[Samba] Bogus dnsRecord attribute with Rank==0

Sat Jan 23 11:17:35 UTC 2021

On 22.01.2021 16:47, L.P.H. van Belle via samba wrote:
> You have 4 options..
>
> 1, use sernet the packages and buy support with it.
> 2, use debian packages but 4.9.x is way to old.
>     IF this is a minimal installed server, upgrade to bullseye.
>     Then your on 4.13.3
> 3, Use my repo. Upgrade to at least 4.12.x
> 4, compile latest yourself.
>
> you've hitted old bugs.
> the only good fix is upgrade samba.
>
> Greetz,
>
> Louis
>
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Jonathon Reinhart
>> via samba
>> Verzonden: vrijdag 22 januari 2021 15:40
>> Aan: samba
>> Onderwerp: [Samba] Bogus dnsRecord attribute with Rank==0
>>
>> Hello,
>>
>> I'm running an AD Domain using Samba 4.9.5 on Debian 10. I recently
>> encountered
>> an issue where a DNS record started acting funny. I'll call the record
>> `sw1.example.com`.
>>
>> We're not sure of the exact sequence, but it involved changing a CNAME and
>> ended like this:
>> - Admin 1 deleted the DNS record using Windows RSAT DNS Manager.
>> - Admin 2 recreated a DNS record (with that name), but it would not
>> resolve. He
>>    was surprised to see that Admin 1 was the owner on the new record (in
>> DNS
>>    Manager).
>> - Admin 2 deleted the record again.
>>
>> I started investigating and confirmed that the record was not present in
>> DNS
>> Manager.
>>
>> When I queried the whole zone, I would see sw1 with 0 Records:
>>
>>      dc1:~$ samba-tool dns query dc1 example.com '@' ALL | grep sw1
>>        Name=sw1, Records=0, Children=0
>>
>> Oddly, when I query for `sw1`, it shows up with weird results:
>>
>>      dc1:~$ samba-tool dns query dc1 example.com 'sw1' ALL
>>        Name=, Records=0, Children=0
>>
>> Why is `Name=` empty?! And if there are no Records and no Children then it
>> shouldn't exist at all, right?
>>
>> So then I dug into the DNS LDAP objects using ADSI Edit
>> (DC=DomainDnsZones,DC=example,DC=com). I was surprised to see an object:
>> DC=sw1,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com
>>
>> It had one dnsRecord [1] attribute with the following (modified/redacted)
>> data:
>>
>>      2A 00 05 00 05 00 00 00 BD 00 00 00 00 00 0E 10 00 00 00 00 00 00 00
>> 00 ...
>>
>> Decoding this manually, I found:
>>
>>      dnsRecord:
>>          DataLength: 42
>>          Type: 5             (DNS_TYPE_CNAME)
>>          Version: 5
>>          Rank: 0             (No RANK_* flags set!)
>>          Flags: 0
>>          Serial: 189
>>          TtlSeconds: 3600
>>          Reserved: 0
>>          TimeStamp: 0
>>          Data: ...
>>
>> Note that Rank is 0, which means none of the RANK_* flags are set!
>>
>> In other funtional records, I see Rank=0xF0 (RANK_ZONE, which means "The
>> record
>> comes from an authoritative zone.")
>>
>> So this "stale" dnsRecord attribute with Rank=0:
>> - Somehow prevents the "good" dnsRecord from working
>> - Does not appear in any DNS "views" (a DNS query, samba-tool, or DNS
>> Manager)
>> - Keeps the owning LDAP `dnsNode` object alive/around
>>    - Which is why Admin 1 continually showed up as the owner, even though
>>      Admin 2 thought he re-created the record
>>
>> To fix this, I:
>> - Deleted the `sw1` A record in DNS Manager
>> - Renamed the `sw1` dnsNode object in ADSI Edit to `xxx-broken-sw1`
>>    - Confirmed that `samba-tool dns query` gave the expected non-results.
>> - Created the record as usual.
>>
>> So of course, the big question is: "How the hell did Rank get set to 0x00
>> on
>> this dnsRecord?"
>>
>> I can't find anywhere in the samba source code that would ever set Rank=0.
>> But there is plenty of code (e.g. `dns_fill_records_array`) that
>> explicitly
>> checks for DNS_RANK_ZONE.
>>
>> I have to assume that the Windows "DNS Manager" RSAT tool did this (via
>> LDAP),
>> but I have no idea why, nor can I recreate this.
>>
>> I still have the xxx-broken-sw1 record for forensic purposes, although I'd
>> like to delete it soon.
>>
>> Has anyone ever seen anything like this?
>>
>> Best regards,
>> Jonathon Reinhart
>>
>>
>> [1]: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-
>> dnsp/6912b338-5472-4f59-b912-0edb536b6ed8
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba

Yes, I am seeing this problem from 4.9.5 up to 4.12.11.

Easily reproducible: reverse zone: add a record and edit the name 
(forget to add  the domain in the FQDN at the start and correct it). 
After a refresh the record is not visible anymore.

if you correct the Zero after the 5 (version) to decimal 240 (I am using 
AdExplorer.exe from Sysinternals) , the record is back after a refresh 
in RSAT DNS Manager.

Mani