Bug 12451 - We set dwTimeStamp value of dnsRecord attributes is updated incorrectly
Summary: We set dwTimeStamp value of dnsRecord attributes is updated incorrectly
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DNS server (internal) (show other bugs)
Version: 4.5.1
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Douglas Bagnall
QA Contact: Samba QA Contact
Depends on:
Reported: 2016-11-25 15:13 UTC by Stefan Metzmacher
Modified: 2021-12-03 00:08 UTC (History)
4 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Metzmacher 2016-11-25 15:13:06 UTC
Currently we mark dynamic dns updates as 'static' and rpc updates dynamic.
Comment 1 Louis 2019-05-03 06:51:17 UTC
Hai, the texts on the site : https://wiki.samba.org/index.php/Samba_4.9_Features_added/changed 

Suggests that this bug exists in older version, which suggests if fixed in newer samba version but its unclear if this is fixed or not since the bug report is still open. 

A small update is very appriciated?
Comment 2 Louis 2019-05-06 08:49:42 UTC
this bug is related to : 


due to these mismatches, DDNS updates might go wrong.
Comment 3 Stefan Metzmacher 2019-07-31 08:00:22 UTC
This got fixed as part of bug #10812 for 4.9.0
Comment 4 Alex MacCuish 2019-07-31 16:54:29 UTC
Is there a dbcheck for this yet? On my installation I'm still seeing some static updates marked as dynamic and some dynamic ones as static.
Comment 5 Stefan Metzmacher 2019-08-01 12:52:20 UTC
(In reply to Alex MacCuish from comment #4)

No not yet, that's the hard part :-(

It's not clear how dbcheck could detect records which should
be cleaned up.

One idea would be looking at the owner in the ntSecurityDescriptor
and if it's related to a computer account we could fix the
timestamp to the value of the dnsRecord stamp in replPropertyMetaData.
Comment 6 Stefan Metzmacher 2019-08-01 12:53:40 UTC
(In reply to Stefan Metzmacher from comment #5)

And all records not owned by a computer are static.
Comment 7 Stefan Metzmacher 2019-08-01 12:55:56 UTC
I'm reopening this for the missing dbcheck addition.
Comment 8 Alex MacCuish 2019-08-01 13:07:48 UTC
(In reply to Stefan Metzmacher from comment #5)

My main use will be for Apple devices joined to AD. They have an annoying habit of never deleting their IPv6 addresses (they frequently create new ones, privacy extensions etc), so some of my machines end up having hundreds of AAAA records.

Just checking through the ACLs on my DNS records, your idea of checking to see if the owner sid is a computer account looks pretty reasonable. Either that, or a command for samba-tool dns to allow an admin to manually correct the records :)

The only question is the DC SRV records. Are these meant to be static or dyanmic? They seem to be owned by "SYSTEM" but I have a mix of dynamic and static there, a newly promoted DC has set it's records as static, but other DCs have timestamps.
Comment 9 Stefan Metzmacher 2019-08-01 13:17:38 UTC
(In reply to Alex MacCuish from comment #8)

I think records owned by SYSTEM should be static, but we'd need to check
in a Windows domain.
Comment 10 Andrew Bartlett 2021-03-02 22:19:28 UTC
(In reply to Stefan Metzmacher from comment #9)
Even if not in windows, I think it might get us out of the pickle.
Comment 11 Douglas Bagnall 2021-03-03 01:24:00 UTC
metze, I want to fix this.

Do you have work in progress that I should be aware of?
Comment 12 SATOH Fumiyasu 2021-12-02 00:09:53 UTC
Can we fix this problem with `samba-tool dns zoneoptions --mark-old-records-static=...` introduced at Samba 4.15.0?
Comment 13 Douglas Bagnall 2021-12-03 00:08:23 UTC
(In reply to SATOH Fumiyasu from comment #12)
> Can we fix this problem with `samba-tool dns zoneoptions --mark-old-records-static=...` introduced at Samba 4.15.0?

Yes, or at least, almost.

That option (and --mark-records-dynamic-regex, --mark-records-static-regex) should work to fix up any existing domains, but it won't automatically fix damaged domains, as the hypothetical dbcheck rule would.

The most likely outcome for this bug report is it will linger for a few years before being closed as WONTFIX.