[Samba] AXFR transfer: SRV for DC missing

Markus Gschwendt office+samba at gschwendt.at
Tue Oct 28 23:34:14 UTC 2025


On Tue, 2025-10-28 at 03:16 +0100, Markus Gschwendt via samba wrote:
> On Mon, 2025-10-27 at 18:20 -0700, Steven Monai via samba wrote:
> > On 2025-10-27 9:56 a.m., Ing. Markus Gschwendt via samba wrote:
> > 
> > > ...
> > 
> > I believe you have made an incorrect assumption. There is not just
> > one zone, but two:
> > 
> > example.internal AND _msdcs.example.internal
> > 
> > Even though the latter is a subdomain of the former, the latter is
> > a separate zone, and its contents are NOT transferred when you
> > request AXFR on example.internal. Zone transfers are not recursive.
> > 
> > Try this test instead:
> > 
> > dig  @192.168.0.XXX  _msdcs.example.internal  AXFR | grep -i srv
> > 
> > I think you will find your "missing" records are there.
> 
> Wow, thanks for that hint!
> Yes, I did read that this is a separate zone, but I was not aware
> that subdomains are not included in the AXFR; it's obvious now.
> 

I could successfully test this with clients today. Thx!


Just for the record if someone needs this. Of course some will not
agree to do it at all.
We are syncing the DNS records from the Samba AD DC to our central DNS
system. As the bind9_dlz module does not trigger AXFR/IXFR transfers on
changes we do a pull from the nameserver (refresh-time and retry-time).

This is the relevant part of the config (not the full config):
192.168.0.1 is the nameserver for the whole company
192.168.0.2 is the AD DC for the Samba Domain (here example.internal)


On the AD DC in /etc/smb.conf
-----8<-----
[global]
...
	dns zone transfer clients allow = 192.168.0.1
----->8-----



On the AD DC in /etc/bind/named.conf.options
-----8<-----
options {
...
	forwarders {
		192.168.0.1;
	};
	dnssec-validation no;

	allow-transfer {
		192.168.0.1;
	};
};
----->8-----



On the NS in /etc/bind/named.conf.options
-----8<-----
options {
...
        allow-query {
                lan_addresses;
        };


        forwarders {
                8.8.8.8; # eg google
        };
};
----->8-----



On the NS in /etc/bind/named.conf
-----8<-----
acl lan_addresses {
  192.168.0.0/24;
};

...
zone "example.internal" in {
  // do sync zone more often than specified in SOA
  max-refresh-time 60;
  min-refresh-time 30;
  max-retry-time 60;
  min-retry-time 30;

  type slave;
  masterfile-format text;
  notify no;
  masters { 192.168.0.2; };
  file "/etc/bind/slave/db.example.internal";

  allow-query { localhost; lan_addresses; };
};


zone "_msdcs.example.internal" in {
  // do sync zone more often than specified in SOA
  max-refresh-time 60;
  min-refresh-time 30;
  max-retry-time 60;
  min-retry-time 30;

  type slave;
  masterfile-format text;
  notify no;
  masters { 192.168.0.2; };
  file "/etc/bind/slave/db._msdcs.example.internal";

  allow-query { localhost; lan_addresses; };
};
----->8-----
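A check for the NS side of this setup, added here as an example and not part of the original post or of Samba/BIND: it parses the presentation-format text that `dig @server zone AXFR` prints (the same layout BIND writes to the slave files with `masterfile-format text`) and confirms that the DC locator SRV records arrived in the zone they belong to, the plain `_ldap._tcp`/`_kerberos` names in example.internal and the `dc._msdcs`/`gc._msdcs`/`pdc._msdcs` names in the separate `_msdcs.example.internal` zone. The two sample transfers, the host name dc1 and the minimum set of expected names in `expected_names()` are constructed assumptions for the demo (site-specific `_sites` names are left out); point the script at the two files under /etc/bind/slave/ to run it for real.

```python
"""Verify that a secondary (slave) name server received the AD DC locator
SRV records from BOTH zones, example.internal and _msdcs.example.internal.

Added example, not part of the original mailing-list post. Parses dig AXFR
output or BIND 'masterfile-format text' zone files. Sample data below is
constructed for the demo.
"""
import re
import sys

DOMAIN = "example.internal"

# owner TTL IN SRV priority weight port target  (dig / master-file layout)
SRV_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$",
    re.IGNORECASE,
)


def srv_records(axfr_text):
    """Map each SRV owner name (lower-case, no trailing dot) to its
    (priority, weight, port, target) tuples. Non-SRV lines are skipped."""
    records = {}
    for line in axfr_text.splitlines():
        line = line.split(";", 1)[0].rstrip()  # drop dig's ';' comment lines
        m = SRV_RE.match(line)
        if not m:
            continue
        owner = m["owner"].lower().rstrip(".")
        records.setdefault(owner, []).append(
            (int(m["prio"]), int(m["weight"]), int(m["port"]),
             m["target"].lower().rstrip("."))
        )
    return records


def expected_names(domain):
    """Assumed minimum set of DC locator names a Samba AD DC publishes,
    split into parent-zone names and names that live only in the
    _msdcs child zone. Site-specific (_sites) names are omitted."""
    parent = {
        f"_ldap._tcp.{domain}",
        f"_kerberos._tcp.{domain}",
        f"_kerberos._udp.{domain}",
        f"_kpasswd._tcp.{domain}",
    }
    child = {
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_kerberos._tcp.dc._msdcs.{domain}",
        f"_ldap._tcp.gc._msdcs.{domain}",
        f"_ldap._tcp.pdc._msdcs.{domain}",
    }
    return parent, child


def missing_srv(axfr_text, names):
    """Names from `names` that have no SRV record in the transfer text."""
    found = srv_records(axfr_text)
    return sorted(n for n in names if n.lower() not in found)


def check_sync(parent_axfr, child_axfr, domain=DOMAIN):
    """Check each zone against the names that belong in it. Two empty
    lists mean the secondary holds a usable copy of both zones."""
    parent_names, child_names = expected_names(domain)
    return {
        "parent_missing": missing_srv(parent_axfr, parent_names),
        "child_missing": missing_srv(child_axfr, child_names),
    }


# Constructed sample of `dig @192.168.0.2 example.internal AXFR` output.
# Note the _msdcs delegation is only an NS record here; its SRVs are not.
PARENT_AXFR = """\
; <<>> DiG 9.18 <<>> @192.168.0.2 example.internal AXFR
example.internal.\t3600\tIN\tSOA\tdc1.example.internal. hostmaster.example.internal. 25 900 600 86400 3600
example.internal.\t900\tIN\tNS\tdc1.example.internal.
_msdcs.example.internal.\t900\tIN\tNS\tdc1.example.internal.
_ldap._tcp.example.internal.\t900\tIN\tSRV\t0 100 389 dc1.example.internal.
_kerberos._tcp.example.internal.\t900\tIN\tSRV\t0 100 88 dc1.example.internal.
_kerberos._udp.example.internal.\t900\tIN\tSRV\t0 100 88 dc1.example.internal.
_kpasswd._tcp.example.internal.\t900\tIN\tSRV\t0 100 464 dc1.example.internal.
dc1.example.internal.\t900\tIN\tA\t192.168.0.2
"""

# Constructed sample of `dig @192.168.0.2 _msdcs.example.internal AXFR`.
CHILD_AXFR = """\
_msdcs.example.internal.\t3600\tIN\tSOA\tdc1.example.internal. hostmaster.example.internal. 7 900 600 86400 3600
_msdcs.example.internal.\t900\tIN\tNS\tdc1.example.internal.
_ldap._tcp.dc._msdcs.example.internal.\t900\tIN\tSRV\t0 100 389 dc1.example.internal.
_kerberos._tcp.dc._msdcs.example.internal.\t900\tIN\tSRV\t0 100 88 dc1.example.internal.
_ldap._tcp.gc._msdcs.example.internal.\t900\tIN\tSRV\t0 100 3268 dc1.example.internal.
_ldap._tcp.pdc._msdcs.example.internal.\t900\tIN\tSRV\t0 100 389 dc1.example.internal.
"""

if __name__ == "__main__":
    # Usage: python check_dc_srv.py db.example.internal db._msdcs.example.internal
    if len(sys.argv) == 3:
        parent, child = (open(p).read() for p in sys.argv[1:3])
    else:
        parent, child = PARENT_AXFR, CHILD_AXFR
    # The misread from the thread: looking for dc._msdcs names in the parent transfer.
    print("_msdcs names absent from the parent AXFR (expected, separate zone):",
          missing_srv(parent, expected_names(DOMAIN)[1]))
    print("sync check:", check_sync(parent, child))
```

Run it from cron after the refresh interval, or as a Nagios-style check, and alert when either list is non-empty; a non-empty `child_missing` after a successful parent transfer is exactly the symptom from this thread, and it means the `_msdcs` slave zone, not the parent, needs attention.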


