bind 9.11.3 BIND9_FLATFILE update-policy

Sergey Urushkin urushkin at telros.ru
Wed Oct 10 11:38:49 UTC 2018


---
Best regards,
Sergey Urushkin


Andrew Bartlett wrote 2018-10-10 13:04:
> On Wed, 2018-10-10 at 10:49 +0100, Rowland Penny via samba-technical
> wrote:
>> On Wed, 10 Oct 2018 12:40:03 +0300
>> Sergey Urushkin via samba-technical <samba-technical at lists.samba.org>
>> wrote:
>> 
>> > Attached.
>> >
>> > ---
>> > Best regards,
>> > Sergey Urushkin
>> >
>> >
>> > Andrew Bartlett wrote 2018-10-10 08:13:
>> > > On Fri, 2018-09-28 at 13:16 +0300, Sergey Urushkin via
>> > > samba-technical wrote:
>> > > > Andrew Bartlett wrote 2018-09-20 18:26:
>> > > > > On Thu, 2018-09-20 at 17:46 +0300, Sergey Urushkin via
>> > > > > samba-technical wrote:
>> > > > > > Hello.
>> > > > > >
>> > > > > > Bind 9.11.3 (shipped with ubuntu 18.04) has modifications that
>> > > > > > prevent bind from starting with samba's update-policy config file
>> > > > > > included (BIND9_FLATFILE backend):
>> > > > > >
>> > > > > > https://gitlab.isc.org/isc-projects/bind9/commit/b329876bf1973bbf2ea922aca0ba6eacf8ca9275
>> > > > > >
>> > > > > > Error text:
>> > > > > > named.conf.update:3: name field not set to placeholder value '.'
>> > > > > >
>> > > > > > This already was in the mail list:
>> > > > > > https://lists.samba.org/archive/samba/2018-March/214738.html
>> > > > > >
>> > > > > > This could be fixed by making a fixed copy of the config and
>> > > > > > including
>> > > > > > it to BIND instead of the original:
>> > > > > > sed 's/ms-self \* /ms-self . /' named.conf.update > named.conf.update.static
>> > > > > >
>> > > > > > The next patch fixes config generation for 9.11.3 and above:
>> > > > > > --- a/source4/dsdb/dns/dns_update.c	2018-07-12
>> > > > > > 11:23:36.000000000 +0300
>> > > > > > +++ b/source4/dsdb/dns/dns_update.c	2018-09-20
>> > > > > > 16:16:32.330242337 +0300
>> > > > > > @@ -242,7 +242,7 @@
>> > > > > >   		dprintf(fd, "%s\n",static_policies);
>> > > > > >   		dprintf(fd, "/* End of static entries */\n");
>> > > > > >   	}
>> > > > > > -	dprintf(fd, "\tgrant %s ms-self * A AAAA;\n", realm);
>> > > > > > +	dprintf(fd, "\tgrant %s ms-self . A AAAA;\n", realm);
>> > > > > >   	dprintf(fd, "\tgrant Administrator@%s wildcard * A
>> > > > > > AAAA SRV CNAME;\n",
>> > > > > > realm);
>> > > > > >
>> > > > > >   	for (i=0; i<dc_count; i++) {
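Review bot: the hunk hardcodes the `.` placeholder in the ms-self grant for every BIND version, while the same message says this is untested against BIND releases before 9.11.3 (which accepted the `*` that the old line emits), and dns_update.c regenerates this file at runtime on whatever named happens to be installed. Either make the value depend on the detected BIND version, as the message itself proposes with `named -V`, or state the minimum supported BIND version in the commit message so existing flat-file deployments are not broken silently.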
>> > > > > >
>> > > > > > But this may not work with the older versions (not tested!).
>> > > > > > If so, we should check the installed bind version on samba start
>> > > > > > while generating the config (named -V) or get the right value
>> > > > > > (* or .) from some other place (config file).
>> > > > > > Another approach: since the config is pretty much static (at
>> > > > > > least with the current single-realm samba, and it also doesn't
>> > > > > > honor the real 'Administrator' account name and, even more
>> > > > > > widely, every dns-administrator name), generate it on provision
>> > > > > > (python/samba/provision/sambadns.py) like we do for
>> > > > > > named.conf.dlz and just leave it as is with comments about BIND
>> > > > > > versions.
>> > > > >
>> > > > > At this stage my preference would have been to remove the
>> > > > > 'feature' entirely, given the limitations.  It causes a job to
>> > > > > run frequently to fill in the file and trigger rndc reload even
>> > > > > when Samba isn't using this, and this *may* be the cause of a
>> > > > > crash or service outage on the bind side.  (Not yet pinned down).
>> > > > >
>> > > > > We would prefer folks used the DLZ driver or the internal DNS,
>> > > > > as these work with Microsoft and Samba admin tools etc.  I don't
>> > > > > mind us generating the zone long-term but I think the rest is
>> > > > > always going to be so site-specific anyway.
>> > > > >
>> > > > > What do you think?
>> > > > >
>> > > > > Andrew Bartlett
>> > > >
>> > > > Agreed.
>> > > > Here is the patch that adds generating update-policy at provision.
>> > > > The second part should be removing named.conf.update code from
>> > > > /source4/dsdb/dns/dns_update.c - but I didn't touch it, since I'm
>> > > > not a
>> > > > C specialist.
>> > >
>> > > Can you make a full git commit with the signed-off-by and send in
>> > > your DCO?  Sorry for the fuss, the details are in the contributing
>> > > page in the wiki.
>> > >
>> > > Thanks,
>> > >
>> > > Andrew Bartlett
>> 
>> Sorry, but there is a line over 80 characters.
>> 
>> Also shouldn't we be removing flat files?
> 
> Sergey,
> 
> Can you fill us in on your use case here?

Actually, this is just history. When we were migrating from a samba3 NT 
domain (that was 4.0 alpha-beta times) the DLZ backend was buggy, didn't 
work with bind views, didn't support zone type mixing (plain+dlz), dhcp-dns 
updates (that's what's left in my memory, I could be wrong). Each of 
these problems could be solved in some way, but this required additional 
configuring, migration and risks, so we decided to do this later. Now 
all those problems seem to be solved and dlz is really stable, so I 
don't see any reason for not using DLZ/INTERNAL for new installations. 
But since we still don't need the features of DLZ, we are still PLAIN, 
that's why I'm voting for supporting this feature :).
Maybe someone has a configured/patched bind version, so that dlz breaks 
it, but I haven't met such. If someone has the plain backend he knows what 
he is doing (and can fix config files), so all we need to support this 
backend without auto-breaking it in the future is removing the 
dns_update.c code. And for new installations we could describe this 
backend as DEPRECATED in docs/tools.

Fixed patch attached.

> 
>> If they work just like BIND9_DLZ, why was BIND9_DLZ written ??
> 
> It certainly isn't nearly as good as the BIND9_DLZ, for example it
> isn't replicated over DRS (but zone transfers would work) and ACLs are
> not the same.
> 
> I see some value in still having Samba template out the flat file, but
> can't really justify the untested code here against my normal policy of
> reducing our supported options and combinations.
> 
> Thanks,
> 
> Andrew Bartlett
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-provision-create-valid-named.conf.update-for-BIND9_F.patch
Type: text/x-diff
Size: 5130 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20181010/760df04a/0001-provision-create-valid-named.conf.update-for-BIND9_F-0001.diff>
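An added example, not code from this thread or from Samba, of the version-aware approach Sergey proposes above: pick the ms-self name-field placeholder from the installed BIND version and rewrite the generated named.conf.update so named accepts it, leaving the other rules (such as the `wildcard` grant) untouched. It assumes that BIND 9.11.3 and later require `.` in the ms-self name field where earlier releases accepted `*`, that the first line of `named -V` starts with `BIND <version>`, and uses a constructed sample policy with the placeholder realm EXAMPLE.COM.

```sh
#!/bin/sh
# Added example (not from the thread or Samba): rewrite the ms-self grants
# in a Samba-generated named.conf.update for the installed BIND version.
#
# Assumption: BIND 9.11.3+ requires '.' in the ms-self name field and
# rejects '*'; older releases accepted '*'.

# version_ge A B: succeed when dotted version A >= B, comparing the first
# three numeric fields; a packaging suffix such as "3-1ubuntu1" is trimmed.
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        f1=$(printf '%s' "$1" | cut -d. -f"$i")
        f2=$(printf '%s' "$2" | cut -d. -f"$i")
        f1=${f1%%[!0-9]*}   # drop anything after the leading digits
        f2=${f2%%[!0-9]*}
        f1=${f1:-0}         # a missing field counts as 0
        f2=${f2:-0}
        if [ "$f1" -gt "$f2" ]; then return 0; fi
        if [ "$f1" -lt "$f2" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# installed_bind_version: version string from `named -V`
# (assumption: its first line begins "BIND <version>"); empty if no named.
installed_bind_version() {
    named -V 2>/dev/null | sed -n '1s/^BIND \([^ ]*\).*/\1/p'
}

# ms_self_placeholder VERSION: '.' for BIND >= 9.11.3, '*' before that.
ms_self_placeholder() {
    if version_ge "$1" 9.11.3; then printf '.'; else printf '*'; fi
}

# fix_update_policy FILE PLACEHOLDER: print FILE with the name field of
# every "grant <principal> ms-self" rule set to PLACEHOLDER. Rules of other
# types (wildcard, subdomain, ...) are left exactly as they are.
fix_update_policy() {
    sed "s/^\([[:space:]]*grant [^ ]* ms-self\) [.*] /\1 $2 /" "$1"
}

# Constructed sample of the file Samba writes (realm is a placeholder),
# using the pre-9.11.3 '*' form that newer named rejects.
sample_policy() {
    printf 'update-policy {\n'
    printf '\tgrant EXAMPLE.COM ms-self * A AAAA;\n'
    printf '\tgrant Administrator@EXAMPLE.COM wildcard * A AAAA SRV CNAME;\n'
    printf '};\n'
}

# Usage: sh fix_policy.sh /path/to/named.conf.update > named.conf.update.static
if [ "$#" -ge 1 ]; then
    ver=$(installed_bind_version)
    ver=${ver:-9.11.3}   # no named on this host: assume a current release
    fix_update_policy "$1" "$(ms_self_placeholder "$ver")"
fi
```

The rewrite is deliberately narrow: only the ms-self rule's name field changes, so a site that has hand-edited other grants in the static copy keeps them, and running the script against an already-fixed file is a no-op.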

