[Samba] How to update the root hints for bind DLZ

Garming Sam garming at catalyst.net.nz
Thu Jun 8 00:03:45 UTC 2017


The RootDNSServers zone is special in a number of ways. It has no SOA
record for instance, and so there's a lot of special casing around it.
Looking on a Windows DC, dnscmd /enumzones lists dot as a zone and
dnscmd /enumrecords . returns the root servers (as well as ..RootHints
it seems). None of this is our choice of convention unfortunately, but
it should be fairly simple to make the client tools have aliases for these.

In terms of listing a name during enumeration of zones, the fact Windows
lists . somehow, but I don't think we do, means there's more to be done
here. It may just be some more client magic (that they've done and we
may need to do) but the underlying RPC/C code which lists the zone
probably shouldn't list any strange aliases that we decide.


Cheers,

Garming

On 07/06/17 19:24, Rowland Penny via samba wrote:
> On Wed, 7 Jun 2017 15:45:39 +1200
> Garming Sam <garming at catalyst.net.nz> wrote:
>
>> It looks like the original intention in our code was to be able to
>> add/modify records with the "." zone. Trying it, there seems to be
>> other issues with using it. I'm not entirely sure if this alias is
>> valid against Windows or for which calls.
> The zone is definitely called 'RootDNSServers' not '.'
>
> If something looks like a duck, walks like a duck and quacks like a
> duck, it is a duck.
>
> The object in AD for 'RootDNSServers' looks like a zone record, it is
> in 'CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com' and
> it has the 'objectClass' dnsZone, therefore it is a zone.
>
> Samba needs to see this zone before we can even think about
> updating/changing the root records.
>
> What is the difference between:
>
> DC=devstation,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>
> and
>
> DC=h.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=samdom,DC=example,DC=com
>
> The difference is that you can update the first record, but you cannot
> update the second, even though they are both valid DNS records in a
> zone. The only difference is that the 'samdom.example.com' zone is
> recognised by Samba and 'RootDNSServers' isn't.
>
> Sorry, but I will not be testing your patches, they are the wrong fix,
> Samba needs to see the 'RootDNSServers' zone.
>
> Rowland
>
>