2016-02-29 0:05 GMT+01:00 Reindl Harald <h.reindl at thelounge.net>:

> On 28.02.2016 at 23:54 Rowland penny wrote:
>> On 28/02/16 22:42, Reindl Harald wrote:
>>> On 28.02.2016 at 23:10 Rowland penny wrote:
>>>> On 28/02/16 21:56, Reindl Harald wrote:
>>>>> On 28.02.2016 at 22:22 John Gardeniers wrote:
>>>>>> Thanks Rowland. Perhaps because I expected these basic issues to have
>>>>>> been resolved long ago I never thought to check the SOA records. You are
>>>>>> perfectly correct - the second DC is not listed
>>>>>
>>>>> since when is more than one NS listed in the SOA?
>>>>>
>>>>> http://rscott.org/dns/soa.html
>>>>>
>>>>> MNAME ("Primary NS") - This entry is the domain name of the name
>>>>> server that was the original source of the data (this entry MUST be
>>>>> your primary nameserver). This is your primary nameserver, and MUST be
>>>>> the one and only server that you ever update. You must not update the
>>>>> secondary server(s) -- they will update automatically, based on this
>>>>> the SOA record. Problem? This should be a fully qualified domain name.
>>>>
>>>> OK, I see where you are coming from, but, this is referring to a normal
>>>> dns server that replicates to other secondary dns servers. AD dns works
>>>> a little differently, all AD dns servers replicate dns records to each
>>>> other and each AD DC is supposed to be authoritative for the dns domain,
>>>> this does not happen if your first DC goes down when you are using the
>>>> internal dns server.
>>>>
>>>> As an aside, my first DC shutdown for some reason, I didn't notice for a
>>>> couple of hours, until I tried to 'ssh' into it, I didn't notice because
>>>> *everything* else just kept working on my second DC
>>>
>>> well, that's not the business of the SOA record
>>> it's a matter of NS-records
>>
>> If you only have one Authoritative nameserver (which is what you have
>> with the internal dns) and it disappears, then you don't have *anything*
>> that will respond to a request for info about AD dns domain
>
> sorry, but that's not a matter of SOA
>
> all your NS-records are authoritative, no matter if they are master or
> slave, the format of the SOA record is pretty clear
>
> https://support.dnsimple.com/articles/soa-record/
> ns1.dnsimple.com admin.dnsimple.com 2013022001 86400 7200 604800 300
>
> nothing will change the SOA format because it's defined far away from
> samba and the implementation https://www.ietf.org/rfc/rfc1912.txt
>
> otherwise show me how you imagine a SOA record listing more than one
> nameserver would look like when the second field is by definition the admin
> contact
>

Several SOAs are easy to design without breaking RFC: as every DNS server
in AD is able to modify the zone, every DNS server in AD is SOA. As any
DNS server is SOA and only one SOA can be returned, these DNS servers
must reply "I am SOA".
10 DCs running a DNS server.
One client asking to DC07 for SOA.
DC07 replies "SOA is DC07".
One client asking to DC02 for SOA.
DC02 replies "SOA is DC02".
This client asks for NS, all DNS servers will reply 10 entries, one per DC
which is a name server. A DC doesn't need to be a name server.
On 01.03.2016 at 11:23 mathias dufresne wrote:
> Several SOAs are easy to design without breaking RFC: as every DNS server
> in AD is able to modify the zone, every DNS server in AD is SOA. As any
> DNS server is SOA and only one SOA can be returned, these DNS servers
> must reply "I am SOA".
> 10 DCs running a DNS server.
> One client asking to DC07 for SOA.
> DC07 replies "SOA is DC07".
> One client asking to DC02 for SOA.
> DC02 replies "SOA is DC02".

yes, but that's not a SOA containing two nameservers - period
nothing else is what i criticized because the term is wrong
On 01/03/16 13:23, Reindl Harald wrote:
> On 01.03.2016 at 11:23 mathias dufresne wrote:
>> Several SOAs are easy to design without breaking RFC: as every DNS server
>> in AD is able to modify the zone, every DNS server in AD is SOA. As any
>> DNS server is SOA and only one SOA can be returned, these DNS servers
>> must reply "I am SOA".
>> 10 DCs running a DNS server.
>> One client asking to DC07 for SOA.
>> DC07 replies "SOA is DC07".
>> One client asking to DC02 for SOA.
>> DC02 replies "SOA is DC02".
>
> yes, but that's not a SOA containing two nameservers - period
> nothing else is what i criticized because the term is wrong
>

OK, let's use 'nslookup' to get the SOA record from my netbook:

rowland at debnet:~$ nslookup
> set querytype=soa
> samdom.example.com
Server:         192.168.0.5
Address:        192.168.0.5#53

samdom.example.com
        origin = dc1.samdom.example.com
        mail addr = hostmaster.samdom.example.com
        serial = 185
        refresh = 900
        retry = 600
        expire = 86400
        minimum = 3600

This shows that 'dc1.samdom.example.com' is authoritative for the domain.

Let's change the server that 'nslookup' uses:

> server 192.168.0.6
Default server: 192.168.0.6
Address: 192.168.0.6#53

Now rerun the soa lookup:

> set querytype=soa
> samdom.example.com
Server:         192.168.0.6
Address:        192.168.0.6#53

samdom.example.com
        origin = dc2.samdom.example.com
        mail addr = hostmaster.samdom.example.com
        serial = 185
        refresh = 900
        retry = 600
        expire = 86400
        minimum = 3600
>

Different server, different Authoritative server, *BUT* there is only one
SOA record in AD:

dn: DC=@,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20151106115624.0Z
uSNCreated: 3657
showInAdvancedViewOnly: TRUE
name: @
objectGUID: 7ad014c4-c1e9-4cb4-9f0d-96d0272af23d
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
dc: @
whenChanged: 20160226163554.0Z
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wDataLength  : 0x004f (79)
    wType        : DNS_TYPE_SOA (6)
    version      : 0x05 (5)
    rank         : DNS_RANK_ZONE (240)
    flags        : 0x0000 (0)
    dwSerial     : 0x000000b8 (184)
    dwTtlSeconds : 0x00000e10 (3600)
    dwReserved   : 0x00000000 (0)
    dwTimeStamp  : 0x00378778 (3639160)
    data         : union dnsRecordData(case 6)
    soa: struct dnsp_soa
        serial   : 0x000000b9 (185)
        refresh  : 0x00000384 (900)
        retry    : 0x00000258 (600)
        expire   : 0x00015180 (86400)
        minimum  : 0x00000e10 (3600)
        mname    : dc1.samdom.example.com
        rname    : hostmaster.samdom.example.com
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wDataLength  : 0x001a (26)
    wType        : DNS_TYPE_NS (2)
    version      : 0x05 (5)
    rank         : DNS_RANK_ZONE (240)
    flags        : 0x0000 (0)
    dwSerial     : 0x000000b8 (184)
    dwTtlSeconds : 0x00000384 (900)
    dwReserved   : 0x00000000 (0)
    dwTimeStamp  : 0x00000000 (0)
    data         : union dnsRecordData(case 2)
    ns           : dc1.samdom.example.com
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wDataLength  : 0x001a (26)
    wType        : DNS_TYPE_NS (2)
    version      : 0x05 (5)
    rank         : DNS_RANK_ZONE (240)
    flags        : 0x0000 (0)
    dwSerial     : 0x000000b8 (184)
    dwTtlSeconds : 0x00000384 (900)
    dwReserved   : 0x00000000 (0)
    dwTimeStamp  : 0x00377e1b (3636763)
    data         : union dnsRecordData(case 2)
    ns           : dc2.samdom.example.com
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wDataLength  : 0x0004 (4)
    wType        : DNS_TYPE_A (1)
    version      : 0x05 (5)
    rank         : DNS_RANK_ZONE (240)
    flags        : 0x0000 (0)
    dwSerial     : 0x000000b8 (184)
    dwTtlSeconds : 0x00000384 (900)
    dwReserved   : 0x00000000 (0)
    dwTimeStamp  : 0x00000000 (0)
    data         : union dnsRecordData(case 1)
    ipv4         : 192.168.0.5
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wDataLength  : 0x0004 (4)
    wType        : DNS_TYPE_A (1)
    version      : 0x05 (5)
    rank         : DNS_RANK_ZONE (240)
    flags        : 0x0000 (0)
    dwSerial     : 0x000000b8 (184)
    dwTtlSeconds : 0x00000384 (900)
    dwReserved   : 0x00000000 (0)
    dwTimeStamp  : 0x00377cfa (3636474)
    data         : union dnsRecordData(case 1)
    ipv4         : 192.168.0.6
uSNChanged: 117981
distinguishedName: DC=@,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com

Does that convince you ???

Rowland
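The dnsRecord values in the dump above are shown already decoded by the NDR printer; fetched over plain LDAP they arrive as binary blobs. The decoder below is an added example written for this page (not code from the thread, from Rowland, or from Samba) that reads such blobs far enough to settle the question mechanically: exactly one SOA at the zone apex, whose mname it carries, and which DCs the NS records list. It assumes the MS-DNSP DNS_RPC_RECORD / DNS_COUNT_NAME layout (little-endian header, network-order SOA counters) as the author understands it, and the sample blobs are constructed here from the values in Rowland's dump.

```python
import struct
HDR = struct.Struct("<HHBBHIIII")  # dnsp_DnssrvRpcRecord header, little-endian (MS-DNSP DNS_RPC_RECORD)
DNS_TYPE_NS, DNS_TYPE_SOA = 2, 6

def encode_name(name):
    """DNS_COUNT_NAME: length of remainder, label count, length-prefixed labels, 0x00."""
    labels = [l.encode() for l in name.rstrip(".").split(".")]
    raw = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return bytes([1 + len(raw), len(labels)]) + raw

def decode_name(buf, off):
    """Inverse of encode_name; returns (dotted name, offset just past it)."""
    length, count, pos, labels = buf[off], buf[off + 1], off + 2, []
    for _ in range(count):
        labels.append(buf[pos + 1:pos + 1 + buf[pos]].decode())
        pos += 1 + buf[pos]
    if buf[pos] != 0 or pos != off + length:
        raise ValueError("malformed DNS_COUNT_NAME")
    return ".".join(labels), pos + 1

def encode_record(rtype, rdata, ttl, stamp=0):  # version 5, rank 240, dwSerial 184 as in the dump
    return HDR.pack(len(rdata), rtype, 5, 240, 0, 184, ttl, 0, stamp) + rdata

def decode_record(blob):
    dlen, rtype, _version, _rank, _flags, _dw_serial, ttl, _reserved, _stamp = HDR.unpack_from(blob)
    data = blob[HDR.size:HDR.size + dlen]
    rec = {"type": rtype, "ttl": ttl}
    if rtype == DNS_TYPE_SOA:  # dnsp_soa counters are network (big-endian) order, unlike the header
        keys = ("serial", "refresh", "retry", "expire", "minimum")
        rec.update(zip(keys, struct.unpack(">IIIII", data[:20])))
        rec["mname"], off = decode_name(data, 20)
        rec["rname"], _ = decode_name(data, off)
    elif rtype == DNS_TYPE_NS:
        rec["ns"], _ = decode_name(data, 0)
    return rec

def apex_summary(blobs):
    """(SOA mname, sorted NS names) for one DC=@ node; exactly one SOA is required."""
    recs = [decode_record(b) for b in blobs]
    soa = [r for r in recs if r["type"] == DNS_TYPE_SOA]
    if len(soa) != 1:
        raise ValueError("zone apex must carry exactly one SOA, found %d" % len(soa))
    return soa[0]["mname"], sorted(r["ns"] for r in recs if r["type"] == DNS_TYPE_NS)

# Constructed sample: the SOA and two NS dnsRecord values Rowland posted, re-encoded.
SOA_DATA = (struct.pack(">IIIII", 185, 900, 600, 86400, 3600)
            + encode_name("dc1.samdom.example.com") + encode_name("hostmaster.samdom.example.com"))
APEX = [encode_record(DNS_TYPE_SOA, SOA_DATA, 3600, stamp=3639160),
        encode_record(DNS_TYPE_NS, encode_name("dc1.samdom.example.com"), 900),
        encode_record(DNS_TYPE_NS, encode_name("dc2.samdom.example.com"), 900, stamp=3636763)]
```

The re-encoded SOA comes out at 79 data bytes and each NS at 26, matching the wDataLength values in the dump, which is a useful check that the name encoding is right.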