Bug 8778 - samba4, bind9.8 dlz, TXT records
Status: RESOLVED FIXED
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: x64 Linux
Priority/Severity: P5 normal
Assigned To: Amitay Isaacs
QA Contact: samba4-qa@samba.org
Reported: 2012-02-25 20:32 UTC by Sergey Urushkin
Modified: 2013-02-11 16:48 UTC

Attachments
ldbsearch results (48.46 KB, text/plain), 2012-02-28 15:16 UTC, Sergey Urushkin

Description Sergey Urushkin 2012-02-25 20:32:30 UTC
Hi. There is an issue with adding DNS TXT RRs to bind with the samba dlz backend (which I really need to serve WPAD, dhcpd updates (using the "execute" statement) and others) - after adding a TXT record to a dlz zone, all records associated with the fqdn of the txt record become unavailable. I can see this added record via ldapsearch, but queries to this record end with "not found" until I delete the TXT dnsRecord attribute via ldap or delete the whole ldap record. Other records in this zone work fine, but I can not edit this zone via the MS dns tool (it can not load this zone) until I remove the txt record from ldap. This bug is one of the main things that stop me from migrating an s3 domain (containing hundreds of users) to s4; of course I could use plain files for dns, but replicating the ldap base looks much more attractive.

Steps to reproduce:

1. Create A and TXT record via nsupdate or MS dns tool
# echo -en 'server pdc\nupdate add s4lin2.telros.lan. 3600 A 192.168.102.100\nupdate add s4lin2.telros.lan. 3600 TXT testrecord\nshow\nsend\n' | nsupdate -g
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
s4lin2.telros.lan.	3600	IN	A	192.168.102.100
s4lin2.telros.lan.	3600	IN	TXT	"testrecord"

2. Try to resolve it or any other existent record in this zone
# host s4lin2.telros.lan
Host s4lin.telros.lan not found: 3(NXDOMAIN)
# host -t txt s4lin2.telros.lan
Host s4lin.telros.lan not found: 3(NXDOMAIN)
# grep -B1 fail /var/log/named/debug.log
25-Feb-2012 22:47:14.106 queries: client 192.168.102.10#38266: query: s4lin2.telros.lan IN TXT + (192.168.101.10)
25-Feb-2012 22:47:14.109 database: samba_dlz: failed to parse dnsRecord for DC=s4lin2,DC=telros.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=telros,DC=lan

3. See it in the ldap database:
# ldapsearch -LLL -b "DC=s4lin2,DC=telros.lan,CN=MicrosoftDNS,dc=domaindnszones,dc=telros,dc=lan"
SASL/GSSAPI authentication started
SASL username: administrator@TELROS.LAN
SASL SSF: 56
SASL data security layer installed.
dn: DC=s4lin2,DC=telros.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=telros,DC=lan
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20120225193452.0Z
uSNCreated: 10813
showInAdvancedViewOnly: TRUE
name: s4lin2
objectGUID:: SUw7T0MpLk+lrLv5KHa2hQ==
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=telros,DC=lan
dc: s4lin2
dnsRecord:: BAABAAXwAAAwAAAAAAAAAAAAAABr/jYAwKhmZA==
dnsRecord:: DQAQAAXwAAAwAAAAAAAOEAAAAABr/jYADSJ0ZXN0cmVjb3JkIg==
whenChanged: 20120225194027.0Z
uSNChanged: 10821
distinguishedName: DC=s4lin2,DC=telros.lan,CN=MicrosoftDNS,DC=DomainDnsZones,D
 C=telros,DC=lan

4. Remove it via ldap:
# ldapdelete "DC=s4lin2,DC=telros.lan,CN=MicrosoftDNS,dc=domaindnszones,dc=telros,dc=lan"
SASL/GSSAPI authentication started
SASL username: administrator@TELROS.LAN
SASL SSF: 56
SASL data security layer installed.

5. Add A record and try to resolve it again
# echo -en 'server pdc\nupdate add s4lin2.telros.lan. 3600 A 192.168.102.100\nsend\n' | nsupdate -g
# host s4lin2.telros.lan
s4lin2.telros.lan has address 192.168.102.100


Also, I see another little bug/feature: if an ldap dns record contains no dnsRecord attribute (it is not normal, but...) nsupdate of this fqdn will always end with SERVFAIL; here are the bind logs:
26-Feb-2012 00:11:30.959 database: samba_dlz: no dnsRecord attribute for DC=s4lin2,DC=telros.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=telros,DC=lan
26-Feb-2012 00:11:30.959 database: samba_dlz: cancelling transaction on zone telros.lan

# samba --version
Version 4.0.0alpha19-GIT-66f13ea
Comment 1 Amitay Isaacs 2012-02-27 06:47:21 UTC
There are two issues:

1. Handling of DNS records without dnsRecord attributes

This has been fixed now.

2. Handling of TXT rdata

Currently this is broken. I am working on a fix for TXT records.

Amitay.
Comment 2 Amitay Isaacs 2012-02-28 06:22:43 UTC
The fixes to TXT record handling are available in dns-wip branch of my git tree.

   git://git.samba.org/amitay/samba.git

Can you check if that fixes the issues for TXT records?

Amitay.
Comment 3 Sergey Urushkin 2012-02-28 11:29:42 UTC
Tried dns-wip branch:

1. Editing RRs without a dnsRecord attribute via nsupdate still doesn't work (tried master and dns-wip branch)
28-Feb-2012 14:55:41.035 database: samba_dlz: starting transaction on zone telros.lan
28-Feb-2012 14:55:41.038 database: samba_dlz: allowing update of signer=administrator\@TELROS.LAN name=s4lin2.telros.lan tcpaddr=192.168.102.10 type=A key=967741016.sig-pdc.telros.lan/160/0
28-Feb-2012 14:55:41.039 update: client 192.168.102.10#43946: updating zone 'telros.lan/NONE': adding an RR at 's4lin2.telros.lan' A
28-Feb-2012 14:55:41.042 database: samba_dlz: no dnsRecord attribute for DC=s4lin2,DC=telros.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=telros,DC=lan
28-Feb-2012 14:55:41.042 database: samba_dlz: cancelling transaction on zone telros.lan

2. The MS DNS tool seems to work fine with TXT RRs now; I can add and delete records and they are resolved correctly. But nsupdate doesn't seem to work with TXT RRs:

# echo -en 'server pdc\nupdate add s4lin2.telros.lan. 3600 A 192.168.102.100\nupdate add s4lin2.telros.lan. 3600 TXT sometext123\nsend\n' | nsupdate -g

# ldapsearch -LLL -b "DC=s4lin2,DC=telros.lan,CN=MicrosoftDNS,dc=domaindnszones,dc=telros,dc=lan"
SASL/GSSAPI authentication started
SASL username: administrator@TELROS.LAN
SASL SSF: 56
SASL data security layer installed.
dn: DC=s4lin2,DC=telros.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=telros,DC=lan
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20120228104828.0Z
whenChanged: 20120228104828.0Z
uSNCreated: 11831
showInAdvancedViewOnly: TRUE
name: s4lin2
objectGUID:: W7so+/3qA0G6KGMnAEOKuA==
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=telros,DC=lan
dc: s4lin2
dnsRecord:: BAABAAXwAABQAAAAAAAOEAAAAACq/jYAwKhmZA==
dnsRecord:: DgAQAAXwAABQAAAAAAAOEAAAAACq/jYADiJzb21ldGV4dDEyMyI=
uSNChanged: 11832
distinguishedName: DC=s4lin2,DC=telros.lan,CN=MicrosoftDNS,DC=DomainDnsZones,D
 C=telros,DC=lan

# host -ttxt s4lin2
Host s4lin2 not found: 3(NXDOMAIN)
Bind logs:
28-Feb-2012 14:43:00.936 queries: client 192.168.102.10#37955: query: s4lin2.telros.lan IN TXT + (192.168.101.10)
28-Feb-2012 14:43:00.939 database: samba_dlz: failed to parse dnsRecord for DC=s4lin2,DC=telros.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=telros,DC=lan

And now I can not edit zone via MS tool, until I delete TXT record through ldap.

###
Additionally, I have issues with deleting A, TXT, PTR (maybe others) records with nsupdate (by administrator); should I post it here, file another bug, or write to the samba-technical mailing list?
Comment 4 Amitay Isaacs 2012-02-28 12:03:15 UTC
Looks like you have not restarted named and/or named is still using older dlz_bind9 module. Can you confirm that?

If you have created any TXT records using earlier code, those would be stored incorrectly in the database, so those will have to be deleted manually and re-created.

You can use ldbsearch instead of ldapsearch as it can interpret dnsRecord attributes with --show-binary option. If ldbsearch (with --show-binary) is able to correctly decode the dnsRecord attributes with TXT record, then named should be able to handle it and you can update it.

What is the issue with deleting A, TXT, PTR records via nsupdate?
Can you post the nsupdate commands and the named log?
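The check comment 4 suggests doing with ldbsearch --show-binary can also be done offline on the base64 values already quoted in this bug. The script below is an added example, not part of this report and not Samba's own code: it decodes the dnsRecord values from the description and from comment 3 according to the MS-DNSP DNS_RPC_RECORD layout (a 24-byte header, little-endian except for the big-endian TTL, followed by wDataLength bytes of rdata; TXT rdata is a sequence of strings each prefixed by a one-byte length). It shows why named logged "failed to parse dnsRecord": in both TXT blobs the rdata starts with a length byte that is one more than the number of bytes that follow, and the quote characters of "testrecord" / "sometext123" are stored literally, so the single character-string overruns the blob. The A blobs decode cleanly to 192.168.102.100 (TTL 0 in the description, 3600 in comment 3). The field names, the BUG_BLOBS dictionary and the encode_txt helper are this example's own choices, assumed rather than taken from Samba.

```python
"""Decode dnsRecord attribute values (MS-DNSP DNS_RPC_RECORD) from an AD DNS zone.

Layout: 24-byte header, then wDataLength bytes of rdata. Header fields are
little-endian except dwTtlSeconds, which is big-endian. TXT rdata is a
sequence of strings, each prefixed by a one-byte length.
"""
import base64
import struct
from dataclasses import dataclass
from typing import Dict, List

TYPE_A = 1
TYPE_TXT = 16
HEADER_LEN = 24

# Values copied verbatim from this bug report (description and comment 3).
BUG_BLOBS = {
    "A, description":   "BAABAAXwAAAwAAAAAAAAAAAAAABr/jYAwKhmZA==",
    "TXT, description": "DQAQAAXwAAAwAAAAAAAOEAAAAABr/jYADSJ0ZXN0cmVjb3JkIg==",
    "A, comment 3":     "BAABAAXwAABQAAAAAAAOEAAAAACq/jYAwKhmZA==",
    "TXT, comment 3":   "DgAQAAXwAABQAAAAAAAOEAAAAACq/jYADiJzb21ldGV4dDEyMyI=",
}


@dataclass
class DnsRpcRecord:
    rtype: int
    version: int
    rank: int
    flags: int
    serial: int
    ttl: int
    timestamp: int
    data: bytes


def parse_dns_record(blob: bytes) -> DnsRpcRecord:
    """Split a dnsRecord blob into header fields and raw rdata."""
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than the %d-byte header" % HEADER_LEN)
    data_len, rtype, version, rank, flags, serial = struct.unpack_from("<HHBBHI", blob, 0)
    (ttl,) = struct.unpack_from(">I", blob, 12)          # the one big-endian field
    _reserved, timestamp = struct.unpack_from("<II", blob, 16)
    if len(blob) != HEADER_LEN + data_len:
        raise ValueError("wDataLength %d but %d rdata bytes present"
                         % (data_len, len(blob) - HEADER_LEN))
    return DnsRpcRecord(rtype, version, rank, flags, serial, ttl, timestamp,
                        blob[HEADER_LEN:])


def decode_a(data: bytes) -> str:
    if len(data) != 4:
        raise ValueError("A rdata must be 4 bytes, got %d" % len(data))
    return ".".join(str(b) for b in data)


def decode_txt(data: bytes) -> List[str]:
    """Walk the length-prefixed strings; refuse a length that overruns the rdata."""
    strings, pos = [], 0
    while pos < len(data):
        n = data[pos]
        pos += 1
        if pos + n > len(data):
            raise ValueError("TXT string length %d overruns the %d remaining bytes"
                             % (n, len(data) - pos))
        strings.append(data[pos:pos + n].decode("ascii"))
        pos += n
    return strings


def encode_txt(strings: List[str], serial: int, ttl: int, timestamp: int = 0) -> bytes:
    """Build a well-formed TXT record: version 5, rank 0xF0 (zone data), no quotes."""
    for s in strings:
        if len(s) > 255:
            raise ValueError("character-string longer than 255 bytes")
    data = b"".join(bytes([len(s)]) + s.encode("ascii") for s in strings)
    header = (struct.pack("<HHBBHI", len(data), TYPE_TXT, 5, 0xF0, 0, serial)
              + struct.pack(">I", ttl)
              + struct.pack("<II", 0, timestamp))
    return header + data


def describe(b64: str) -> Dict[str, object]:
    """Decode one base64 value; parse problems are reported under 'error', not raised."""
    out: Dict[str, object] = {}
    try:
        rec = parse_dns_record(base64.b64decode(b64))
        out.update(type=rec.rtype, serial=rec.serial, ttl=rec.ttl,
                   timestamp=rec.timestamp, rdata_hex=rec.data.hex())
        if rec.rtype == TYPE_A:
            out["rdata"] = decode_a(rec.data)
        elif rec.rtype == TYPE_TXT:
            out["rdata"] = decode_txt(rec.data)
        else:
            out["rdata"] = rec.data.hex()
    except ValueError as e:
        out["error"] = str(e)
    return out


if __name__ == "__main__":
    for name, b64 in BUG_BLOBS.items():
        print("%-18s %s" % (name, describe(b64)))
    fixed = base64.b64encode(encode_txt(["testrecord"], serial=48, ttl=3600)).decode()
    print("%-18s %s" % ("TXT, well-formed", describe(fixed)))
```

Run it as-is and the two TXT entries come back with an "error" key while both A entries decode; the rdata_hex field makes the literal 0x22 quote bytes and the off-by-one length visible without any LDAP access. The same describe() can be pointed at any dnsRecord value pulled out with ldapsearch to find entries that named will refuse to serve.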
Comment 5 Sergey Urushkin 2012-02-28 13:30:56 UTC
(In reply to comment #4)
> Looks like you have not restarted named and/or named is still using older
> dlz_bind9 module. Can you confirm that?

Sorry, I just forgot to restart bind :) It seems that adding/deleting/resolving txt records with nsupdate works fine now; I tested it with my shell script (based on a solution found on the net) for gssapi dhcpd-ddns-updates, it uses DHCID and works in a way similar to rfc4701. If someone needs it I can post it.

> You can use ldbsearch instead of ldapsearch as it can interpret dnsRecord
> attributes with --show-binary option. If ldbsearch (with --show-binary) is able
> to correctly decode the dnsRecord attributes with TXT record, then named should
> be able to handle it and you can update it.

Thanks for info.

> What is the issue with deleting A, TXT, PTR records via nsupdate?
> Can you post the nsupdate commands and the named log?

Deleting A, TXT records seems to work fine after the restart, but I can not delete any PTR record; here is what I can see in the logs:

28-Feb-2012 17:20:56.622 database: samba_dlz: starting transaction on zone 102.168.192.in-addr.arpa
28-Feb-2012 17:20:56.625 database: samba_dlz: allowing update of signer=administrator\@TELROS.LAN name=100.102.168.192.in-addr.arpa tcpaddr=192.168.102.10 type=PTR key=1803076133.sig-pdc.telros.lan/160/0
28-Feb-2012 17:20:56.626 update: client 192.168.102.10#35367: updating zone '102.168.192.in-addr.arpa/NONE': deleting rrset at '100.102.168.192.in-addr.arpa' PTR
28-Feb-2012 17:20:56.628 database: samba_dlz: cancelling transaction on zone 102.168.192.in-addr.arpa

No reason, just cancelling... Maybe I can debug it some other way?
Comment 6 Amitay Isaacs 2012-02-28 13:43:01 UTC
Can you use samba-tool dns command to delete PTR record?

samba-tool dns delete s4lin2 102.168.192.in-addr.arpa 100 PTR <host.telros.lan> -U administrator%<password>

Also, can you list the reverse zone records with samba-tool.

samba-tool dns query s4lin2 102.168.192.in-addr.arpa @ ALL -U .....

To debug why BIND refuses to delete particular record, you can dump the record using ldbsearch (with --show-binary). That might give some clues.
Comment 7 Sergey Urushkin 2012-02-28 15:16:01 UTC
Created attachment 7351
ldbsearch results

(In reply to comment #6)
> Can you use samba-tool dns command to delete PTR record?
> 
Yes.

> Also, can you list the reverse zone records with samba-tool.
> 
# samba-tool dns query pdc 102.168.192.in-addr.arpa @ ALL
  Name=, Records=2, Children=0
    NS: pdc.telros.lan. (flags=600000f0, serial=1, ttl=0)
    SOA: serial=48, refresh=900, retry=600, expire=86400, ns=pdc.telros.lan., email=hostmaster.telros.lan. (flags=600000f0, serial=48, ttl=3600)
  Name=10, Records=1, Children=0
    PTR: s4dc2.telros.lan (flags=f0, serial=2, ttl=0)
  Name=100, Records=1, Children=0
    PTR: s4lin2.telros.lan (flags=f0, serial=48, ttl=0)
  Name=101, Records=1, Children=0
    PTR: s4wxp.telros.lan (flags=f0, serial=98, ttl=1200)
  Name=20, Records=1, Children=0
    PTR: s4wxp.telros.lan (flags=f0, serial=18, ttl=1200)
  Name=40, Records=1, Children=0
    PTR: S4W2K8.telros.lan (flags=f0, serial=17, ttl=1200)
  Name=50, Records=1, Children=0
    PTR: s4lin.telros.lan (flags=f0, serial=5, ttl=0)

> 
> To debug why BIND refuses to delete particular record, you can dump the record
> using ldbsearch (with --show-binary). That might give some clues.

# ldbsearch -H /usr/local/samba/private/dns/sam.ldb.d/DC\=DOMAINDNSZONES\,DC\=TELROS\,DC\=LAN.ldb --show-binary -b DC=100,DC=102.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=telros,DC=lan

is in the attachment
Comment 8 Amitay Isaacs 2012-03-01 13:26:10 UTC
Now you should be able to add/delete TXT/PTR records via nsupdate. The modified code is in my dns-wip branch. It should be in master soon.
Comment 9 Sergey Urushkin 2012-03-02 06:37:12 UTC
(In reply to comment #8)
> Now you should be able to add/delete TXT/PTR records via nsupdate. The modified
> code is in my dns-wip branch. It should be in master soon.

Yes, now it's working. Waiting for it to be in the master. Thanks.

But I found another issue :) It's about NS records.
I can't add NS records with samba-tool or the MS DNS tool, while I can do it via nsupdate. Using your dns-wip branch.

# host -tns telros.lan
telros.lan name server pdc.telros.lan.
telros.lan name server s4dc2.telros.lan.

# samba-tool dns add pdc telros.lan @ NS s4w2k82.telros.lan
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 162, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py", line 1057, in run
    None)

####

Well, I'd like to take this opportunity to ask you two questions here:
Are there any news about dns partitions replication between s4 DCs? (https://lists.samba.org/archive/samba-technical/2012-February/081857.html)
And about bind: what about dns-notifying with bind's dlz backend? It seems that bind can't do this, but maybe there is some hook which I can use to send notifies by a script.
Comment 10 Amitay Isaacs 2012-03-02 07:23:46 UTC
That was a pretty stupid bug. It's fixed now in my tree. Should be in master soon.

Thanks for pointing out various issues/bugs with DNS code in samba.


As for the other questions:

Currently DNS partitions do get replicated between S4 DCs. The problem is setting up the correct attributes for the partitions. I haven't had time to look into it to figure out whether it's an issue of replication or something else.

Dynamically Loadable Zones (DLZ) do not have any provision to trigger NOTIFY event from named. Unless named does that automatically if there are slaves configured. If you have a slave dns server you can test to see if you get any NOTIFY messages. Otherwise I guess NOTIFY will have to wait till DLZ can support it.

I guess once the replication issue has been sorted out, you don't really need NOTIFY since you can configure multiple BIND with DLZ.
Comment 11 Sergey Urushkin 2012-03-02 09:58:52 UTC
(In reply to comment #10)
> That was a pretty stupid bug. It's fixed now in my tree. Should be in master
> soon.
> 
Yeah, now it works.
> 
> As for the other questions:
> 
> Currently DNS partitions do get replicated between S4 DCs. The problem is
> setting up the correct attributes for the partitions. I haven't had time to
> look to figure out whether it's an issue of replication or something else. 
> 
I have just reinstalled s4 on both controllers. Removed all data from the private dir of the second controller and rejoined it. I can not see domain/forestdnszones in the ldap database of the second controller, and there is no "dns" directory and named.conf in the private dir. Maybe I should change some attributes on my first controller? My first controller's data is the result of migrating from s3 (snapshot from master, about 3 weeks ago).

> Dynamically Loadable Zones (DLZ) do not have any provision to trigger NOTIFY
> event from named. Unless named does that automatically if there are slaves
> configured. If you have a slave dns server you can test to see if you get any
> NOTIFY messages. Otherwise I guess NOTIFY will have to wait till DLZ can
> support it.

No, I can't see NOTIFY messages.
> 
> I guess once the replication issue has been sorted out, you don't really need
> NOTIFY since you can configure multiple BIND with DLZ.

My DCs will be located in different offices, so I want to have a slave bind in every office. Is it possible to use the bind dlz backend without installing a full DC (use only replicating dns partitions)? If not, then it would be really nice to implement something like http://thewalter.net/stef/software/slapi-dnsnotify/ for samba4; is there any hope it'll ever be implemented? If not, then I could use a notify-dns-slaves-with-cron solution like http://mailman.powerdns.com/pipermail/pdns-users/2010-October/007109.html (it's ugly, but seems to work and is better than blindly transferring zones every n minutes).
Comment 12 Matthias Dieter Wallnöfer 2012-03-27 14:51:49 UTC
Should be fixed as well as far as I understand.