[Samba] Site-specific DNS (was: several offices: home dirs, local resources, ...)
Michael Tokarev
mjt at tls.msk.ru
Tue Nov 22 18:25:39 UTC 2022
22.11.2022 20:55, Kris Lou via samba wroteт:
>>
>>
>> (I tried to hack DNS for this, with unbound, - it turned out their
>> local-data override does not provide CNAMEs; when I asked about
>> this, they told to use AD-provided functionality for this, - which
>> I'm trying to implement, so far unsuccessfully).
>
>
> Unbound should be able to functionally do this with local-data overrides,
> though I may not have the proper syntax for it. (I use it on pfSense, with
> only a few "custom options" specified to override a target's A record.
> Perhaps this is the difference in syntax, and why they do not provide true
> CNAMEs.). DNSMasq will do it as well, and is super easy to configure, but
> much less capable.
Yes, unbound can override things with local-data. With one exception: local-data
does not support CNAMEs. Or, rather, CNAME expansion: when asked for A record
and there's CNAME with that name, unbound return this CNAME only, so a stub
resolver assumes the name does not exist.
Why not A, why CNAME? This is because of the SPN thing. If I add second "FS A"
record, windows will not log in to this FS server without SPN of cifs/FS@ being
in its keytab. But with CNAME, this SPN is not required - I don't know why this
is so, but I can loging using alternative CNAME but not alternative A.
This is why I asked about duplicating SPN.
There IS a way to use CNAMEs with unbound -- with RPZ.
I asked several times why it's so difficult to implement CNAME expansion in
unbound in local-data. The answer was sort of - "because unbound is not a
full-featured auth nameserver". Although now unbound does have auth-zones
(which also have fun things with CNAMEs, but it is possible to get them
to work).
This is actually of the same theme: I ask one question, but the reply comes
to entirely different question. That's why another question comes to my mind:
what's wrong with my questions. Just like in this thread has been several
times already.
Thanks,
/mjt
More information about the samba
mailing list