samba - Feb 2016 - which DNS backend ?

On 29/02/16 10:45, Reindl Harald wrote:
>
>
> Am 29.02.2016 um 11:28 schrieb Rowland penny:
>> On 29/02/16 09:42, Reindl Harald wrote:
>>>
>>>
>>> Am 29.02.2016 um 10:10 schrieb Rowland penny:
>>>> Everything you say is valid except for when it comes to AD dns.
>>>> When you want data from a zone, you start with the SOA record,
you ask
>>>> 'who holds the records for this zone?', it replies with
the nameserver
>>>> that holds the zone records. OK so far ?
>>>>
>>>> Only problem is that with AD, *every* DC that runs a dns server
holds
>>>> the zone records. Now if you have only one NS record in the SOA
(or if
>>>> only one NS record is returned, like the internal dns server
does),
>>>> then
>>>> only one DC will be asked for the zone records, if this DC is
down,
>>>> you
>>>> don't have a nameserver to ask!
>>>
>>> than its a bug in the internal dns server only return one NS record
>>
>> Totally agree
>>
>>>
>>>> Every windows DC that runs a dns server is authoritative for
the dns
>>>> domain and has a SOA record. The only way I have found of doing
this
>>>> with a Samba DC, is to use Bind9 and add the second DCs NS
record
>>>> to the
>>>> SOA, this SOA is stored in AD
>>>
>>> how would a SOA record look like with two NS records?
>>>
>>
>> There was a thread dealing with this in December, see here for what I
>> posted then:
>>
>> https://lists.samba.org/archive/samba/2015-December/196367.html
>
> i just want to see how a "dig SOA example.lan." would look like
to
> contain two nameservers, that below form the thread is as always a SOA 
> containing one origin
>
> example.lan
>      origin = testdc1.example.lan
>      mail addr = hostmaster.example.lan
>      serial = 3
>      refresh = 900
>      retry = 600
>      expire = 86400
>      minimum = 3600
>
>
>
OK, your wish is my command :-)

root at dc1:~# dig SOA samdom.example.com

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA
samdom.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54539
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;samdom.example.com.        IN    SOA

;; ANSWER SECTION:
samdom.example.com.    3600    IN    SOA    dc2.samdom.example.com. 
hostmaster.samdom.example.com. 185 900 600 86400 3600

;; AUTHORITY SECTION:
samdom.example.com.    900    IN    NS    dc1.samdom.example.com.
samdom.example.com.    900    IN    NS    dc2.samdom.example.com.

;; ADDITIONAL SECTION:
dc1.samdom.example.com.    900    IN    A    192.168.0.5
dc2.samdom.example.com.    900    IN    A    192.168.0.6

;; Query time: 8 msec
;; SERVER: 192.168.0.6#53(192.168.0.6)
;; WHEN: Mon Feb 29 11:28:10 GMT 2016
;; MSG SIZE  rcvd: 162

Rowland

Am 29.02.2016 um 12:29 schrieb Rowland penny:
> On 29/02/16 10:45, Reindl Harald wrote:
>>
>>
>> Am 29.02.2016 um 11:28 schrieb Rowland penny:
>>> On 29/02/16 09:42, Reindl Harald wrote:
>>>>
>>>>
>>>> Am 29.02.2016 um 10:10 schrieb Rowland penny:
>>>>> Everything you say is valid except for when it comes to AD
dns.
>>>>> When you want data from a zone, you start with the SOA
record, you ask
>>>>> 'who holds the records for this zone?', it replies
with the nameserver
>>>>> that holds the zone records. OK so far ?
>>>>>
>>>>> Only problem is that with AD, *every* DC that runs a dns
server holds
>>>>> the zone records. Now if you have only one NS record in the
SOA (or if
>>>>> only one NS record is returned, like the internal dns
server does),
>>>>> then
>>>>> only one DC will be asked for the zone records, if this DC
is down,
>>>>> you
>>>>> don't have a nameserver to ask!
>>>>
>>>> than its a bug in the internal dns server only return one NS
record
>>>
>>> Totally agree
>>>
>>>>
>>>>> Every windows DC that runs a dns server is authoritative
for the dns
>>>>> domain and has a SOA record. The only way I have found of
doing this
>>>>> with a Samba DC, is to use Bind9 and add the second DCs NS
record
>>>>> to the
>>>>> SOA, this SOA is stored in AD
>>>>
>>>> how would a SOA record look like with two NS records?
>>>>
>>>
>>> There was a thread dealing with this in December, see here for what
I
>>> posted then:
>>>
>>> https://lists.samba.org/archive/samba/2015-December/196367.html
>>
>> i just want to see how a "dig SOA example.lan." would look
like to
>> contain two nameservers, that below form the thread is as always a SOA
>> containing one origin
>>
>> example.lan
>>      origin = testdc1.example.lan
>>      mail addr = hostmaster.example.lan
>>      serial = 3
>>      refresh = 900
>>      retry = 600
>>      expire = 86400
>>      minimum = 3600
>
> OK, your wish is my command :-)
as i say all the time - the SOA record has only one nameserver

;; ANSWER SECTION:
samdom.example.com.    3600    IN    SOA    dc2.samdom.example.com. 
hostmaster.samdom.example.com. 185 900 600 86400 3600

that's the SOA and nothing else :-)

 > ;; AUTHORITY SECTION:
 > samdom.example.com.    900    IN    NS    dc1.samdom.example.com.
 > samdom.example.com.    900    IN    NS    dc2.samdom.example.com.

