Martin Krämer
2019-Jan-02 11:16 UTC
[Samba] Samba - Bind9 DNS - ISC-DHCP - obsolete DNS entries
Hi everyone,

I have set up a Samba domain with BIND9 dns backend.
Using ISC-DHCP-Server and the procedure/script described in the samba wiki I have configured dynamic dns updates.
https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

In my network I am using PXE to deploy new debian machines.
Booting a nfsroot and then using chroot to install my new system, for each machine there are two dns entries "dhcp-<pxe>-<device>-<ip>-<address>" created, both having their own IP (I assume one for nfsroot and one for chroot environment).
Furthermore during the setup process I change the hostname and use "dhclient -r && dhclient" to be able to resolve the hostname correctly. This is causing an additional dns entry for the correct hostname using the same IP as my chroot environment.

After restarting my newly installed client this means I end up with three dns entries for the same machine, one correct and two incorrect.
Even after a longer time schedule (I have waited up to 49 hours of the client being turned off) the wrong dns entries do not disappear.

My question now is how can I make sure that the wrong dns entries are not created / get updated correctly / disappear after a short amount of time? I would like to end up with only one correct dns entry for one client (NIC).

Below you can find some details about the samba, bind9 & isc-dhcp versions and configuration I use.
"location-000001.example.corp" is my samba, bind & dhcp server.
c9f2cbf9fc26c.example.corp is one client that I installed using PXE.
dhcp-192-168-33-26.example.corp was the nfsroot dhcp assigned hostname of the client and dhcp-192-168-33-27.example.corp was the chroot dhcp assigned hostname of the client, which changed during installation to c9f2cbf9fc26c.example.corp.
Thank you for any help / advice in advance :)

________________________________________________

root at location-000001:~# samba -V
Version 4.5.12-Debian

root at location-000001:~# dhcpd -h
Internet Systems Consortium DHCP Server 4.3.5
Copyright 2004-2016 Internet Systems Consortium.
All rights reserved.
Unknown command -h
Usage: dhcpd [-p <UDP port #>] [-f] [-d] [-q] [-t|-T]
             [-4|-6] [-cf config-file] [-lf lease-file]
             [-user user] [-group group] [-chroot dir]
             [-tf trace-output-file]
             [-play trace-input-file]
             [-pf pid-file] [--no-pid] [-s server]
             [if0 [...ifN]]
If you think you have received this message due to a bug rather
than a configuration issue please read the section on submitting
bugs on either our web page at www.isc.org or in the README file
before submitting a bug. These pages explain the proper
process and the information we find helpful for debugging..
exiting.

root at location-000001:~# named -V
BIND 9.10.3-P4-Debian <id:ebd72b3>
built by make with '--prefix=/usr' '--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so' '--with-randomdev=/dev/urandom' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-zVMG3I/bind9-9.10.3.dfsg.P4=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 6.3.0 20170516
compiled with OpenSSL version: OpenSSL 1.0.2l 25 May 2017
linked to OpenSSL version: OpenSSL 1.0.2q 20 Nov 2018
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904

root at location-000001:~# host -l example.corp
example.corp name server location-000001.example.corp.
example.corp has address 192.168.33.251
_msdcs.example.corp name server location-000001.example.corp.
c9f2cbf9fc26c.example.corp has address 192.168.33.27
ForestDnsZones.example.corp has address 192.168.33.251
DomainDnsZones.example.corp has address 192.168.33.251
location-000001.example.corp has address 192.168.33.251
dhcp-192-168-33-27.example.corp has address 192.168.33.27
dhcp-192-168-33-26.example.corp has address 192.168.33.26

root at location-000001:~# cat /etc/dhcp/dhcpd.conf
##configuration file for isc-dhcp-server
authoritative;
allow unknown-clients;
use-host-decl-names on;
default-lease-time 86400;
max-lease-time 86400;
log-facility local7;

subnet 192.168.33.0 netmask 255.255.255.0 {
    next-server 192.168.33.251;
    option domain-name "example.corp";
    option domain-name-servers 192.168.33.251, 8.8.4.4;
    option routers 192.168.33.1;
    option subnet-mask 255.255.255.0 ;
    range 192.168.33.26 192.168.33.229;
}

class "legacy" {
    match if substring(option vendor-class-identifier, 0, 20) = "PXEClient:Arch:00000";
    if exists user-class and option user-class = "iPXE" { filename "/legacy_menu.ipxe"; }
    else { filename "/undionly.kpxe"; }
    option vendor-encapsulated-options "PXE boot";
}

on commit {
    set noname = concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address));
    set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
    set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
    set ClientName = pick-first-value(option host-name, config-option-host-name, client-name, noname);
    log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " Name: ", ClientName));
    execute("/usr/local/bin/dhcp-dyndns.sh", "add", ClientIP, ClientDHCID, ClientName);
}

on release {
    set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
    set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
    log(concat("Release: IP: ", ClientIP));
    execute("/usr/local/bin/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID);
}

on expiry {
    set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
    log(concat("Expired: IP: ", ClientIP));
    execute("/usr/local/bin/dhcp-dyndns.sh", "delete", ClientIP, "", "0");
}

root at location-000001:~# cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

root at location-000001:~# cat /etc/bind/named.conf.options
options {
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
    allow-recursion { all-networks; 127.0.0.1/32; };
    allow-query { all-networks; 127.0.0.1/32; };
    empty-zones-enable no;
    notify no;
    listen-on port 53 { thisserverip; 127.0.0.1; };
    forwarders { 8.8.4.4; };
    version "0.0.7";
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //     0.0.0.0;
    // };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation no;
    auth-nxdomain yes;    # conform to RFC1035=no but we are the Authoritative server
    listen-on-v6 { none; };
};

acl thisserverip {
    192.168.33.251;
};

acl all-networks {
    192.168.33.0/24;
};

include "/etc/bind/rndc.key";

controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};

root at location-000001:~# cat /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

include "/var/lib/samba/private/named.conf";

root at location-000001:~# cat /var/lib/samba/private/named.conf
# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/var/lib/samba/private/named.conf";

#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";

    # For BIND 9.9.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";

    # For BIND 9.10.x
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";

    # For BIND 9.11.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};

root at location-000001:~# cat /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};

root at location-000001:~#
Rowland Penny
2019-Jan-02 11:51 UTC
[Samba] Samba - Bind9 DNS - ISC-DHCP - obsolete DNS entries
On Wed, 2 Jan 2019 12:16:47 +0100
Martin Krämer via samba <samba at lists.samba.org> wrote:

> Hi everyone,
>
> I have setup a Samba domain with BIND9 dns backend.
> Using ISC-DHCP-Server and procedure/script described in samba wiki I
> have configured dynamic dns updates.
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
>
> In my network I am using PXE to deploy new debian machines.
> Booting a nfsroot and then using chroot to install my new system, for
> each machine there are two dns entries
> "dhcp-<pxe>-<device>-<ip>-<address>" created,
> both having their own IP (I assume one for nfsroot and one for chroot
> environment).
> Furthermore during the setup process I change the hostname and use
> "dhclient -r && dhclient" to be able to resolve the hostname
> correctly. This is causing an additional dns entry for the correct
> hostname using the same IP as my chroot environment.
>
> After restarting my newly installed client this means I end up with
> three dns entries for the same machine, one correct and two incorrect.
> Even after a longer time schedule (I have waited up to 49 hours of the
> client being turned off) the wrong dns entries do not disappear.
>
> My question now is how can I make sure that the wrong dns entries are
> not created / get updated correctly / disappear after a short amount
> of time? I would like to end up with only one correct dns entry for
> one client (NIC).
>

This is something I never considered when I wrote the DHCP update
script (mainly because I do not use PXE), but it is a just a
bash script :-)

I think you will need to extend the script to check for the unwanted
dns entries and then delete them with nsupdate, failing this, use
another script to delete the unwanted entries at first boot.

Rowland
Martin Krämer
2019-Jan-02 12:11 UTC
[Samba] Samba - Bind9 DNS - ISC-DHCP - obsolete DNS entries
Hi,

thanks for the reply.
Having the information that this is no situation considered yet is already
helpful - telling me that I have not missed / misconfigured something. :)

I think the better solution for me is to not even create the unwanted
entries. Filtering for "automatic" dhcp created hostnames (matching
'^dhcp-.*$') to not be added into DNS should do the trick for me here.

Nevertheless, do I understand correctly that there is no automation (not
even BIND9 out of the box) to delete aged/obsolete dns entries
automatically?

Kind Regards
Martin

On Wed, Jan 2, 2019, 12:53 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 2 Jan 2019 12:16:47 +0100
> Martin Krämer via samba <samba at lists.samba.org> wrote:
>
> > Hi everyone,
> >
> > I have setup a Samba domain with BIND9 dns backend.
> > Using ISC-DHCP-Server and procedure/script described in samba wiki I
> > have configured dynamic dns updates.
> >
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
> >
> > In my network I am using PXE to deploy new debian machines.
> > Booting a nfsroot and then using chroot to install my new system, for
> > each machine there are two dns entries
> > "dhcp-<pxe>-<device>-<ip>-<address>" created,
> > both having their own IP (I assume one for nfsroot and one for chroot
> > environment).
> > Furthermore during the setup process I change the hostname and use
> > "dhclient -r && dhclient" to be able to resolve the hostname
> > correctly. This is causing an additional dns entry for the correct
> > hostname using the same IP as my chroot environment.
> >
> > After restarting my newly installed client this means I end up with
> > three dns entries for the same machine, one correct and two incorrect.
> > Even after a longer time schedule (I have waited up to 49 hours of the
> > client being turned off) the wrong dns entries do not disappear.
> >
> > My question now is how can I make sure that the wrong dns entries are
> > not created / get updated correctly / disappear after a short amount
> > of time? I would like to end up with only one correct dns entry for
> > one client (NIC).
> >
>
> This is something I never considered when I wrote the DHCP update
> script (mainly because I do not use PXE), but it is a just a
> bash script :-)
>
> I think you will need to extend the script to check for the unwanted
> dns entries and then delete them with nsupdate, failing this, use
> another script to delete the unwanted entries at first boot.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
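An added example combining the two approaches raised in this thread: Martin's filter on the auto-generated "dhcp-..." placeholder names (so the nfsroot record for 192.168.33.26 is never created) and Rowland's suggestion to delete the stale records with nsupdate (so the rename from dhcp-192-168-33-27 to c9f2cbf9fc26c on the same IP leaves one A record). This is editor-written example code, not the Samba wiki's dhcp-dyndns.sh and not anything posted in the thread. Assumptions: the zone name example.corp and the record names come from the thread; the script name, function names, the TTL, the "demo" argument and the zone listing embedded in the script (constructed, modelled on the host -l output above) are the editor's; a reverse zone for 192.168.33.0/24 is assumed to exist in AD DNS; and in production the wrapper would itself run host -l and pipe the batch into nsupdate -g after the kinit the wiki script performs. Two checks worth keeping whatever the final script looks like: the host-name option is chosen by the client, so it is validated as a single DNS label before it gets anywhere near an nsupdate batch, and the placeholder test matches the exact shape produced by the "on commit" noname fallback rather than every "dhcp-*", so a real host named, say, dhcp-relay is still registered. On Martin's last question: neither BIND nor the Samba 4.5 shown here ages dynamic records; Samba's DNS zone scavenging ("dns zone scavenging" in smb.conf) only arrived with Samba 4.9, so on this setup the cleanup has to come from the hook.

```shell
#!/bin/sh
# dhcp-dyndns-filter.sh (hypothetical name): editor's example, not the Samba
# wiki script. Called the way dhcpd's execute() calls the wiki script:
#   dhcp-dyndns-filter.sh add <ip> <dhcid> <name>
# with the forward zone listing ("host -l example.corp") on stdin. It prints
# an nsupdate batch on stdout; a real hook would run host -l itself and pipe
# the batch into "nsupdate -g" after the kinit the wiki script performs.

ZONE="example.corp"   # from the thread
TTL=3600              # assumption

# Constructed zone listing in "host -l" format, modelled on the one posted in
# the thread: one machine ended up with three A records on two IPs.
SAMPLE_ZONE='example.corp name server location-000001.example.corp.
c9f2cbf9fc26c.example.corp has address 192.168.33.27
location-000001.example.corp has address 192.168.33.251
dhcp-192-168-33-27.example.corp has address 192.168.33.27
dhcp-192-168-33-26.example.corp has address 192.168.33.26'

# The host-name option is chosen by the client. Accept only a single DNS
# label (no dots, no whitespace, no newlines); anything else could carry
# extra lines into the nsupdate batch.
is_valid_label() {
    case "$1" in
        ''|-*|*-|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# Placeholder names produced by the "on commit" hook's noname fallback look
# like dhcp-192-168-33-26. Matching that shape, rather than every "dhcp-*",
# keeps a genuinely named host such as dhcp-relay registrable.
is_placeholder_name() {
    case "$1" in
        dhcp-[0-9]*-[0-9]*-[0-9]*-[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read a "host -l" listing on stdin and print every A-record owner, other than
# $2, that currently points at IP $1: the records that would otherwise pile up.
stale_names_for_ip() {
    awk -v ip="$1" -v keep="$2" \
        '$2 == "has" && $3 == "address" && $4 == ip && $1 != keep { print $1 }'
}

# Emit the nsupdate batch: drop each stale A record, then replace the A record
# for the current name and the single PTR for the address. Every name is
# written absolute (trailing dot) so nsupdate cannot mis-qualify it.
build_update() {
    ip="$1"; fqdn="$2.$ZONE."; shift 2
    rev=$(printf '%s' "$ip" | awk -F. '{ print $4"."$3"."$2"."$1".in-addr.arpa." }')
    for stale in "$@"; do
        printf 'update delete %s A\n' "${stale%.}."
    done
    printf 'update delete %s A\n' "$fqdn"
    printf 'update add %s %s A %s\n' "$fqdn" "$TTL" "$ip"
    printf 'update delete %s PTR\n' "$rev"
    printf 'update add %s %s PTR %s\n' "$rev" "$TTL" "$fqdn"
    printf 'send\n'
}

# Entry point. Return codes: 0 (batch printed, or placeholder skipped with no
# output), 1 (unsupported action), 2 (unusable host-name, nothing printed).
handle_commit() {
    action="$1"; ip="$2"; name="$4"   # $3 is the DHCID, unused here
    [ "$action" = "add" ] || return 1
    is_valid_label "$name" || return 2
    is_placeholder_name "$name" && return 0
    stale=$(stale_names_for_ip "$ip" "$name.$ZONE")
    # $stale is newline-separated and labels contain no whitespace, so the
    # unquoted expansion deliberately splits it into one argument per name.
    build_update "$ip" "$name" $stale
}

# Stand-alone demo against the constructed listing.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_ZONE" | handle_commit add 192.168.33.27 00:11:22:33:44:55 c9f2cbf9fc26c
fi
```

Run with "demo" to see the batch for the rename case from the thread: the dhcp-192-168-33-27 A record is deleted, c9f2cbf9fc26c gets the A record and the single PTR for 27.33.168.192.in-addr.arpa, and a commit for the placeholder name dhcp-192-168-33-26 produces no batch at all. The "on release" and "on expiry" paths are unchanged and still belong to the wiki script; this wrapper only replaces the "add" call.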