[Samba] Bogus dnsRecord attribute with Rank==0

Jonathon Reinhart jonathon.reinhart at gmail.com
Fri Jan 22 14:40:24 UTC 2021


I'm running an AD Domain using Samba 4.9.5 on Debian 10. I recently encountered
an issue where a DNS record started acting funny. I'll call the record

We're not sure of the exact sequence, but it involved changing a CNAME and
ended like this:
- Admin 1 deleted the DNS record using Windows RSAT DNS Manager.
- Admin 2 recreated a DNS record (with that name), but it would not resolve. He
  was surprised to see that Admin 1 was the owner on the new record (in DNS
- Admin 2 deleted the record again.

I started investigating and confirmed that the record was not present in DNS

When I queried the whole zone, I would see sw1 with 0 Records:

    dc1:~$ samba-tool dns query dc1 example.com '@' ALL | grep sw1
      Name=sw1, Records=0, Children=0

Oddly, when I query for `sw1`, it shows up with weird results:

    dc1:~$ samba-tool dns query dc1 example.com 'sw1' ALL
      Name=, Records=0, Children=0

Why is `Name=` empty?! And if there are no Records and no Children then it
shouldn't exist at all, right?

So then I dug into the DNS LDAP objects using ADSI Edit
(DC=DomainDnsZones,DC=example,DC=com). I was surprised to see an object:

It had one dnsRecord [1] attribute with the following (modified/redacted) data:

    2A 00 05 00 05 00 00 00 BD 00 00 00 00 00 0E 10 00 00 00 00 00 00 00 00 ...

Decoding this manually, I found:

        DataLength: 42
        Type: 5             (DNS_TYPE_CNAME)
        Version: 5
        Rank: 0             (No RANK_* flags set!)
        Flags: 0
        Serial: 189
        TtlSeconds: 3600
        Reserved: 0
        TimeStamp: 0
        Data: ...

Note that Rank is 0, which means none of the RANK_* flags are set!

In other funtional records, I see Rank=0xF0 (RANK_ZONE, which means "The record
comes from an authoritative zone.")

So this "stale" dnsRecord attribute with Rank=0:
- Somehow prevents the "good" dnsRecord from working
- Does not appear in any DNS "views" (a DNS query, samba-tool, or DNS Manager)
- Keeps the owning LDAP `dnsNode` object alive/around
  - Which is why Admin 1 continually showed up as the owner, even though
    Admin 2 thought he re-created the record

To fix this, I:
- Deleted the `sw1` A record in DNS Manager
- Renamed the `sw1` dnsNode object in ADSI Edit to `xxx-broken-sw1`
  - Confirmed that `samba-tool dns query` gave the expected non-results.
- Created the record as usual.

So of course, the big question is: "How the hell did Rank get set to 0x00 on
this dnsRecord?"

I can't find anywhere in the samba source code that would ever set Rank=0.
But there is plenty of code (e.g. `dns_fill_records_array`) that explicitly
checks for DNS_RANK_ZONE.

I have to assume that the Windows "DNS Manager" RSAT tool did this (via LDAP),
but I have no idea why, nor can I recreate this.

I still have the xxx-broken-sw1 record for forensic purposes, although I'd
like to delete it soon.

Has anyone ever seen anything like this?

Best regards,
Jonathon Reinhart

[1]: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/6912b338-5472-4f59-b912-0edb536b6ed8

More information about the samba mailing list