[Samba] Problem after deleting a DNS zone

Rowland penny rpenny at samba.org
Thu Jun 27 13:47:24 UTC 2019


On 27/06/2019 14:32, Sergio Belkin wrote:
>
>
> El jue., 27 jun. 2019 07:41, Rowland penny via samba 
> <samba at lists.samba.org> escribió:
>
>     On 27/06/2019 11:22, Sergio Belkin wrote:
>     > El mié., 26 jun. 2019 a las 15:11, Rowland penny via samba
>     > (<samba at lists.samba.org>) escribió:
>     >
>     >     On 26/06/2019 18:59, Sergio Belkin via samba wrote:
>     >     > El mié., 26 jun. 2019 a las 14:48, Rowland penny via samba
>     >     > (<samba at lists.samba.org>) escribió:
>     >     >
>     >     >> On 26/06/2019 18:36, Sergio Belkin via samba wrote:
>     >     >>> I've seen this behaviour:
>     >     >>>
>     >     >>> 1. Create a new DNS zone, eg: example.com
>     >     >> Where did you create the zone ?
>     >     >>> 2. Create an independent DNS server that is now authoritative for
>     >     >>> example.com
>     >     >> This sounds like you recreated the 'example.com' zone again on another
>     >     >> DNS server that is external to the Samba AD DC
>     >     >>> 3. On samba delete the example.com zone with samba-tool dns
>     >     >>> delete.....
>     >     >>>
>     >     >>> The result is that using samba as DNS server it does not resolve
>     >     >>> example.com through recursive query and fails
>     >     >> It wouldn't resolve 'example.com' would it, you have just deleted all
>     >     >> the zone records.
>     >     >>> Am I the only one with this issue? I've found a workaround running:
>     >     >>>
>     >     >>> samba-tool dbcheck --cross-ncs --fix and then restarting the service
>     >     >>>
>     >     >>> but it would be nice if that was fixed. Or is there a proper way of
>     >     >>> deleting zones that I don't know?
>     >     >> No, you are deleting the zone in the correct way, providing it isn't the
>     >     >> AD dns domain. Your DCs should be authoritative for the AD dns domain
>     >     >> and forward anything unknown to an external DNS server.
>     >     >>
>     >     >> Rowland
>     >     >>
>     >     >>
>     >     > So is this a bug? It would be great if someone tried to reproduce it...
>     >     > Greets
>     >     >
>     >     I do not think so, it might help if you answered the question I asked,
>     >     where did you create the zone and I suppose why ?
>     >
>     >
>     > Sorry! I overlooked it. I've created the zone on the Samba server, because
>     > I needed to replicate temporarily
>     >
>     >
>     >     What is your AD dns domain ?
>     >
>     >
>     > Let's say it is another-example.com
>     >
>     >
>     >     What dns server are you using ? the internal dns server or Bind9 ?
>     >
>     >
>     > I'm using the SAMBA4 server as DNS server. It's the internal dns server.
>     >
>     Then I do not see what your problem is:
>
>     You have a Samba AD DC in the 'another-example.com' dns domain.
>
>     You added a zone called 'example.com'
>
>     You created a new DNS server for the 'example.com' dns domain
>
>     You deleted the 'example.com' zone from the AD DC.
>
>     At this point, unless you forward unknown dns queries to a DNS server
>     that knows the 'example.com' dns domain, queries such as 'nslookup
>     acomputer.example.com' will fail because your AD DC knows nothing about
>     the 'example.com' dns domain.
>
>
> I use google dns as forwarder to resolve anything else. It is as if 
> SAMBA would say: "I had data of the example.com zone, 
> but I haven't it now. I can't do nothing. Bye." :)

I wonder if this is a cache problem ?

The 'cache' says something like 'yes, I know about example.com' but 
when the dns server actually tries to find a specific record, there are 
no records to search because they have been deleted and as you are 
forwarding to google (who will probably know nothing about 
'example.com'), you get nothing back.

> The expected, I think, is that it passes the query to the forwarder for unknown 
> domains.
>
> In fact the problem goes away if I run samba-tool dbcheck 
> --cross-ncs --fix
>
Not sure why this fixed the problem, did you do anything else such as 
stopping and restarting Samba ?

Rowland
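The question raised in this thread (is the DC still answering for the deleted zone on its own authority, or is it forwarding as it should?) can be settled from the DNS response header alone: an NXDOMAIN or empty NOERROR with the AA (authoritative answer) bit set comes from the DC's own zone data, whereas an answer relayed from a forwarder has AA clear. The following probe is an added example for checking this against a DC; it is not code from the thread or from the Samba project. It builds a raw UDP query with the standard library only, so it runs with no extra packages; the DC address at the bottom is a placeholder you must replace.

```python
import socket
import struct

# RFC 1035 header flag bits and response codes used below
FLAG_QR = 0x8000   # message is a response
FLAG_AA = 0x0400   # authoritative answer
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal recursive DNS query (type A, class IN by default)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = [lbl.encode("ascii") for lbl in name.strip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(data):
    """Decode the 12-byte response header into the fields the check needs."""
    if len(data) < 12:
        raise ValueError("truncated DNS response")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F
    return {
        "id": txid,
        "is_response": bool(flags & FLAG_QR),
        "aa": bool(flags & FLAG_AA),
        "ra": bool(flags & FLAG_RA),
        "rcode": RCODES.get(rcode, "RCODE%d" % rcode),
        "answers": an,
        "authority": ns,
    }


def classify(hdr):
    """Map a parsed header to what it implies about the deleted zone.

    resolved:               records came back (from the DC or via forwarding)
    dc-still-authoritative: no records, but the DC answered on its own
                            authority, so it still believes it holds the zone
                            and never asked the forwarder
    forwarded-nxdomain:     NXDOMAIN without AA, i.e. the forwarder was asked
                            and does not know the name either
    """
    if hdr["rcode"] == "NOERROR" and hdr["answers"] > 0:
        return "resolved"
    if hdr["rcode"] in ("NOERROR", "NXDOMAIN") and hdr["aa"]:
        return "dc-still-authoritative"
    if hdr["rcode"] == "NXDOMAIN":
        return "forwarded-nxdomain"
    if hdr["rcode"] == "SERVFAIL":
        return "servfail"
    return "other:" + hdr["rcode"]


def probe(server, name, timeout=3.0):
    """Send one UDP query to `server` on port 53 and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
    hdr = parse_header(data)
    if hdr["id"] != 0x1234 or not hdr["is_response"]:
        raise ValueError("reply does not match our query")
    return hdr, classify(hdr)


if __name__ == "__main__":
    # Placeholder address (assumption): point this at the Samba DC under test.
    DC_ADDRESS = "192.0.2.1"
    hdr, verdict = probe(DC_ADDRESS, "acomputer.example.com")
    print(hdr, verdict)
```

Run it once before deleting the zone, once after, and once more after the `samba-tool dbcheck --cross-ncs --fix` plus restart the thread describes: a verdict of `dc-still-authoritative` after the deletion is direct evidence of the stale-zone behaviour, and a change to `forwarded-nxdomain` or `resolved` after the fix shows the DC has started forwarding again.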