[Samba] Is there any tool to convert DNS database to zone files?
Sami Hulkko
sahulkko at gmail.com
Fri Apr 25 07:37:09 UTC 2025
Joachim,
Thank you, that clarified the situation. In this case DNSSEC would be used internally by Linux servers and PCs for SSH DNSSEC support that Samba DNS options or implementations do not provide. A plain BIND9 server can handle and provide DNSSEC; therefore conversion of the Samba DNS database to zone files for barebone BIND9 was my interest.
SH
On 24/04/2025 18.45, Joachim Lindenberg via samba wrote:
>> On Thu, 24 Apr 2025 10:48:02 +0300
>> Sami Hulkko via samba <samba at lists.samba.org> wrote:
>>
>>> Hi,
>>>
>>> The case I have is dns-sec that with current samba DC implementations
>>> with samba native or samba with Bind9 do not work. In Bind9 native
>>> this feature(dns-sec) is available.
>>>
>> Samba AD does not implement DNSSEC, so I fail to see what using a different dns server will get you.
>>
>> Rowland
>>
> My take: bind supports signing of static data, whereas Samba serves dynamic data and would have to sign on the fly. Imho dynamic signing should be added to bind, not samba, if at all.
> You might get to DNSSEC for your domain, by adding a DNS-server in front of bind that signs all data returned by a samba-ad-dc (bind + dynamic data of samba) on the fly.
> You might also consider using DoT or DoH as an alternative, depending on what you want to achieve. Especially in a Windows 11 environment this is likely the better approach, as the DNS client does not validate DNSSEC anyway. And if you use something like a Pi-hole to address tracking, telemetry, and other unwanted sites, then you don't want the client to validate but to establish trust to your resolver.
>
> Joachim
>
>
--
Sami Hulkko
+358 45 8569 319
sahulkko at gmail.com
sahulkko at icloud.com