[Samba] How to update the root hints for bind DLZ

Amitay Isaacs amitay at gmail.com
Thu Jun 8 12:45:11 UTC 2017


On Thu, Jun 8, 2017 at 7:40 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Thu, 8 Jun 2017 19:19:21 +1000
> Amitay Isaacs via samba <samba at lists.samba.org> wrote:
>
> > Hi,
> >
> > Let me try to clear some confusion.
> >
> > On Tue, Jun 6, 2017 at 7:36 PM, Torsten Kurbad via samba <
> > samba at lists.samba.org> wrote:
>
> > Samba's bind-dlz module does not export root hints to BIND named.  So
> > the error you are seeing is an issue with your bind configuration.
> >
> > Please check your named configuration and you will find an entry like:
> >
> >   zone "." IN {
> >         type hint;
> >         file "db.root";
> >   };
> >
> > This tells named to use the entries from db.root file as hints on the
> > root (.) domain.
> >
> > If you look at the output from bind-dlz module, it will say something
> > like:
> >
> >   08-Jun-2017 18:59:51.134 samba_dlz: started for DN
> > DC=lindom,DC=example,DC=local
> >   08-Jun-2017 18:59:51.134 samba_dlz: starting configure
> >   08-Jun-2017 18:59:51.136 samba_dlz: configured writeable zone
> > 'lindom.example.local'
> >   08-Jun-2017 18:59:51.136 samba_dlz: configured writeable zone
> > '_msdcs.lindom.example.local'
> >
> > This tells you that named will use the bind_dlz module for 2 zones
> > (lindom.example.local and _msdcs.lindom.example.local).
> >
>
> Yes, this is what happens for me, along with the reverse zone.
>
> >
> >
> > The only reason for keeping the RootDNSServers zone in the AD
> > database is to interoperate with a Windows AD server running the DNS
> > service.
> >
> > So updating the DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones
> > zone for changing root servers is absolutely useless with a bind-dlz
> > set up.  BIND named will never look at the entries in this zone for
> > root domain hints.
> >
>
> What does the internal dns server do? Where does it get the root
> servers from?
>

Samba's internal dns server is an authoritative dns server; it is not a
recursive resolver.  It will resolve names only for the domains defined in
the AD database.

If you want to use the internal dns server as a recursive resolver, then you
have to provide a dns server which does the actual resolving (samba
configuration option "dns forwarder").  Then the internal dns server will
forward all the queries which it cannot resolve using the domains in the AD
database to this dns server.


> Is there some reason not to use the 'RootDNSServers' zone with Bind9 ?
>

Is there some reason why BIND should?  The root dns servers are fairly
static.

Amitay.
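To make the distinction in this thread concrete, here is an added Python example (not code from the thread, from Samba or from BIND) that reads the three artifacts discussed: the `type hint` zone stanza in named.conf, the samba_dlz log lines, and the `dns forwarder` option in smb.conf. All inputs are constructed samples; the forwarder address 192.0.2.53 is a placeholder.

```python
import re

# Constructed sample inputs (mirroring the thread; not captured from a live system).
NAMED_CONF = '''
zone "." IN {
        type hint;
        file "db.root";
};
'''

SAMBA_DLZ_LOG = '''\
08-Jun-2017 18:59:51.134 samba_dlz: started for DN DC=lindom,DC=example,DC=local
08-Jun-2017 18:59:51.134 samba_dlz: starting configure
08-Jun-2017 18:59:51.136 samba_dlz: configured writeable zone 'lindom.example.local'
08-Jun-2017 18:59:51.136 samba_dlz: configured writeable zone '_msdcs.lindom.example.local'
'''

SMB_CONF = '''
[global]
        server role = active directory domain controller
        dns forwarder = 192.0.2.53
'''

# One named.conf zone stanza: zone "<name>" [IN] { ... };
ZONE_RE = re.compile(r'zone\s+"([^"]*)"\s+(?:IN\s+)?\{(.*?)\};', re.S)

def root_hint_file(named_conf):
    """File the 'type hint' zone for '.' points at, or None when named has no root hint zone."""
    for name, body in ZONE_RE.findall(named_conf):
        if name == "." and re.search(r'\btype\s+hint\s*;', body):
            match = re.search(r'\bfile\s+"([^"]*)"\s*;', body)
            return match.group(1) if match else None
    return None

def dlz_zones(log_text):
    """Zones samba_dlz reported as writeable; these are the only zones it hands to named."""
    return re.findall(r"samba_dlz: configured writeable zone '([^']+)'", log_text)

def dns_forwarder(smb_conf):
    """Value of 'dns forwarder', or None (the internal DNS then answers only for AD zones)."""
    match = re.search(r'^\s*dns forwarder\s*=\s*(.+?)\s*$', smb_conf, re.M | re.I)
    return match.group(1) if match else None

def where_root_queries_go(named_conf, log_text, smb_conf):
    """Summarise which artifact controls resolution outside the AD zones, not RootDNSServers."""
    return {
        "ad_zones_served_by_dlz": dlz_zones(log_text),
        "bind_root_hints_from": root_hint_file(named_conf),
        "internal_dns_forwarder": dns_forwarder(smb_conf),
    }
```

Run against a real named.conf and the samba_dlz lines from the named log, the first two keys show that root hints come from the hint zone file and the AD zones from the DLZ module; the third is what matters only when the internal DNS server is in use.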

