[Samba] bind9 lockup problem

Arnaud FLORENT aflorent at iris-tech.fr
Mon Jan 9 15:23:13 UTC 2023 

Le 09/01/2023 à 16:00, Rowland Penny via samba a écrit :
Hi Rowland and thanks for your support.
>
>
> On 09/01/2023 14:35, Arnaud FLORENT via samba wrote:
>> Hi everyone and best wishes for 2023
>>
>>
>> I think i'm facing the bind 9 DLZ lockup problem described here:
>>
>> https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#The_Lockup_Problem 
>>
>>
>>
>> running samba 4.16 AD on ubuntu 20.04 with bind 9.16.15
>>
>> there are about 500 computers on the network.
>>
>>
>> quickly after bind restart, DNS response delay increase and reach 
>> client timeout (like host or dig on samba host) and named is long to 
>> stop.
>>
>>
>> if i disable dlz config on named, there are no dns outage but AD is 
>> broken.
>>
>>
>> so we setup an external dns server forwarding only query to the AD 
>> domain zone as suggested in wiki.
>
> That appears to be the fix.
>
>>
>>
>> i have a few questions:
>>
>> - before running samba 4.3 on ubuntu 16.04  with bind 9.10 , i got no 
>> outage. Does this problem appear on specific bind or samba version?
>
> Possibly, but if it is, the versions are unknown.
ok
>
>>
>> - is there a metric or log  i can check in samba or named stats 
>> (returned by running rndc stats) to be sure this is the lockup 
>> problem described in wiki?
>
> You shouldn't be using rndc on a Bind9 with a Samba AD DC.
> You could set up logging on Bind9 (see bind9 documentation for this), 
> this may show the error better.
ok i will try this if i can
>
>>
>> - is there a way to reproduce this problem with a script from only 
>> one dns client?
>
> Anything is possible, but you would have to write the script.

sure, but as the outage is not described with details, i m not sure i 
can trigger the lock with only one dns client (there might be no lock 
issue) ...

that is more what i was asking...

>
>>
>> - is there alternative solution (than running external dns server)
>
> There are those that say you can run a separate DNS server, but I 
> wouldn't recommend this, all the DNS records are in AD.
> Are you doing something complex ?
> Do you actually need Bind9 ?

yes because i would like to keep handling other zones directly with bind


> Have you tried using the internal dns server with an external dns 
> server that forwards everything AD to a DC ?

unfortunately  no because this server was on production, i had to fix 
this as quick as possible (and i would like to keep using bind9)

>
>>
>> - is a fix in bind or samba planned?
>
> As it is thought that this is a Bind problem, a fix to Samba is 
> unlikely and Samba has no control over Bind.

OK i understand


thanks again for your support.


>
> Rowland
>
>
-- 
Arnaud FLORENT
IRIS Technologies

More information about the samba mailing list