[Samba] Problem after deleting a DNS zone

Rowland penny rpenny at samba.org
Thu Jun 27 10:39:33 UTC 2019


On 27/06/2019 11:22, Sergio Belkin wrote:
> On Wed, 26 Jun 2019 at 15:11, Rowland penny via samba 
> (<samba at lists.samba.org>) wrote:
>
>     On 26/06/2019 18:59, Sergio Belkin via samba wrote:
>     > On Wed, 26 Jun 2019 at 14:48, Rowland penny via samba (<
>     > samba at lists.samba.org>) wrote:
>     >
>     >> On 26/06/2019 18:36, Sergio Belkin via samba wrote:
>     >>> I've seen this behaviour:
>     >>>
>     >>> 1. Create a new DNS zone, eg: example.com
>     >> Where did you create the zone ?
>     >>> 2. Create an independent DNS server that is now authoritative for
>     >>> example.com
>     >> This sounds like you recreated the 'example.com' zone again on another
>     >> DNS server that is external to the Samba AD DC
>     >>> 3. On samba delete the example.com zone with samba-tool dns
>     >>> delete.....
>     >>>
>     >>> The result is that using samba as DNS server it does not resolve
>     >>> example.com
>     >>> through recursive query and fails
>     >> It wouldn't resolve 'example.com' would it, you have just deleted all
>     >> the zone records.
>     >>> Am I the only one with this issue? I've found a workaround running:
>     >>>
>     >>> samba-tool dbcheck --cross-ncs --fix and then restarting the
>     >>> service
>     >>>
>     >>> but it would be nice that that was fixed. Or is there a proper way of
>     >>> deleting
>     >>> zones that I don't know?
>     >> No, you are deleting the zone in the correct way, providing it
>     >> isn't the
>     >> AD dns domain. Your DC's should be authoritative for the AD dns
>     >> domain
>     >> and forward anything unknown to an external DNS server.
>     >>
>     >> Rowland
>     >>
>     >>
>     > So is this a bug? It would be great if someone tried to reproduce
>     it...
>     > Greets
>     >
>     I do not think so, it might help if you answered the question I
>     asked,
>     where did you create the zone and I suppose why ?
>
>
> Sorry! I overlooked it. I've created the zone on Samba server, because 
> I needed to replicate temporarily
>
>
>     What is your AD dns domain ?
>
>
> Let's say it is another-example.com
>
>
>     What dns server are you using ? the internal dns server or Bind9 ?
>
>
> I'm using the SAMBA4 server as DNS server. It's the internal dns server.
>
Then I do not see what your problem is:

You have a Samba AD DC in the 'another-example.com' dns domain.

You added a zone called 'example.com'

You created a new DNS server for the 'example.com' dns domain

You deleted the 'example.com' zone from the AD DC.

At this point, unless you forward unknown dns queries to a DNS server 
that knows the 'example.com' dns domain, queries such as 'nslookup 
acomputer.example.com' will fail because your AD DC knows nothing about 
the 'example.com' dns domain.

Rowland
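The point of Rowland's reply is that once the zone is gone from the DC, the only way the DC can still answer for 'example.com' is through the `dns forwarder` setting in smb.conf. The following script is an added example, not code from the thread or from the Samba project: it checks whether a given smb.conf actually sets a non-empty `dns forwarder` in `[global]`, with two constructed smb.conf fragments (one without a forwarder, one with) to demonstrate the check. The hostname `dc1.another-example.com` and the address `192.0.2.53` are placeholders; the `samba-tool dns zonelist` / `zonedelete` and `dig` lines are shown in comments only, since they need a running DC.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): after a zone has been
# deleted from a Samba AD DC, queries for that zone are only answered if the
# DC forwards unknown names, so verify that "dns forwarder" is really set.
# dc1.another-example.com and 192.0.2.53 are placeholders.

# has_dns_forwarder FILE: exit 0 when [global] has a non-empty "dns forwarder".
# Keys before the first section or in other sections are ignored.
has_dns_forwarder() {
    awk -F= '
        /^[ \t]*\[/ { inglobal = ($0 ~ /^[ \t]*\[global\]/); next }
        inglobal && $1 ~ /^[ \t]*dns[ \t]+forwarder[ \t]*$/ {
            val = $2
            gsub(/^[ \t]+|[ \t]+$/, "", val)   # trim around the value
            if (val != "") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Two constructed smb.conf fragments: the weak one has no forwarder, so the
# internal DNS server has nowhere to send queries for zones it no longer
# holds; the corrected one names an external resolver that knows example.com.
WEAK_CONF=$(mktemp)
FIXED_CONF=$(mktemp)
printf '%s\n' '[global]' '    realm = ANOTHER-EXAMPLE.COM' \
    '    server role = active directory domain controller' > "$WEAK_CONF"
printf '%s\n' '[global]' '    realm = ANOTHER-EXAMPLE.COM' \
    '    server role = active directory domain controller' \
    '    dns forwarder = 192.0.2.53' > "$FIXED_CONF"

# Operator steps on a live DC (reference only; they require a running DC):
#   samba-tool dns zonelist dc1.another-example.com -U administrator
#   samba-tool dns zonedelete dc1.another-example.com example.com -U administrator
#   dig @dc1.another-example.com acomputer.example.com
# After zonedelete, the dig above succeeds only when has_dns_forwarder passes.

# check_forwarder_report FILE: print a verdict and return the check's status.
check_forwarder_report() {
    if has_dns_forwarder "$1"; then
        echo "$1: dns forwarder set, queries for deleted zones will be forwarded"
        return 0
    fi
    echo "$1: no dns forwarder, queries for deleted zones will fail"
    return 1
}

check_forwarder_report "$WEAK_CONF" || true
check_forwarder_report "$FIXED_CONF" || true
```

Run it against the DC's real smb.conf (`check_forwarder_report /etc/samba/smb.conf`) before deleting a zone that another server now serves; `testparm -s | grep forwarder` gives the same answer from Samba's own parser and is the authoritative check on a real system.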


