[Samba] How to update the root hints for bind DLZ

Amitay Isaacs amitay at gmail.com
Thu Jun 8 09:19:21 UTC 2017


Hi,

Let me try to clear some confusion.

On Tue, Jun 6, 2017 at 7:36 PM, Torsten Kurbad via samba <
samba at lists.samba.org> wrote:

> Hi,
>
> we are running a Samba AD on UCS 4.2, which comes with Samba 4.6.1.
>
> The DNS server (192.168.0.200) is operated by bind with the samba DLZ
> module. It also hosts several zones outside of samba.
>
> Every couple of hours, I get messages like these on the server:
>
> Jun  5 23:04:58 ucsdc1 daemon:[warning] checkhints:
>   h.root-servers.net/A (198.97.190.53) missing from hints
> Jun  5 23:04:58 ucsdc1 daemon:[warning] checkhints:
>   h.root-servers.net/A (128.63.2.53) extra record in hints
> Jun  5 23:06:48 ucsdc1 daemon:[warning] checkhints:
>   h.root-servers.net/A (198.97.190.53) missing from hints
> Jun  5 23:06:48 ucsdc1 daemon:[warning] checkhints:
>   h.root-servers.net/A (128.63.2.53) extra record in hints
>
> This is because h.root-servers.net transitioned to a new IP
> one and a half years ago.
> [https://www.isc.org/blogs/h-root-will-change-its-addresses-on-1-december-2015-what-does-this-mean-for-you/]
>
> I updated the relevant section in my /etc/bind/db.root that now looks
> like this:
>
> ;
> ; FORMERLY AOS.ARL.ARMY.MIL
> ;
> .                        3600000      NS    H.ROOT-SERVERS.NET.
> H.ROOT-SERVERS.NET.      3600000      A     198.97.190.53
> H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53
>
> 'dig -t any 192.168.0.200' says:
>
> h.root-servers.net.     57555   IN      A    198.97.190.53
> h.root-servers.net.     57555   IN      AAAA 2001:500:1::53
>
>
Samba's bind-dlz module does not export root hints to BIND named.  So the
error you are seeing is an issue with your bind configuration.

Please check your named configuration and you will find an entry like:

  zone "." IN {
        type hint;
        file "db.root";
  };

This tells named to use the entries from db.root file as hints on the root
(.) domain.

If you look at the output from the bind-dlz module, it will look something like:

  08-Jun-2017 18:59:51.134 samba_dlz: started for DN DC=lindom,DC=example,DC=local
  08-Jun-2017 18:59:51.134 samba_dlz: starting configure
  08-Jun-2017 18:59:51.136 samba_dlz: configured writeable zone 'lindom.example.local'
  08-Jun-2017 18:59:51.136 samba_dlz: configured writeable zone '_msdcs.lindom.example.local'

This tells you that named will use the bind_dlz module for 2 zones
(lindom.example.local and _msdcs.lindom.example.local).

> However, the messages keep appearing in the log. After some
> digging I found that 'samba-tool dns roothints 192.168.0.200' says:
>
>   Name=h.root-servers.net., Records=1, Children=0
>     A: 128.63.2.53 (flags=8, serial=0, ttl=0)
>
> If I try to update this entry in the Windows DNS management console, I
> get an error message:
>
>   Failure to write NS record <h.root-servers.net>
>   Der Name ist nicht vorhanden.
>
> (Last part is German - Unfortunately, I don't have an English Windows
> version at my disposal, but loosely translated it would be something
> like "The name could not be found".)
>
> Thus, my question is: What is the correct way to update Samba's root
> hints?
>
>
The only reason for keeping the RootDNSServers zone in the AD database is
to interoperate with a Windows AD server running the DNS service.

So updating the DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones zone for
changing root servers is absolutely useless with a bind-dlz setup.  BIND
named will never look at the entries in this zone for root domain hints.

Amitay.
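As an added illustration (not part of the thread and not Samba or BIND code), the following Python script reproduces the comparison behind the `checkhints:` warnings above: it reads the A/AAAA glue from a `db.root` hints file and diffs it against the addresses the root servers currently answer with. The hints file and the priming answer are constructed samples; the H addresses are the ones from the log, the A-root lines are sample data.

```python
from typing import Dict, List, Set

# Constructed sample of /etc/bind/db.root in which the H root server still
# carries its pre-December-2015 addresses (the situation behind the
# checkhints warnings in the thread). The A-root lines are sample data.
SAMPLE_DB_ROOT = """\
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
;
; FORMERLY AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::803f:235
"""

# Constructed stand-in for a priming query answer (what named compares the
# hints against); a real run would fill this from all 13 root servers.
SAMPLE_PRIMING = {
    "a.root-servers.net.": {"A": {"198.41.0.4"}, "AAAA": {"2001:503:ba3e::2:30"}},
    "h.root-servers.net.": {"A": {"198.97.190.53"}, "AAAA": {"2001:500:1::53"}},
}

def parse_hints(text: str) -> Dict[str, Dict[str, Set[str]]]:
    """Collect A/AAAA glue from a hints zone file (NS lines and an optional IN class are skipped)."""
    hints: Dict[str, Dict[str, Set[str]]] = {}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()   # drop ';' comments, tokenize
        if len(fields) < 4:                     # $TTL, blank and comment-only lines
            continue
        owner, rtype, rdata = fields[0].lower(), fields[-2].upper(), fields[-1].lower()
        if rtype in ("A", "AAAA"):
            hints.setdefault(owner, {}).setdefault(rtype, set()).add(rdata)
    return hints

def check_hints(hints, priming) -> List[str]:
    """Emit the same 'missing from hints' / 'extra record in hints' lines named logs."""
    warnings = []
    for name, rrsets in sorted(priming.items()):
        for rtype, current in sorted(rrsets.items()):
            hinted = hints.get(name, {}).get(rtype, set())
            label = f"checkhints: {name.rstrip('.')}/{rtype}"
            for addr in sorted(current - hinted):
                warnings.append(f"{label} ({addr}) missing from hints")
            for addr in sorted(hinted - current):
                warnings.append(f"{label} ({addr}) extra record in hints")
    return warnings
```

To check a live server, feed `parse_hints(open("/etc/bind/db.root").read())` and a priming dict built from the A/AAAA answers for each root server; an empty list means the file and the live addresses agree.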
