Samba domain controller with internal DNS backend returns NXDOMAIN for empty nonterminals. This breaks resolvers with qname minimisation (RFC 7816) enabled (such as unbound) because they will not attempt to resolve labels below such a domain name.

Example: _kerberos._tcp.realm.name SRV

The resolver will send _tcp.realm.name, get back NXDOMAIN, and will not attempt to resolve the _kerberos._tcp.realm.name domain name. Turning off qname minimisation will resolve this issue but is only a workaround. RFC 2136 seems to specify that empty nonterminals should return NOERROR and that's what the resolvers expect.

Originally reported in Debian: https://bugs.debian.org/920755 by Martin Kraus
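The failure described above, as an added simulation that is not part of the report or of Samba's code: a mock authoritative zone (constructed here, with the hypothetical names realm.name and dc1.realm.name) is queried by a qname-minimising resolver one label at a time. With the reported behaviour (NXDOMAIN for the empty nonterminal _tcp.realm.name) the walk stops before the SRV name is ever asked for; with NOERROR/NODATA at the empty nonterminal it completes. The mock also keeps NXDOMAIN for names that truly do not exist, which is the distinction any fix has to preserve.

```python
"""Simulate an RFC 7816 qname-minimising resolver against a mock zone
that either returns NXDOMAIN or NOERROR/NODATA for empty non-terminals
(ENTs). Constructed example; not Samba or unbound code."""

# Constructed zone. realm.name has apex records, the SRV lives three
# labels down, and _tcp.realm.name is an ENT: no records of its own,
# but a name exists beneath it.
ZONE_APEX = "realm.name"
ZONE_RECORDS = {
    "realm.name": {"SOA": ["dc1.realm.name. hostmaster.realm.name. 1 3600 600 86400 300"],
                   "NS": ["dc1.realm.name"]},
    "dc1.realm.name": {"A": ["192.0.2.10"]},
    "_kerberos._tcp.realm.name": {"SRV": ["0 100 88 dc1.realm.name"]},
}


def labels(name):
    """Split a domain name into its labels, ignoring a trailing dot."""
    return name.rstrip(".").split(".")


def is_empty_nonterminal(name):
    """True when no record set is owned by `name` but some owner name
    in the zone lies beneath it."""
    suffix = "." + name
    return name not in ZONE_RECORDS and any(
        owner.endswith(suffix) for owner in ZONE_RECORDS)


def authoritative_answer(qname, qtype, ent_as_nxdomain):
    """Mock authoritative server. Returns (rcode, list_of_rdata).
    ent_as_nxdomain=True reproduces the behaviour reported against
    the Samba internal DNS backend."""
    if qname in ZONE_RECORDS:
        # Name exists; an empty list here is a NODATA answer.
        return "NOERROR", ZONE_RECORDS[qname].get(qtype, [])
    if is_empty_nonterminal(qname) and not ent_as_nxdomain:
        # Correct ENT handling: the name exists, it just has no records.
        return "NOERROR", []
    # Either a real NXDOMAIN or the reported ENT-as-NXDOMAIN bug.
    return "NXDOMAIN", []


def minimised_resolve(qname, qtype, ent_as_nxdomain):
    """Walk from the zone apex towards qname one label at a time, as a
    qname-minimising resolver does. Intermediate names are queried with
    a harmless type (A here); only the final name gets the real qtype.
    Returns (rcode, rdata_list, [(name_queried, rcode), ...])."""
    full = labels(qname)
    depth_apex = len(labels(ZONE_APEX))
    queried = []
    rcode, answers = "NXDOMAIN", []
    for depth in range(depth_apex, len(full) + 1):
        current = ".".join(full[len(full) - depth:])
        qt = qtype if current == qname else "A"
        rcode, answers = authoritative_answer(current, qt, ent_as_nxdomain)
        queried.append((current, rcode))
        if rcode == "NXDOMAIN":
            # NXDOMAIN asserts that nothing exists below this name
            # (RFC 8020), so a minimising resolver stops here and never
            # sends the full _kerberos._tcp query.
            return "NXDOMAIN", [], queried
    return rcode, answers, queried


if __name__ == "__main__":
    target = "_kerberos._tcp.realm.name"
    for bug in (True, False):
        rcode, rdata, path = minimised_resolve(target, "SRV", bug)
        print(f"ENT as NXDOMAIN={bug}: {rcode} {rdata} via {path}")
```

Running the block prints the two walks: with the bug, the second query (_tcp.realm.name) comes back NXDOMAIN and the walk ends there; without it, the third query returns the SRV record.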
Tentative patch (not tested): diff --git a/source4/dns_server/dnsserver_common.c b/source4/dns_server/dnsserver_common.c index cc24a6c1b52..df4b50f2639 100644 --- a/source4/dns_server/dnsserver_common.c +++ b/source4/dns_server/dnsserver_common.c @@ -48,7 +48,7 @@ uint8_t werr_to_dns_err(WERROR werr) } else if (W_ERROR_EQUAL(DNS_ERR(NAME_ERROR), werr)) { return DNS_RCODE_NXDOMAIN; } else if (W_ERROR_EQUAL(WERR_DNS_ERROR_NAME_DOES_NOT_EXIST, werr)) { - return DNS_RCODE_NXDOMAIN; + return DNS_RCODE_OK; } else if (W_ERROR_EQUAL(DNS_ERR(NOT_IMPLEMENTED), werr)) { return DNS_RCODE_NOTIMP; } else if (W_ERROR_EQUAL(DNS_ERR(REFUSED), werr)) {
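Review bot: remapping WERR_DNS_ERROR_NAME_DOES_NOT_EXIST to DNS_RCODE_OK inside werr_to_dns_err is too broad. That function translates a generic lookup error into an rcode for every query, so the change would also answer a genuinely nonexistent name with NOERROR and an empty answer section instead of NXDOMAIN, which defeats negative caching and the RFC 8020 "nothing below this name" inference that resolvers rely on. The empty-nonterminal case has to be recognised where the name is looked up: return NOERROR with no records only when the queried name owns nothing but at least one name exists beneath it, and keep returning NXDOMAIN otherwise. Since the patch is marked untested, a test that queries an empty nonterminal such as _tcp.<realm> and a truly absent name under the same zone would pin down both behaviours.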