=8, serial=0, ttl=0)
  Name=c.root-servers.net., Records=1, Children=0
    A: 192.33.4.12 (flags=8, serial=0, ttl=0)
  Name=j.root-servers.net., Records=1, Children=0
    A: 192.58.128.30 (flags=8, serial=0, ttl=0)
  Name=testing., Records=1, Children=0
    A: 1.1.1.1 (flags=8, serial=10965, ttl=900)


Maybe the Windows DNS management console might work now. Any tests of
RootHints in python/samba/tests/samba_tool/dnscmd.py would be
appreciated. Seeing which aliases work against Windows would be a good
idea ('.' is what Samba supports for modification but is supplying
'..RootHints' as the zone also supposed to work?). I'm also not sure if
users with the correct permission will be able (or unable) to modify this
zone.


Cheers,

Garming


On 07/06/17 02:34, Rowland Penny via samba wrote:
> On Tue, 6 Jun 2017 15:26:33 +0100
> Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>>> Exactly.
>>>
>>> Of course, I could try and change the data using ldbedit, but AD DNS
>>> records are stored in a binary encoded data structure that not only
>>> includes record type and value, but also a serial number, etc.
>>>
>>> Thus, such a manual change would be error prone, to say the least.
>>>
>>> Perhaps, samba-tool could be enhanced to make changing the root
>>> hints possible? It can handle "normal" DNS records, so I wouldn't
>>> expect non-trivial showstoppers...
>>>
>> This was my first thought, but after comparing the record in AD for
>> 'RootDNSServers' with the forward zone, it is a zone, but 'samba-tool
>> dns zonelist' doesn't show it. It looks like the 'C' code is where the
>> problem lies.
>>
>> I am going to raise a bug report for this.
>>
>> Rowland
>>
>>
>>
> see: https://bugzilla.samba.org/show_bug.cgi?id=12823
>
> Rowland
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-dnsdb-Allow-modification-of-root-hints.patch
Type: text/x-patch
Size: 2603 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba/attachments/20170607/c19b9cff/0001-dnsdb-Allow-modification-of-root-hints.bin>
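
Added example (not part of the original message, the attached patch, or Samba's code): since root hints become writable with this change, a small audit that parses `samba-tool dns roothints` output in the format shown above and reports entries outside root-servers.net. The function names are hypothetical, the sample is constructed from the output in the message, and treating root-servers.net as the only expected domain is an assumption.

```python
import re

# Constructed sample: a shortened copy of the `samba-tool dns roothints`
# output format shown in the message above.
SAMPLE = """\
  Name=, Records=2, Children=0
    NS: a.root-servers.net. (flags=40000008, serial=0, ttl=0)
    NS: testing. (flags=40000008, serial=10965, ttl=900)
  Name=a.root-servers.net., Records=1, Children=0
    A: 198.41.0.4 (flags=8, serial=0, ttl=0)
  Name=testing., Records=1, Children=0
    A: 1.1.1.1 (flags=8, serial=10965, ttl=900)
"""

NAME_RE = re.compile(r"^\s*Name=(?P<name>[^,]*), Records=\d+, Children=\d+\s*$")
REC_RE = re.compile(
    r"^\s*(?P<type>[A-Z]+): (?P<data>\S+) "
    r"\(flags=(?P<flags>[0-9a-fA-F]+), serial=(?P<serial>\d+), ttl=(?P<ttl>\d+)\)\s*$")

def parse_roothints(text):
    """Return a list of (owner, rtype, data, serial) tuples."""
    records, owner = [], None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            owner = m.group("name") or "."   # empty name is the root node
            continue
        m = REC_RE.match(line)
        if m and owner is not None:
            records.append((owner, m.group("type"), m.group("data"),
                            int(m.group("serial"))))
    return records

def is_root_server(name):
    # Assumption: legitimate hints all live under root-servers.net.
    return name.lower().rstrip(".").endswith(".root-servers.net")

def audit(records):
    """Flag NS targets and address owners outside root-servers.net."""
    findings = []
    for owner, rtype, data, serial in records:
        if rtype == "NS" and not is_root_server(data):
            findings.append((owner, rtype, data, serial))
        elif rtype in ("A", "AAAA") and owner != "." and not is_root_server(owner):
            findings.append((owner, rtype, data, serial))
    return findings

if __name__ == "__main__":
    for f in audit(parse_roothints(SAMPLE)):
        print("unexpected root hint: %s %s %s (serial=%d)" % f)
```

Feed it the real command output instead of SAMPLE to check a domain controller after root hints have been edited.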

