[Samba] dNSTombstoned
Andrew Bartlett
abartlet at samba.org
Wed Mar 18 21:26:25 UTC 2020
On Wed, 2020-03-18 at 20:48 +0100, Christian Naumer via samba wrote:
> Hello you all,
> with the new samba version out that fixes some problems with dns
> scavenging I have decided to try this feature.
> I was specifically interested for our reverse zone (PTR records)
>
> We have one zone for VPN clients 8.0.10.in-addr.arpa. I activated the
> feature in the smb.conf as well as in the Windows DNS manager.
> Entries are deleted (not visible in DNS manager) after a while.
>
> You can still see them in ADSI-Edit. Those that are invisible have
> "dNSTombstoned: TRUE" set; the others have either FALSE or the
> attribute is not there at all.
>
> My problem is this: if an entry was deleted and has "dNSTombstoned:
> TRUE" it still has the same owner and therefore a new computer that
> got the same IP from our VPN gateway can not set this entry to point
> to itself.
>
> Shouldn't the code that deletes (or marks as deleted/tombstoned)
> unset the owner? Or is this by design?

Honestly, I'm not sure. The whole dNSTombstoned thing is designed to
avoid churn of actual deleted records, which would pile up for 6 months
and overwhelm replication. But it means they remain real records with
a real owner, and the normal ACL rules apply.

This makes sense for forward records, but less sense for reverse
records if the IP allocated isn't mostly constant.

> Also "samba-tool domain tombstones expunge --tombstone-lifetime=0"
> does not delete the records with "dNSTombstoned: TRUE". Is this a
> different tombstone?

That would be a different tombstone, yes.

> Until now what I do is delete the entries manually in ADSI. This
> works as expected.
>
> Any hint how to get this working?
I'm not sure right now.
Sorry!
Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
https://catalyst.net.nz/services/samba
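
To audit which DNS nodes are in the three states described in this thread (dNSTombstoned TRUE, FALSE, or attribute absent), the following is an added example, not code from either poster or from the Samba project. It assumes the zone's entries have been exported as LDIF; the sample records and the `example.com` domain components are constructed placeholders.

```python
import base64

# Constructed sample LDIF (not from the thread). The zone name is the one
# mentioned in the post; DC=example,DC=com is a placeholder domain.
SAMPLE_LDIF = """\
dn: DC=15,DC=8.0.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com
dNSTombstoned: TRUE

dn: DC=16,DC=8.0.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,
 DC=com
dNSTombstoned: FALSE

dn: DC=17,DC=8.0.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com
objectClass: dnsNode

dn: DC=18,DC=8.0.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com
dNSTombstoned:: VFJVRQ==
"""

def parse_ldif(text):
    """Yield one {lowercased attribute: [values]} dict per LDIF record."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    record = {}
    for line in lines + [""]:             # trailing "" flushes the last record
        if not line.strip():
            if record:
                yield record
            record = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):     # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            record.setdefault(name.lower(), []).append(value.strip())

def tombstone_state(record):
    """Return 'tombstoned', 'live' or 'unset' for one record."""
    values = record.get("dnstombstoned")
    if not values:
        return "unset"
    return "tombstoned" if values[0].upper() == "TRUE" else "live"

def tombstoned_nodes(text):
    """DNs of records that are hidden from DNS but still exist with their ACL."""
    return [r["dn"][0] for r in parse_ldif(text) if tombstone_state(r) == "tombstoned"]
```
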