[Samba] Is there any tool to convert DNS database to zone files?

Joachim Lindenberg samba at lindenberg.one
Thu Apr 24 15:45:32 UTC 2025


>On Thu, 24 Apr 2025 10:48:02 +0300
>Sami Hulkko via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>> 
>> The case I have is dns-sec that with current samba DC implementations 
>> with samba native or samba with Bind9 do not work. In Bind9 native 
>> this feature(dns-sec) is available.
>> 
>
>Samba AD does not implement DNSSEC, so I fail to see what using a different dns server will get you.
>
>Rowland
>
My take: bind supports signing of static data, whereas Samba serves dynamic data and would have to sign on the fly. Imho dynamic signing should be added to bind, not samba, if at all.
You might get to DNSSEC for your domain, by adding a DNS-server in front of bind that signs all data returned by a samba-ad-dc (bind + dynamic data of samba) on the fly. 
You might also consider using DoT or DoH as an alternative, depending on what you want to achieve. Especially in a Windows 11 environment this is likely the better approach, as the DNS client does not validate DNSSEC anyway. And if you use something like a Pi-hole to address tracking, telemetry, and other unwanted sites, then you don't want the client to validate but to establish trust to your resolver.

Joachim
