Kris Lou
2019-Jan-23 19:04 UTC
[Samba] Odd behavior with "allow dns updates" (+dhcp_dyndns.sh)
All,

I'm hoping somebody could help explain this: with the Wiki dhcp_dyndns.sh script and "allow dns updates = secure and nonsecure", I have the following log snippet for a single machine:

Jan 22 13:37:35 DC1 dhcpd: Commit: IP: 172.250.250.19 DHCID: 1:be:a9:c5:4f:5f:cd Name: SERVER
<stuff>
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: starting transaction on zone SAMDOM.biz
Jan 22 13:37:35 DC1 dhcpd: Sending update to 127.0.0.1#53
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: allowing update of signer=dhcpduser\@SAMDOM.BIZ name=SERVER.SAMDOM.biz tcpaddr=127.0.0.1 type=A key=4007768441.sig-DC1.SAMDOM.biz/160/0
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: allowing update of signer=dhcpduser\@SAMDOM.BIZ name=SERVER.SAMDOM.biz tcpaddr=127.0.0.1 type=A key=4007768441.sig-DC1.SAMDOM.biz/160/0
Jan 22 13:37:35 DC1 named[20138]: client 127.0.0.1#35779/key dhcpduser\@SAMDOM.BIZ: updating zone 'SAMDOM.biz/NONE': deleting rrset at 'SERVER.SAMDOM.biz' A
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: subtracted rdataset SERVER.SAMDOM.biz 'SERVER.SAMDOM.biz.#0111200#011IN#011A#011172.250.250.19'
Jan 22 13:37:35 DC1 named[20138]: client 127.0.0.1#35779/key dhcpduser\@SAMDOM.BIZ: updating zone 'SAMDOM.biz/NONE': adding an RR at 'SERVER.SAMDOM.biz' A
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: added rdataset SERVER.SAMDOM.biz 'SERVER.SAMDOM.biz.#0113600#011IN#011A#011172.250.250.19'
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: subtracted rdataset SAMDOM.biz 'SAMDOM.biz.#0113600#011IN#011SOA#011DC1.SAMDOM.biz. hostmaster.SAMDOM.biz. 110321 900 600 86400 3600'
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: added rdataset SAMDOM.biz 'SAMDOM.biz.#0113600#011IN#011SOA#011DC1.SAMDOM.biz. hostmaster.SAMDOM.biz. 110322 900 600 86400 3600'
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: committed transaction on zone SAMDOM.biz
<more stuff>
Jan 22 13:37:35 DC1 dhcpd: DHCP-DNS Update succeeded
Jan 22 13:37:35 DC1 dhcpd: DHCPREQUEST for 172.250.250.19 from be:a9:c5:4f:5f:cd via enp1s0
Jan 22 13:37:35 DC1 dhcpd: DHCPACK on 172.250.250.19 to be:a9:c5:4f:5f:cd via enp1s0
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: starting transaction on zone SAMDOM.biz
Jan 22 13:37:35 DC1 named[20138]: client 172.250.250.19#62633: update 'SAMDOM.biz/IN' denied
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: cancelling transaction on zone SAMDOM.biz
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: starting transaction on zone SAMDOM.biz
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: allowing update of signer=SERVER\$\@SAMDOM.BIZ name=SERVER.SAMDOM.biz tcpaddr= type=A key=1228-ms-7.6-670dfe0.7abd8ab6-1d92-11e9-0081-bea9c54f5fcd/160/0
Jan 22 13:37:35 DC1 named[20138]: client 172.250.250.19#57017/key SERVER\$\@SAMDOM.BIZ: updating zone 'SAMDOM.biz/NONE': deleting an RR at SERVER.SAMDOM.biz A
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: subtracted rdataset SERVER.SAMDOM.biz 'SERVER.SAMDOM.biz.#0113600#011IN#011A#011172.250.250.19'
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: subtracted rdataset SAMDOM.biz 'SAMDOM.biz.#0113600#011IN#011SOA#011DC1.SAMDOM.biz. hostmaster.SAMDOM.biz. 110322 900 600 86400 3600'
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: added rdataset SAMDOM.biz 'SAMDOM.biz.#0113600#011IN#011SOA#011DC1.SAMDOM.biz. hostmaster.SAMDOM.biz. 1103250 900 600 86400 3600'
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: committed transaction on zone SAMDOM.biz

From what I can tell, the DHCP update script is running successfully and then the client is attempting to update its own DNS immediately afterwards.
However, it is denied once, but allowed the 2nd time, after which it deletes the A record and the SOA record, but only adds back the SOA record.

Looking at successful client-driven updates, they all are initially denied but are allowed on the 2nd transactions, similar to above.

Does anybody have any ideas why it would behave like this? (/etc/named.conf included at bottom)

For the time being, I've set "allow dns updates = none", and the same client hasn't tried to update itself.

Successful "disallows" or refusals look like this:

Jan 23 01:27:39 DC1 named[16390]: samba_dlz: starting transaction on zone SAMDOM.biz
Jan 23 01:27:39 DC1 named[16390]: client 172.250.30.9#51801: update 'SAMDOM.biz/IN' denied
Jan 23 01:27:39 DC1 named[16390]: samba_dlz: cancelling transaction on zone SAMDOM.biz
Jan 23 01:27:39 DC1 named[16390]: samba_dlz: starting transaction on zone SAMDOM.biz
Jan 23 01:27:39 DC1 named[16390]: samba_dlz: disallowing update of signer=SERVER2\$\@SAMDOM.BIZ name=SERVER2.SAMDOM.biz type=AAAA error=insufficient access rights
Jan 23 01:27:39 DC1 named[16390]: client 172.250.30.9#52948/key SERVER2\$\@SAMDOM.BIZ: updating zone 'SAMDOM.biz/NONE': update failed: rejected by secure update (REFUSED)
Jan 23 01:27:39 DC1 named[16390]: samba_dlz: cancelling transaction on zone SAMDOM.biz

2nd Question: What do you all generally see as the OWNER of a host's A record (from Windows)? I've seen a mix of $Client, SYSTEM, and dhcpduser (from the script), but think that this could have something to do with the differing behaviors.
/etc/named.conf:

options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";

    # Begin Custom Config
    auth-nxdomain yes;
    notify no;
    empty-zones-enable no;
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

    # IP addresses and network ranges allowed to query the DNS server:
    allow-query { Any; };

    # IP addresses and network ranges allowed to run recursive queries:
    # (Zones not served by this DNS server)
    allow-recursion { Any; };

    # Forward queries that can not be answered from own zones
    # to these DNS servers:
    forwarders { 172.250.250.35; };

    # Disable zone transfers
    allow-transfer { none; };

    # Add any subnets or hosts you want to allow dynamic updates from
    allow-update { 172.250.0.0/16; };
    # End Custom Config

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    #recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

# 127.0.0. zone.
zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/0.0.127.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

dlz "SAMDOM.biz" {
    # For BIND 9.9.0
    database "dlopen /usr/lib64/samba/bind9/dlz_bind9_9.so -d 3";
};

Kris Lou
klou at themusiclink.net
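The pattern Kris describes (a transaction that subtracts the host's A rdataset and commits without adding one back) is easy to miss in a busy named log, because each line on its own looks normal. The analyzer below groups the samba_dlz lines into transactions, records which signer (the dhcpduser service account vs. a machine account ending in "$") each one ran under, whether the unsigned first attempt was denied, and then flags committed transactions that caused a net loss of a non-SOA record. It is an example added here, not code from the thread, from Samba or from BIND; it assumes the syslog line layout shown in the post (tabs rendered as "#011") and runs on constructed sample lines modelled on the excerpt.

```python
"""Group samba_dlz transactions out of named's syslog and flag net record loss."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, modelled on the thread's log excerpt (not the original lines).
SAMPLE_LOG = """\
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: starting transaction on zone SAMDOM.biz
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: allowing update of signer=dhcpduser@SAMDOM.BIZ name=SERVER.SAMDOM.biz tcpaddr=127.0.0.1 type=A key=4007768441.sig-DC1.SAMDOM.biz/160/0
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: subtracted rdataset SERVER.SAMDOM.biz 'SERVER.SAMDOM.biz.#0111200#011IN#011A#011172.250.250.19'
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: added rdataset SERVER.SAMDOM.biz 'SERVER.SAMDOM.biz.#0113600#011IN#011A#011172.250.250.19'
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: subtracted rdataset SAMDOM.biz 'SAMDOM.biz.#0113600#011IN#011SOA#011DC1.SAMDOM.biz. hostmaster.SAMDOM.biz. 110321 900 600 86400 3600'
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: added rdataset SAMDOM.biz 'SAMDOM.biz.#0113600#011IN#011SOA#011DC1.SAMDOM.biz. hostmaster.SAMDOM.biz. 110322 900 600 86400 3600'
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: committed transaction on zone SAMDOM.biz
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: starting transaction on zone SAMDOM.biz
Jan 22 13:37:35 DC1 named[20138]: client 172.250.250.19#62633: update 'SAMDOM.biz/IN' denied
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: cancelling transaction on zone SAMDOM.biz
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: starting transaction on zone SAMDOM.biz
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: allowing update of signer=SERVER$@SAMDOM.BIZ name=SERVER.SAMDOM.biz tcpaddr= type=A key=1228-ms-7.6-670dfe0.7abd8ab6-1d92-11e9-0081-bea9c54f5fcd/160/0
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: subtracted rdataset SERVER.SAMDOM.biz 'SERVER.SAMDOM.biz.#0113600#011IN#011A#011172.250.250.19'
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: subtracted rdataset SAMDOM.biz 'SAMDOM.biz.#0113600#011IN#011SOA#011DC1.SAMDOM.biz. hostmaster.SAMDOM.biz. 110322 900 600 86400 3600'
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: added rdataset SAMDOM.biz 'SAMDOM.biz.#0113600#011IN#011SOA#011DC1.SAMDOM.biz. hostmaster.SAMDOM.biz. 110323 900 600 86400 3600'
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: committed transaction on zone SAMDOM.biz
Jan 23 01:27:39 DC1 named[16390]: samba_dlz: starting transaction on zone SAMDOM.biz
Jan 23 01:27:39 DC1 named[16390]: client 172.250.30.9#51801: update 'SAMDOM.biz/IN' denied
Jan 23 01:27:39 DC1 named[16390]: samba_dlz: cancelling transaction on zone SAMDOM.biz
Jan 23 01:27:39 DC1 named[16390]: samba_dlz: starting transaction on zone SAMDOM.biz
Jan 23 01:27:39 DC1 named[16390]: samba_dlz: disallowing update of signer=SERVER2$@SAMDOM.BIZ name=SERVER2.SAMDOM.biz type=AAAA error=insufficient access rights
Jan 23 01:27:39 DC1 named[16390]: client 172.250.30.9#52948/key SERVER2$@SAMDOM.BIZ: updating zone 'SAMDOM.biz/NONE': update failed: rejected by secure update (REFUSED)
Jan 23 01:27:39 DC1 named[16390]: samba_dlz: cancelling transaction on zone SAMDOM.biz
"""

TX_START = re.compile(r"samba_dlz: starting transaction on zone (\S+)")
TX_END = re.compile(r"samba_dlz: (committed|cancelling) transaction on zone (\S+)")
SIGNED = re.compile(r"samba_dlz: (allowing|disallowing) update of signer=(\S+) name=(\S+)")
UNSIGNED_DENIED = re.compile(r"client (\S+): update '(\S+)' denied")
RDATASET = re.compile(r"samba_dlz: (added|subtracted) rdataset \S+ '([^']*)'")


@dataclass
class Transaction:
    zone: str
    signer: Optional[str] = None          # signer whose update samba_dlz allowed
    refused_signer: Optional[str] = None  # signer samba_dlz disallowed (ACL check failed)
    outcome: Optional[str] = None         # "committed" or "cancelled"
    unsigned_denied: bool = False         # the unsigned first attempt that BIND denies
    added: list = field(default_factory=list)       # (name, rtype, rdata)
    subtracted: list = field(default_factory=list)  # (name, rtype, rdata)


def parse_rdataset(payload: str):
    # syslog renders tabs as '#011'; fields are name, ttl, class, type, rdata
    name, _ttl, _cls, rtype, rdata = payload.split("#011", 4)
    return name.rstrip("."), rtype, rdata


def parse_transactions(log_text: str):
    """Walk the log once and return one Transaction per start/commit|cancel pair."""
    txs, cur = [], None
    for line in log_text.splitlines():
        if m := TX_START.search(line):
            cur = Transaction(zone=m.group(1))
            txs.append(cur)
        elif cur is None:
            continue                      # line outside any transaction: ignore
        elif m := TX_END.search(line):
            cur.outcome = "committed" if m.group(1) == "committed" else "cancelled"
            cur = None
        elif m := SIGNED.search(line):
            if m.group(1) == "allowing":
                cur.signer = m.group(2)
            else:
                cur.refused_signer = m.group(2)
        elif UNSIGNED_DENIED.search(line):
            cur.unsigned_denied = True
        elif m := RDATASET.search(line):
            target = cur.added if m.group(1) == "added" else cur.subtracted
            target.append(parse_rdataset(m.group(2)))
    return txs


def signer_kind(signer: Optional[str]) -> str:
    """AD machine accounts end in '$'; anything else is a user/service account."""
    if signer is None:
        return "unsigned"
    account = signer.split("@", 1)[0]
    return "machine account" if account.endswith("$") else "user/service account"


def net_record_loss(txs):
    """Committed transactions that removed a non-SOA rdataset without re-adding it."""
    findings = []
    for tx in txs:
        if tx.outcome != "committed":
            continue
        readded = {(name, rtype) for name, rtype, _ in tx.added}
        for name, rtype, rdata in tx.subtracted:
            if rtype != "SOA" and (name, rtype) not in readded:
                findings.append({"zone": tx.zone, "signer": tx.signer,
                                 "signer_kind": signer_kind(tx.signer),
                                 "name": name, "type": rtype, "rdata": rdata})
    return findings


if __name__ == "__main__":
    for tx in parse_transactions(SAMPLE_LOG):
        print(tx.outcome, signer_kind(tx.signer), tx.signer or tx.refused_signer,
              f"-{len(tx.subtracted)} +{len(tx.added)}")
    for f in net_record_loss(parse_transactions(SAMPLE_LOG)):
        print("record lost:", f)
```

Run against the sample, the first (dhcpduser) transaction is balanced, the machine-account transaction is reported as having removed SERVER.SAMDOM.biz A 172.250.250.19 without re-adding it, and the SERVER2$ transaction shows up as a refused signer, which is the "successful disallow" shape from the second excerpt. Feeding real journald or syslog output into parse_transactions gives a quick way to see which signer kind is removing records rather than reading the raw lines.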
Rowland Penny
2019-Jan-23 19:31 UTC
[Samba] Odd behavior with "allow dns updates" (+dhcp_dyndns.sh)
On Wed, 23 Jan 2019 11:04:24 -0800
Kris Lou via samba <samba at lists.samba.org> wrote:

> All,
>
> I'm hoping somebody could help explain this: with the Wiki
> dhcp_dyndns.sh script and "allow dns updates = secure and nonsecure",
> I have the following log snippet for a single machine:

The two have absolutely nothing to do with each other.

You have identified the problem yourself:

From what I can tell, the DHCP update script is running successfully and then the client is attempting to update its own DNS immediately afterwards.

If you are using DHCP to update the dns records, you also need to stop your clients from trying to update their own records, something the wiki page warns about, but not obvious enough. I will fix this.

Rowland
Kris Lou
2019-Jan-23 20:06 UTC
[Samba] Odd behavior with "allow dns updates" (+dhcp_dyndns.sh)
> > All,
> >
> > I'm hoping somebody could help explain this: with the Wiki
> > dhcp_dyndns.sh script and "allow dns updates = secure and nonsecure",
> > I have the following log snippet for a single machine:
>
> The two have absolutely nothing to do with each other.

OK, now I'm reading that "allow dns updates" only applies to the Internal DNS, not Bind_DLZ.

> You have identified the problem yourself:
>
> From what I can tell, the DHCP update script is running successfully and
> then the client is attempting to update its own DNS immediately
> afterwards.
>
> If you are using DHCP to update the dns records, you also need to stop
> your clients from trying to update their own records, something the
> wiki page warns about, but not obvious enough. I will fix this.

I guess that I want to have my cake and eat it too. If I can't get it to work, then that kinda makes my decision for me.

So let me see if I understand the execution chain correctly:

* Client (DHCP request) -> DHCPd receive/give lease -> DHCPd authenticates against AD with keytab, then receives permission (as DNSAdmin) to execute nsupdate

What does the above chain look like without DHCP-driven dynamic updates? On "Standard" client update requests?