Thomas Keppler
2025-Sep-02 22:13 UTC
[Samba] [BIND_DLZ] Dynamic DNS updates don't work for domain clients
Hello everyone,

I've recently upgraded a majority of my infrastructure that uses Samba AD DC (4.22.3-Debian-4.22.3+dfsg-4 on Debian 13) as its Domain Controller. Since we've moved away from stationary clients with reserved DHCP IPs, I've tried testing dynamic IP updates. This leads to the following errors in BIND's logs:

------------ 8< ------------
security: client @0x7fcf9ac4a400 192.168.0.250#59559: request is not signed
security: client @0x7fcf9ac4a400 192.168.0.250#59559: recursion available
security: client @0x7fcf9ac4a400 192.168.0.250#59559 (some-machine.ad.example.com): query 'some-machine.ad.example.com/SOA/IN' approved
security: client @0x7fcf9ac4a400 192.168.0.250#59559 (some-machine.ad.example.com): reset client
security: client @0x7fcf9ac46c00 192.168.0.250#64822: request is not signed
security: client @0x7fcf9ac46c00 192.168.0.250#64822: recursion available
security: client @0x7fcf9ac46c00 192.168.0.250#64822 (dc.ad.example.com): query 'dc.ad.example.com/A/IN' approved
security: client @0x7fcf9ac46c00 192.168.0.250#64822 (dc.ad.example.com): reset client
security: client @0x7fcfa2aff400 192.168.0.250#51731: request is not signed
security: client @0x7fcfa2aff400 192.168.0.250#51731: recursion available
update-security: client @0x7fcfa2aff400 192.168.0.250#51731: update 'ad.example.com/IN' denied
security: client @0x7fcfa2aff400 192.168.0.250#51731: reset client
security: client @0x7fcfa2afd800 192.168.0.250#52937: request has invalid signature: TSIG 1532-ms-7.4294-4cc9ff05.5aa87f89-7c8f-11f0-bf08-aabbc0a800fa: tsig
security: client @0x7fcfa2afd800 192.168.0.250#52937: recursion available
security: client @0x7fcfa2afd800 192.168.0.250#52937: reset client
------------ >8 ------------

I've already worked through the "Testing Dynamic DNS Updates" and "Dns tkey negotiategss: TKEY is unacceptable" troubleshooting steps, as these were the first errors I was getting.
However, that is resolved now and I can run `samba_dnsupdate --verbose --all-names` on the DC without issues. I have also recreated the `dns.keytab` and the BIND AD account, and ran the DNS upgrade again.

If you've got any pointers or ideas where to look and what to do next, I'd greatly appreciate your feedback. Also, if you'd like to see any log or config file, I'm happy to provide those; I just wanted to keep this starter post brief.

--
Sincerely,
Thomas Keppler
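The following is an added example and is not part of Thomas's post, nor code from Samba or BIND. It is a small Python triage helper that groups BIND "security" / "update-security" log lines into per-request transactions (BIND logs one client object per request and ends it with "reset client") and labels each one, so that the two distinct events in the log above can be told apart: an unsigned update that was denied, and a separately signed update whose TSIG failed verification, including the per-session key name the failing request used. The only assumption is the log line format shown above; the sample input is the posted lines verbatim.

```python
import re
from collections import OrderedDict

# Sample input: the BIND log lines quoted in the post above, verbatim (not constructed).
SAMPLE_LOG = """\
security: client @0x7fcf9ac4a400 192.168.0.250#59559: request is not signed
security: client @0x7fcf9ac4a400 192.168.0.250#59559: recursion available
security: client @0x7fcf9ac4a400 192.168.0.250#59559 (some-machine.ad.example.com): query 'some-machine.ad.example.com/SOA/IN' approved
security: client @0x7fcf9ac4a400 192.168.0.250#59559 (some-machine.ad.example.com): reset client
security: client @0x7fcf9ac46c00 192.168.0.250#64822: request is not signed
security: client @0x7fcf9ac46c00 192.168.0.250#64822: recursion available
security: client @0x7fcf9ac46c00 192.168.0.250#64822 (dc.ad.example.com): query 'dc.ad.example.com/A/IN' approved
security: client @0x7fcf9ac46c00 192.168.0.250#64822 (dc.ad.example.com): reset client
security: client @0x7fcfa2aff400 192.168.0.250#51731: request is not signed
security: client @0x7fcfa2aff400 192.168.0.250#51731: recursion available
update-security: client @0x7fcfa2aff400 192.168.0.250#51731: update 'ad.example.com/IN' denied
security: client @0x7fcfa2aff400 192.168.0.250#51731: reset client
security: client @0x7fcfa2afd800 192.168.0.250#52937: request has invalid signature: TSIG 1532-ms-7.4294-4cc9ff05.5aa87f89-7c8f-11f0-bf08-aabbc0a800fa: tsig
security: client @0x7fcfa2afd800 192.168.0.250#52937: recursion available
security: client @0x7fcfa2afd800 192.168.0.250#52937: reset client
"""

# "<category>: client @<ptr> <ip>#<port>[ (<qname>)]: <message>"
LINE_RE = re.compile(
    r"^(?P<cat>[\w-]+): client @(?P<ptr>0x[0-9a-f]+) "
    r"(?P<ip>[0-9.]+)#(?P<port>\d+)"
    r"(?: \((?P<name>[^)]*)\))?: (?P<msg>.*)$"
)
TSIG_RE = re.compile(r"request has invalid signature: TSIG (?P<key>\S+): (?P<reason>\S+)")
DENIED_RE = re.compile(r"update '(?P<zone>[^']+)' denied")
APPROVED_RE = re.compile(r"query '(?P<q>[^']+)' approved")


def parse_requests(text):
    """Group log lines into requests keyed by (client pointer, ip, port).

    BIND reuses client pointers after 'reset client', so the source port is
    part of the key; that is sufficient for a short log excerpt like this one.
    Lines not in the expected format are skipped.
    """
    requests = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key = (m["ptr"], m["ip"], int(m["port"]))
        requests.setdefault(key, []).append((m["cat"], m["msg"]))
    return requests


def classify(msgs):
    """Return (verdict, detail) for one request's (category, message) list.

    A bad TSIG is reported first because it means the client DID sign the
    request and the server could not verify it, which is a different failure
    from an unsigned update being refused by the zone's update policy.
    """
    for _, msg in msgs:
        t = TSIG_RE.search(msg)
        if t:
            return "signed-update-bad-tsig", {"key": t["key"], "reason": t["reason"]}
    unsigned = any(msg == "request is not signed" for _, msg in msgs)
    for cat, msg in msgs:
        d = DENIED_RE.search(msg)
        if cat == "update-security" and d:
            verdict = "unsigned-update-denied" if unsigned else "signed-update-denied"
            return verdict, {"zone": d["zone"]}
    for _, msg in msgs:
        a = APPROVED_RE.search(msg)
        if a:
            return "query-approved", {"query": a["q"]}
    return "other", {}


def triage(text):
    """Parse and classify every request, in log order."""
    out = []
    for (ptr, ip, port), msgs in parse_requests(text).items():
        verdict, detail = classify(msgs)
        out.append({"ptr": ptr, "ip": ip, "port": port, "verdict": verdict, "detail": detail})
    return out


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['ip']}#{r['port']:<5} {r['verdict']:<24} {r['detail']}")
```

Run against the posted excerpt it prints one line per request: two approved queries, one unsigned update denied for ad.example.com/IN, and one signed update rejected with a bad TSIG for key 1532-ms-7.4294-4cc9ff05.5aa87f89-7c8f-11f0-bf08-aabbc0a800fa. That key name is the one to match against the same client's TKEY negotiation when comparing with the Samba-side logs.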