[Samba] bind9 lockup problem

Rowland Penny rpenny at samba.org
Mon Jan 9 15:00:13 UTC 2023



On 09/01/2023 14:35, Arnaud FLORENT via samba wrote:
> Hi everyone and best wishes for 2023
> 
> 
> I think I'm facing the bind 9 DLZ lockup problem described here:
> 
> https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#The_Lockup_Problem
> 
> 
> running samba 4.16 AD on ubuntu 20.04 with bind 9.16.15
> 
> there are about 500 computers on the network.
> 
> 
> Quickly after bind restart, DNS response delay increases and reaches client 
> timeout (like host or dig on samba host) and named takes a long time to stop.
> 
> 
> If I disable the dlz config on named, there is no dns outage but AD is broken.
> 
> 
> So we set up an external dns server forwarding only queries to the AD 
> domain zone as suggested in the wiki.

That appears to be the fix.

> 
> 
> I have a few questions:
> 
> - Before, running samba 4.3 on ubuntu 16.04 with bind 9.10, I got no 
> outage. Does this problem appear on specific bind or samba versions?

Possibly, but if it is, the versions are unknown.

> 
> - Is there a metric or log I can check in samba or named stats 
> (returned by running rndc stats) to be sure this is the lockup problem 
> described in the wiki?

You shouldn't be using rndc on a Bind9 with a Samba AD DC.
You could set up logging on Bind9 (see bind9 documentation for this); 
this may show the error better.

> 
> - Is there a way to reproduce this problem with a script from only one 
> dns client?

Anything is possible, but you would have to write the script.

> 
> - Is there an alternative solution (other than running an external dns server)?

There are those that say you can run a separate DNS server, but I 
wouldn't recommend this; all the DNS records are in AD.
Are you doing something complex?
Do you actually need Bind9?
Have you tried using the internal dns server with an external dns server 
that forwards everything AD to a DC?

> 
> - Is a fix in bind or samba planned?

As it is thought that this is a Bind problem, a fix to Samba is unlikely 
and Samba has no control over Bind.

Rowland
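
Added example, not part of the original message and not code from Samba or BIND: a low-rate latency probe that records the symptom reported in this thread (response delay growing after a named restart until clients time out) so it can be lined up with named's logs. The server address, record name, window size and threshold factor are assumptions; it measures the symptom only and does not identify the cause.

```python
import socket, statistics, struct, time

def build_query(name, qtype=1, txid=0x1234):
    """Encode one DNS question (class IN, recursion desired) as a UDP payload."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def probe(server, name, timeout=2.0, port=53, txid=0x1234):
    """Round-trip time in seconds for one query, or None on timeout/bad reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.monotonic()
        try:
            s.sendto(build_query(name, txid=txid), (server, port))
            data, _ = s.recvfrom(4096)
        except OSError:          # includes socket.timeout
            return None
        elapsed = time.monotonic() - start
    # Accept only a reply that carries a full header and echoes our query id.
    if len(data) < 12 or struct.unpack("!H", data[:2])[0] != txid:
        return None
    return elapsed

def degraded(samples, timeout=2.0, window=5, factor=3.0):
    """True when the median of the newest `window` samples is at least `factor`
    times the median of the oldest `window`; None (timeout) counts as `timeout`."""
    vals = [timeout if s is None else s for s in samples]
    if len(vals) < 2 * window:
        return False
    baseline = statistics.median(vals[:window])
    recent = statistics.median(vals[-window:])
    return recent >= factor * baseline

if __name__ == "__main__":
    # Placeholders (assumptions): use your DC address and a record in the AD zone.
    SERVER, NAME = "192.0.2.10", "dc1.samdom.example.com"
    samples = []
    for _ in range(60):              # one query every 5 s: a probe, not a load test
        samples.append(probe(SERVER, NAME))
        state = "degraded" if degraded(samples) else "ok"
        print(time.strftime("%H:%M:%S"), samples[-1], state)
        time.sleep(5)
```

Start it right after restarting named so the first samples form the baseline; the timestamps it prints can then be matched against named's log entries.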