these are NS records
> root at dc1:~# dig SOA samdom.example.com
>
> ; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA
samdom.example.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54539
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;samdom.example.com.        IN    SOA
>
> ;; ANSWER SECTION:
> samdom.example.com.    3600    IN    SOA    dc2.samdom.example.com.
> hostmaster.samdom.example.com. 185 900 600 86400 3600
>
> ;; AUTHORITY SECTION:
> samdom.example.com.    900    IN    NS    dc1.samdom.example.com.
> samdom.example.com.    900    IN    NS    dc2.samdom.example.com.
>
> ;; ADDITIONAL SECTION:
> dc1.samdom.example.com.    900    IN    A    192.168.0.5
> dc2.samdom.example.com.    900    IN    A    192.168.0.6
>
> ;; Query time: 8 msec
> ;; SERVER: 192.168.0.6#53(192.168.0.6)
> ;; WHEN: Mon Feb 29 11:28:10 GMT 2016
> ;; MSG SIZE  rcvd: 162
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20160229/6a6f8003/signature.sig>

On 29/02/16 11:51, Reindl Harald wrote:
>
>
> Am 29.02.2016 um 12:29 schrieb Rowland penny:
>> On 29/02/16 10:45, Reindl Harald wrote:
>>>
>>>
>>> Am 29.02.2016 um 11:28 schrieb Rowland penny:
>>>> On 29/02/16 09:42, Reindl Harald wrote:
>>>>>
>>>>>
>>>>> Am 29.02.2016 um 10:10 schrieb Rowland penny:
>>>>>> Everything you say is valid except for when it comes to
AD dns.
>>>>>> When you want data from a zone, you start with the SOA
record,
>>>>>> you ask
>>>>>> 'who holds the records for this zone?', it
replies with the
>>>>>> nameserver
>>>>>> that holds the zone records. OK so far ?
>>>>>>
>>>>>> Only problem is that with AD, *every* DC that runs a
dns server
>>>>>> holds
>>>>>> the zone records. Now if you have only one NS record in
the SOA
>>>>>> (or if
>>>>>> only one NS record is returned, like the internal dns
server does),
>>>>>> then
>>>>>> only one DC will be asked for the zone records, if this
DC is down,
>>>>>> you
>>>>>> don't have a nameserver to ask!
>>>>>
>>>>> than its a bug in the internal dns server only return one
NS record
>>>>
>>>> Totally agree
>>>>
>>>>>
>>>>>> Every windows DC that runs a dns server is
authoritative for the dns
>>>>>> domain and has a SOA record. The only way I have found
of doing this
>>>>>> with a Samba DC, is to use Bind9 and add the second DCs
NS record
>>>>>> to the
>>>>>> SOA, this SOA is stored in AD
>>>>>
>>>>> how would a SOA record look like with two NS records?
>>>>>
>>>>
>>>> There was a thread dealing with this in December, see here for
what I
>>>> posted then:
>>>>
>>>> https://lists.samba.org/archive/samba/2015-December/196367.html
>>>
>>> i just want to see how a "dig SOA example.lan." would
look like to
>>> contain two nameservers, that below form the thread is as always a
SOA
>>> containing one origin
>>>
>>> example.lan
>>>      origin = testdc1.example.lan
>>>      mail addr = hostmaster.example.lan
>>>      serial = 3
>>>      refresh = 900
>>>      retry = 600
>>>      expire = 86400
>>>      minimum = 3600
>>
>> OK, your wish is my command :-)
>
> as i say all the time - the SOA record has only one nameserver
>
> ;; ANSWER SECTION:
> samdom.example.com.    3600    IN    SOA dc2.samdom.example.com. 
> hostmaster.samdom.example.com. 185 900 600 86400 3600
>
> that's the SOA and nothing else :-)
>
> > ;; AUTHORITY SECTION:
> > samdom.example.com.    900    IN    NS dc1.samdom.example.com.
> > samdom.example.com.    900    IN    NS dc2.samdom.example.com.
>
> these are NS records
>
>> root at dc1:~# dig SOA samdom.example.com
>>
>> ; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA
samdom.example.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54539
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;samdom.example.com.        IN    SOA
>>
>> ;; ANSWER SECTION:
>> samdom.example.com.    3600    IN    SOA dc2.samdom.example.com.
>> hostmaster.samdom.example.com. 185 900 600 86400 3600
>>
>> ;; AUTHORITY SECTION:
>> samdom.example.com.    900    IN    NS dc1.samdom.example.com.
>> samdom.example.com.    900    IN    NS dc2.samdom.example.com.
>>
>> ;; ADDITIONAL SECTION:
>> dc1.samdom.example.com.    900    IN    A    192.168.0.5
>> dc2.samdom.example.com.    900    IN    A    192.168.0.6
>>
>> ;; Query time: 8 msec
>> ;; SERVER: 192.168.0.6#53(192.168.0.6)
>> ;; WHEN: Mon Feb 29 11:28:10 GMT 2016
>> ;; MSG SIZE  rcvd: 162
>
>
>
OK, same command run on the second DC:

root at dc2:~# dig SOA samdom.example.com

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA
samdom.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24665
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;samdom.example.com.        IN    SOA

;; ANSWER SECTION:
samdom.example.com.    3600    IN    SOA    dc1.samdom.example.com. 
hostmaster.samdom.example.com. 185 900 600 86400 3600

;; AUTHORITY SECTION:
samdom.example.com.    900    IN    NS    dc2.samdom.example.com.
samdom.example.com.    900    IN    NS    dc1.samdom.example.com.

;; ADDITIONAL SECTION:
dc1.samdom.example.com.    900    IN    A    192.168.0.5
dc2.samdom.example.com.    900    IN    A    192.168.0.6

;; Query time: 2 msec
;; SERVER: 192.168.0.5#53(192.168.0.5)
;; WHEN: Mon Feb 29 12:01:23 GMT 2016
;; MSG SIZE  rcvd: 162

Rowland