Bug 12032 - BIND DLZ with WINS Forwarding records in zone causes named to fail
Status: RESOLVED INVALID
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.4.4
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2016-07-24 03:41 UTC by Arcadiy Ivanov
Modified: 2020-12-22 08:21 UTC
Description Arcadiy Ivanov 2016-07-24 03:41:10 UTC
The original bug was filed in Zentyal, but it went dormant, was closed, and wasn't acted upon: https://tracker.zentyal.org/issues/1142

When using BIND DLZ (9.9 in my case on CentOS 7) on a Samba DC with Windows 2003 R2 PDC, the presence of WINS Forwarding (https://technet.microsoft.com/en-us/library/cc731480(v=ws.11).aspx) in a domain DNS zone will cause named to fail to start with the following messages:

Jul 23 23:03:30 dc1 named[10886]: zone foo.bar/NONE: has 0 SOA records
Jul 23 23:03:30 dc1 named[10886]: zone foo.bar/NONE: has no NS records
Jul 23 23:03:30 dc1 named[10886]: samba_dlz: Failed to configure zone 'foo.bar'
Jul 23 23:03:30 dc1 named[10886]: loading configuration: bad zone
Jul 23 23:03:30 dc1 named[10886]: exiting (due to fatal error)


Specifically the entire failure log:

Jul 23 23:03:29 dc1 named[10886]: starting BIND 9.9.4-RedHat-9.9.4-29.el7_2.3 -u named
Jul 23 23:03:29 dc1 named[10886]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--enable-rrl' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-exportlib' '--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include' '--includedir=/usr/include/bind9' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'
Jul 23 23:03:29 dc1 named[10886]: ----------------------------------------------------
Jul 23 23:03:29 dc1 named[10886]: BIND 9 is maintained by Internet Systems Consortium,
Jul 23 23:03:29 dc1 named[10886]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Jul 23 23:03:29 dc1 named[10886]: corporation.  Support and training for BIND 9 are
Jul 23 23:03:29 dc1 named[10886]: available at https://www.isc.org/support
Jul 23 23:03:29 dc1 named[10886]: ----------------------------------------------------
Jul 23 23:03:29 dc1 named[10886]: adjusted limit on open files from 4096 to 1048576
Jul 23 23:03:29 dc1 named[10886]: found 4 CPUs, using 4 worker threads
Jul 23 23:03:29 dc1 named[10886]: using 4 UDP listeners per interface
Jul 23 23:03:29 dc1 named[10886]: using up to 4096 sockets
Jul 23 23:03:29 dc1 named[10886]: loading configuration from '/etc/named.conf'
Jul 23 23:03:29 dc1 named[10886]: reading built-in trusted keys from file '/etc/named.iscdlv.key'
Jul 23 23:03:29 dc1 named[10886]: using default UDP/IPv4 port range: [1024, 65535]
Jul 23 23:03:29 dc1 named[10886]: using default UDP/IPv6 port range: [1024, 65535]
Jul 23 23:03:29 dc1 named[10886]: listening on IPv4 interface lo, 127.0.0.1#53
Jul 23 23:03:29 dc1 named[10886]: listening on IPv4 interface eno1, 192.168.1.41#53
Jul 23 23:03:29 dc1 named[10886]: listening on IPv6 interface lo, ::1#53
Jul 23 23:03:29 dc1 named[10886]: generating session key for dynamic DNS
Jul 23 23:03:29 dc1 named[10886]: sizing zone task pool based on 6 zones
Jul 23 23:03:29 dc1 named[10886]: Loading 'AD DNS Zone' using driver dlopen
Jul 23 23:03:30 dc1 named[10886]: samba_dlz: started for DN DC=foo,DC=bar
Jul 23 23:03:30 dc1 named[10886]: samba_dlz: starting configure
Jul 23 23:03:30 dc1 named[10886]: samba_dlz b9_format: unhandled record type 65282
Jul 23 23:03:30 dc1 named[10886]: samba_dlz b9_format: unhandled record type 65282
Jul 23 23:03:30 dc1 named[10886]: samba_dlz: configured writeable zone '1.168.192.in-addr.arpa'
Jul 23 23:03:30 dc1 named[10886]: samba_dlz b9_format: unhandled record type 65281
Jul 23 23:03:30 dc1 named[10886]: samba_dlz b9_format: unhandled record type 65281
Jul 23 23:03:30 dc1 named[10886]: samba_dlz: configured writeable zone '_msdcs.foo.bar'
Jul 23 23:03:30 dc1 named[10886]: samba_dlz b9_format: unhandled record type 65281
Jul 23 23:03:30 dc1 named[10886]: zone foo.bar/NONE: has 0 SOA records
Jul 23 23:03:30 dc1 named[10886]: zone foo.bar/NONE: has no NS records
Jul 23 23:03:30 dc1 named[10886]: samba_dlz: Failed to configure zone 'foo.bar'
Jul 23 23:03:30 dc1 named[10886]: loading configuration: bad zone
Jul 23 23:03:30 dc1 named[10886]: exiting (due to fatal error)
Jul 23 23:03:30 dc1 named[10886]: samba_dlz: shutting down
Jul 23 23:03:30 dc1 systemd: named.service: control process exited, code=exited status=1
Jul 23 23:03:30 dc1 systemd: Failed to start Berkeley Internet Name Domain (DNS).

==============

Compare with successful named start once the WINS Forwarding was turned off on Windows PDC and the zone was replicated:

Jul 23 23:13:15 dc1 named[11029]: starting BIND 9.9.4-RedHat-9.9.4-29.el7_2.3 -u named
Jul 23 23:13:15 dc1 named[11029]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--enable-rrl' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-exportlib' '--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include' '--includedir=/usr/include/bind9' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'
Jul 23 23:13:15 dc1 named[11029]: ----------------------------------------------------
Jul 23 23:13:15 dc1 named[11029]: BIND 9 is maintained by Internet Systems Consortium,
Jul 23 23:13:15 dc1 named[11029]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Jul 23 23:13:15 dc1 named[11029]: corporation.  Support and training for BIND 9 are
Jul 23 23:13:15 dc1 named[11029]: available at https://www.isc.org/support
Jul 23 23:13:15 dc1 named[11029]: ----------------------------------------------------
Jul 23 23:13:15 dc1 named[11029]: adjusted limit on open files from 4096 to 1048576
Jul 23 23:13:15 dc1 named[11029]: found 4 CPUs, using 4 worker threads
Jul 23 23:13:15 dc1 named[11029]: using 4 UDP listeners per interface
Jul 23 23:13:15 dc1 named[11029]: using up to 4096 sockets
Jul 23 23:13:15 dc1 named[11029]: loading configuration from '/etc/named.conf'
Jul 23 23:13:15 dc1 named[11029]: reading built-in trusted keys from file '/etc/named.iscdlv.key'
Jul 23 23:13:15 dc1 named[11029]: using default UDP/IPv4 port range: [1024, 65535]
Jul 23 23:13:15 dc1 named[11029]: using default UDP/IPv6 port range: [1024, 65535]
Jul 23 23:13:15 dc1 named[11029]: listening on IPv4 interface lo, 127.0.0.1#53
Jul 23 23:13:15 dc1 named[11029]: listening on IPv4 interface eno1, 192.168.1.41#53
Jul 23 23:13:15 dc1 named[11029]: listening on IPv6 interface lo, ::1#53
Jul 23 23:13:15 dc1 named[11029]: generating session key for dynamic DNS
Jul 23 23:13:15 dc1 named[11029]: sizing zone task pool based on 6 zones
Jul 23 23:13:15 dc1 named[11029]: Loading 'AD DNS Zone' using driver dlopen
Jul 23 23:13:16 dc1 named[11029]: samba_dlz: started for DN DC=foo,DC=bar
Jul 23 23:13:16 dc1 named[11029]: samba_dlz: starting configure
Jul 23 23:13:16 dc1 named[11029]: samba_dlz b9_format: unhandled record type 65282
Jul 23 23:13:16 dc1 named[11029]: samba_dlz b9_format: unhandled record type 65282
Jul 23 23:13:16 dc1 named[11029]: samba_dlz: configured writeable zone '1.168.192.in-addr.arpa'
Jul 23 23:13:16 dc1 named[11029]: samba_dlz: configured writeable zone '_msdcs.foo.bar'
Jul 23 23:13:16 dc1 named[11029]: samba_dlz: configured writeable zone 'foo.bar'
Jul 23 23:13:16 dc1 named[11029]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
Jul 23 23:13:16 dc1 named[11029]: zone 'version.bind' allows updates by IP address, which is insecure
Jul 23 23:13:16 dc1 named[11029]: zone 'hostname.bind' allows updates by IP address, which is insecure
Jul 23 23:13:16 dc1 named[11029]: zone 'authors.bind' allows updates by IP address, which is insecure
Jul 23 23:13:16 dc1 named[11029]: zone 'id.server' allows updates by IP address, which is insecure
Jul 23 23:13:16 dc1 named[11029]: command channel listening on 127.0.0.1#953
Jul 23 23:13:16 dc1 named[11029]: command channel listening on ::1#953
Jul 23 23:13:16 dc1 named[11029]: managed-keys-zone: loaded serial 29
Jul 23 23:13:16 dc1 named[11029]: zone 0.in-addr.arpa/IN: loaded serial 0
Jul 23 23:13:16 dc1 named[11029]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Jul 23 23:13:16 dc1 named[11029]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Jul 23 23:13:16 dc1 named[11029]: zone localhost/IN: loaded serial 0
Jul 23 23:13:16 dc1 named[11029]: zone localhost.localdomain/IN: loaded serial 0
Jul 23 23:13:16 dc1 named[11029]: all zones loaded
Jul 23 23:13:16 dc1 named[11029]: running
Jul 23 23:13:16 dc1 systemd: Started Berkeley Internet Name Domain (DNS).
Comment 1 Rowland Penny 2020-12-21 22:07:02 UTC
This isn't a Samba bug. On the Microsoft page linked above it says this:

Select the Do not replicate this record check box for this WINS record, if applicable.

If you are replicating this zone between DNS servers that do not recognize the WINS or WINS-R resource records, select this check box. This prevents these records from being replicated to these other servers during zone transfers. If this zone will be used in performing zone transfers to BIND servers, this is a critical option because Berkeley Internet Name Domain (BIND) will not recognize WINS records.

It appears you cannot use the WINS records with BIND9.
Comment 2 Rowland Penny 2020-12-22 08:13:17 UTC
Closing this, it isn't anything to do with Samba.
Comment 3 Andrew Bartlett 2020-12-22 08:21:58 UTC
It is important to note that Samba's replication is DRS replication, not zone transfers, so this option wouldn't have any impact.

I think the issue is:
Jul 23 23:03:30 dc1 named[10886]: zone foo.bar/NONE: has 0 SOA records
Jul 23 23:03:30 dc1 named[10886]: zone foo.bar/NONE: has no NS records

This special zone doesn't meet the needs of BIND9.
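
An added triage example (not part of the bug report and not Samba or BIND code): it groups the samba_dlz messages from the failing start-up by zone, showing which zones logged an unhandled record type yet still configured and which zone failed with the SOA/NS complaints. The names for types 65281 and 65282 (Microsoft's DNS_TYPE_WINS 0xFF01 and DNS_TYPE_WINSR 0xFF02) and the rule that messages logged before an outcome line belong to that zone are assumptions not stated on the page; the sample is a trimmed, constructed copy of the log above.

```python
import re
from collections import defaultdict

# Microsoft-specific DNS record types (0xFF01 / 0xFF02); mapping is not from the page.
MS_TYPES = {65281: "WINS", 65282: "WINSR"}

# Constructed sample: a trimmed copy of the failing start-up quoted in this report.
SAMPLE = """\
Jul 23 23:03:30 dc1 named[10886]: samba_dlz: starting configure
Jul 23 23:03:30 dc1 named[10886]: samba_dlz b9_format: unhandled record type 65282
Jul 23 23:03:30 dc1 named[10886]: samba_dlz: configured writeable zone '1.168.192.in-addr.arpa'
Jul 23 23:03:30 dc1 named[10886]: samba_dlz b9_format: unhandled record type 65281
Jul 23 23:03:30 dc1 named[10886]: samba_dlz: configured writeable zone '_msdcs.foo.bar'
Jul 23 23:03:30 dc1 named[10886]: samba_dlz b9_format: unhandled record type 65281
Jul 23 23:03:30 dc1 named[10886]: zone foo.bar/NONE: has 0 SOA records
Jul 23 23:03:30 dc1 named[10886]: zone foo.bar/NONE: has no NS records
Jul 23 23:03:30 dc1 named[10886]: samba_dlz: Failed to configure zone 'foo.bar'
"""

LINE = re.compile(r"named\[(\d+)\]: (.*)$")
UNHANDLED = re.compile(r"samba_dlz b9_format: unhandled record type (\d+)")
COMPLAINT = re.compile(r"zone \S+/\S+: (has 0 SOA records|has no NS records)")
OUTCOME = re.compile(r"samba_dlz: (configured writeable|Failed to configure) zone '([^']+)'")

def triage(log_text):
    """Return {zone: {"ok": bool, "unhandled": [...], "complaints": [...]}}."""
    pending = defaultdict(lambda: {"unhandled": [], "complaints": []})
    zones = {}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not a named[pid] syslog line
        pid, msg = m.groups()
        if u := UNHANDLED.search(msg):
            name = MS_TYPES.get(int(u.group(1)), "TYPE" + u.group(1))
            if name not in pending[pid]["unhandled"]:
                pending[pid]["unhandled"].append(name)
        elif c := COMPLAINT.search(msg):
            pending[pid]["complaints"].append(c.group(1))
        elif o := OUTCOME.search(msg):
            # Assumption: messages logged since the previous outcome line belong to this zone.
            seen = pending.pop(pid, {"unhandled": [], "complaints": []})
            zones[o.group(2)] = {"ok": o.group(1).startswith("configured"), **seen}
    return zones

if __name__ == "__main__":
    for zone, info in triage(SAMPLE).items():
        print(zone, info)
```
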