[Samba] Site-specific DNS (was: several offices: home dirs, local resources, ...)

Michael Tokarev mjt at tls.msk.ru
Tue Nov 22 18:25:39 UTC 2022

22.11.2022 20:55, Kris Lou via samba wroteт:
>> (I tried to hack DNS for this, with unbound, - it turned out their
>> local-data override does not provide CNAMEs; when I asked about
>> this, they told to use AD-provided functionality for this, - which
>> I'm trying to implement, so far unsuccessfully).
> Unbound should be able to functionally do this with local-data overrides,
> though I may not have the proper syntax for it.  (I use it on pfSense, with
> only a few "custom options" specified to override a target's A record.
> Perhaps this is the difference in syntax, and why they do not provide true
> CNAMEs.).  DNSMasq will do it as well, and is super easy to configure, but
> much less capable.

Yes, unbound can override things with local-data.  With one exception: local-data
does not support CNAMEs.  Or, rather, CNAME expansion: when asked for A record
and there's CNAME with that name, unbound return this CNAME only, so a stub
resolver assumes the name does not exist.

Why not A, why CNAME? This is because of the SPN thing.  If I add second "FS A"
record, windows will not log in to this FS server without SPN of cifs/FS@ being
in its keytab.  But with CNAME, this SPN is not required - I don't know why this
is so, but I can loging using alternative CNAME but not alternative A.
This is why I asked about duplicating SPN.

There IS a way to use CNAMEs with unbound -- with RPZ.

I asked several times why it's so difficult to implement CNAME expansion in
unbound in local-data.  The answer was sort of - "because unbound is not a
full-featured auth nameserver". Although now unbound does have auth-zones
(which also have fun things with CNAMEs, but it is possible to get them
to work).

This is actually of the same theme: I ask one question, but the reply comes
to entirely different question.  That's why another question comes to my mind:
what's wrong with my questions.  Just like in this thread has been several
times already.



More information about the samba mailing list