On 01/03/16 13:23, Reindl Harald wrote:
>
>
> Am 01.03.2016 um 11:23 schrieb mathias dufresne:
>> Several SOA is easy to design without breaking RFC: as every DNS server
>> in AD is able to modify the zone, every DNS server in AD is SOA. As any
>> DNS server is SOA and only one SOA can be returned, these DNS servers
>> must reply "I am SOA".
>> 10 DC running a DNS server.
>> One client asking to DC07 for SOA.
>> DC07 replies "SOA is DC07".
>> One client asking to DC02 for SOA.
>> DC02 replies "SOA is DC02".
>
> yes, but that's not a SOA containing two nameservers - period
> nothing else is what i criticized because the term is wrong
>
>

OK, let's use 'nslookup' to get the SOA record from my netbook:

rowland at debnet:~$ nslookup
> set querytype=soa
> samdom.example.com
Server:         192.168.0.5
Address:        192.168.0.5#53

samdom.example.com
        origin = dc1.samdom.example.com
        mail addr = hostmaster.samdom.example.com
        serial = 185
        refresh = 900
        retry = 600
        expire = 86400
        minimum = 3600

This shows that 'dc1.samdom.example.com' is authoritative for the domain.

Let's change the server that 'nslookup' uses:

> server 192.168.0.6
Default server: 192.168.0.6
Address: 192.168.0.6#53

Now rerun the SOA lookup:

> set querytype=soa
> samdom.example.com
Server:         192.168.0.6
Address:        192.168.0.6#53

samdom.example.com
        origin = dc2.samdom.example.com
        mail addr = hostmaster.samdom.example.com
        serial = 185
        refresh = 900
        retry = 600
        expire = 86400
        minimum = 3600
>

Different server, different authoritative server, *BUT* there is only one SOA record in AD:

dn: DC=@,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20151106115624.0Z
uSNCreated: 3657
showInAdvancedViewOnly: TRUE
name: @
objectGUID: 7ad014c4-c1e9-4cb4-9f0d-96d0272af23d
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
dc: @
whenChanged: 20160226163554.0Z
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
        wDataLength              : 0x004f (79)
        wType                    : DNS_TYPE_SOA (6)
        version                  : 0x05 (5)
        rank                     : DNS_RANK_ZONE (240)
        flags                    : 0x0000 (0)
        dwSerial                 : 0x000000b8 (184)
        dwTtlSeconds             : 0x00000e10 (3600)
        dwReserved               : 0x00000000 (0)
        dwTimeStamp              : 0x00378778 (3639160)
        data                     : union dnsRecordData(case 6)
        soa: struct dnsp_soa
            serial               : 0x000000b9 (185)
            refresh              : 0x00000384 (900)
            retry                : 0x00000258 (600)
            expire               : 0x00015180 (86400)
            minimum              : 0x00000e10 (3600)
            mname                : dc1.samdom.example.com
            rname                : hostmaster.samdom.example.com
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
        wDataLength              : 0x001a (26)
        wType                    : DNS_TYPE_NS (2)
        version                  : 0x05 (5)
        rank                     : DNS_RANK_ZONE (240)
        flags                    : 0x0000 (0)
        dwSerial                 : 0x000000b8 (184)
        dwTtlSeconds             : 0x00000384 (900)
        dwReserved               : 0x00000000 (0)
        dwTimeStamp              : 0x00000000 (0)
        data                     : union dnsRecordData(case 2)
        ns                       : dc1.samdom.example.com
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
        wDataLength              : 0x001a (26)
        wType                    : DNS_TYPE_NS (2)
        version                  : 0x05 (5)
        rank                     : DNS_RANK_ZONE (240)
        flags                    : 0x0000 (0)
        dwSerial                 : 0x000000b8 (184)
        dwTtlSeconds             : 0x00000384 (900)
        dwReserved               : 0x00000000 (0)
        dwTimeStamp              : 0x00377e1b (3636763)
        data                     : union dnsRecordData(case 2)
        ns                       : dc2.samdom.example.com
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
        wDataLength              : 0x0004 (4)
        wType                    : DNS_TYPE_A (1)
        version                  : 0x05 (5)
        rank                     : DNS_RANK_ZONE (240)
        flags                    : 0x0000 (0)
        dwSerial                 : 0x000000b8 (184)
        dwTtlSeconds             : 0x00000384 (900)
        dwReserved               : 0x00000000 (0)
        dwTimeStamp              : 0x00000000 (0)
        data                     : union dnsRecordData(case 1)
        ipv4                     : 192.168.0.5
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
        wDataLength              : 0x0004 (4)
        wType                    : DNS_TYPE_A (1)
        version                  : 0x05 (5)
        rank                     : DNS_RANK_ZONE (240)
        flags                    : 0x0000 (0)
        dwSerial                 : 0x000000b8 (184)
        dwTtlSeconds             : 0x00000384 (900)
        dwReserved               : 0x00000000 (0)
        dwTimeStamp              : 0x00377cfa (3636474)
        data                     : union dnsRecordData(case 1)
        ipv4                     : 192.168.0.6
uSNChanged: 117981
distinguishedName: DC=@,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com

Does that convince you ???

Rowland
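The two nslookup runs above show the same zone answered with a different MNAME depending on which DC is asked. The following is an added example, not code from the thread or from Samba: it builds two constructed SOA responses in DNS wire format (mirroring what dc1 and dc2 returned, with the thread's values), parses them with a small RFC 1035 parser that handles name compression, and reports which SOA fields differ across servers. The packets and server addresses are constructed sample data; no network access is needed. A defender checking that all DCs agree on serial, refresh, retry, expire and minimum, while MNAME legitimately varies per DC, can feed real captured responses to the same parser.

```python
import struct

SOA_TYPE = 6
IN_CLASS = 1


def _encode_name(name):
    """Encode a dotted name as uncompressed DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _read_name(msg, off):
    """Decode a possibly compressed name at offset `off`.

    Returns (name, offset just past the name in the original byte stream).
    """
    labels = []
    end = None          # set when the first compression pointer is followed
    seen = set()        # guards against pointer loops in malformed input
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            if off in seen:
                raise ValueError("compression pointer loop")
            seen.add(off)
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def build_soa_response(zone, mname, rname, serial, refresh, retry, expire,
                       minimum, txid=0x1234):
    """Construct an authoritative response with one SOA answer (sample data only)."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)   # QR=1, AA=1
    question = _encode_name(zone) + struct.pack("!HH", SOA_TYPE, IN_CLASS)
    rdata = (_encode_name(mname) + _encode_name(rname)
             + struct.pack("!IIIII", serial, refresh, retry, expire, minimum))
    # Owner name is a compression pointer to the question name at offset 12
    answer = b"\xC0\x0C" + struct.pack("!HHIH", SOA_TYPE, IN_CLASS, 3600,
                                       len(rdata)) + rdata
    return header + question + answer


def parse_soa_response(msg):
    """Return the fields of the first SOA RR in the answer section."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qdcount):
        _, off = _read_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    for _ in range(ancount):
        owner, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == SOA_TYPE:
            mname, p = _read_name(msg, off)
            rname, p = _read_name(msg, p)
            serial, refresh, retry, expire, minimum = struct.unpack_from("!IIIII", msg, p)
            return {"zone": owner, "aa": bool(flags & 0x0400), "ttl": ttl,
                    "mname": mname, "rname": rname, "serial": serial,
                    "refresh": refresh, "retry": retry, "expire": expire,
                    "minimum": minimum}
        off += rdlen
    raise ValueError("no SOA record in answer section")


def differing_fields(answers):
    """Map each SOA field to the set of distinct values seen across servers."""
    fields = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")
    return {f: {a[f] for a in answers.values()} for f in fields}


# Constructed sample responses mirroring the two nslookup runs in the thread.
SAMPLE_RESPONSES = {
    "192.168.0.5": build_soa_response("samdom.example.com", "dc1.samdom.example.com",
                                      "hostmaster.samdom.example.com",
                                      185, 900, 600, 86400, 3600),
    "192.168.0.6": build_soa_response("samdom.example.com", "dc2.samdom.example.com",
                                      "hostmaster.samdom.example.com",
                                      185, 900, 600, 86400, 3600),
}


def compare_sample_servers():
    parsed = {srv: parse_soa_response(pkt) for srv, pkt in SAMPLE_RESPONSES.items()}
    return differing_fields(parsed)


if __name__ == "__main__":
    for field, values in compare_sample_servers().items():
        state = "DIFFERS" if len(values) > 1 else "same"
        print(f"{field:8s} {state:8s} {sorted(values)}")
```

Run as a script it lists each SOA field with the set of values seen: only mname differs (dc1 versus dc2), exactly the pattern the thread describes, while the serial and timers agree because both DCs read the same record from AD.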
Am 01.03.2016 um 14:50 schrieb Rowland penny:
> On 01/03/16 13:23, Reindl Harald wrote:
>>
>> Am 01.03.2016 um 11:23 schrieb mathias dufresne:
>>> Several SOA is easy to design without breaking RFC: as every DNS server
>>> in AD is able to modify the zone, every DNS server in AD is SOA. As any
>>> DNS server is SOA and only one SOA can be returned, these DNS servers
>>> must reply "I am SOA".
>>> 10 DC running a DNS server.
>>> One client asking to DC07 for SOA.
>>> DC07 replies "SOA is DC07".
>>> One client asking to DC02 for SOA.
>>> DC02 replies "SOA is DC02".
>>
>> yes, but that's not a SOA containing two nameservers - period
>> nothing else is what i criticized because the term is wrong
>
> OK, let's use 'nslookup' to get the SOA record from my netbook:
> This shows that 'dc1.samdom.example.com' is authoritative for the domain.
> Let's change the server that 'nslookup' uses:
> Different server, different authoritative server, *BUT* there is only
> one SOA record in AD
> Does that convince you ???

there is nothing to convince

we are talking about different things
i spoke only with my DNS admin hat on
that's it
On 01/03/16 14:07, Reindl Harald wrote:
>
>
> Am 01.03.2016 um 14:50 schrieb Rowland penny:
>> On 01/03/16 13:23, Reindl Harald wrote:
>>>
>>> Am 01.03.2016 um 11:23 schrieb mathias dufresne:
>>>> Several SOA is easy to design without breaking RFC: as every DNS
>>>> server
>>>> in AD is able to modify the zone, every DNS server in AD is SOA. As
>>>> any
>>>> DNS server is SOA and only one SOA can be returned, these DNS servers
>>>> must reply "I am SOA".
>>>> 10 DC running a DNS server.
>>>> One client asking to DC07 for SOA.
>>>> DC07 replies "SOA is DC07".
>>>> One client asking to DC02 for SOA.
>>>> DC02 replies "SOA is DC02".
>>>
>>> yes, but that's not a SOA containing two nameservers - period
>>> nothing else is what i criticized because the term is wrong
>>
>> OK, let's use 'nslookup' to get the SOA record from my netbook:
>> This shows that 'dc1.samdom.example.com' is authoritative for the
>> domain.
>> Let's change the server that 'nslookup' uses:
>> Different server, different authoritative server, *BUT* there is only
>> one SOA record in AD
>> Does that convince you ???
>
> there is nothing to convince
>
> we are talking about different things
> i spoke only with my DNS admin hat on
> that's it
>
>

Well, we are getting somewhere, not sure where though :-)

Normal DNS is 99% similar to AD DNS; the only difference that I can see is that you can have a SOA record that has multiple authoritative servers, but only one at once.

Rowland
Hi Reindl,

For me there is a lot of misunderstanding around DNS, especially when it comes to AD, and a bit more when that AD is Samba AD. This thread just shows that once more.

I'm relatively new in the DNS world and learnt a lot these last months, thanks to colleagues who are daily DNS admins and who accept to enlighten me a little bit.

You claim to be a DNS admin and you said Rowland and you are speaking about different things. Can you please develop? Telling us what these different things are could at least help us to understand what the differences are between these two things you were thinking about.

I expect these two different things are clearly exposed in previous mails, but for me what they are is not exposed clearly enough, not enough for me to see what you are thinking about with my little knowledge of DNS.

And the bad point is my little knowledge is very little when I face DNS protocol questions but seems rather big when I speak with my colleagues or sometimes even on the list.

So if someone who _really_ knows DNS takes the time to share knowledge, in a way understandable by stupid-non-dns-admins (me and certainly some readers on the back benches), that would be great for all of us.

Cheers,

mathias

2016-03-01 15:07 GMT+01:00 Reindl Harald <h.reindl at thelounge.net>:
>
>
> Am 01.03.2016 um 14:50 schrieb Rowland penny:
>
>> On 01/03/16 13:23, Reindl Harald wrote:
>>
>>>
>>> Am 01.03.2016 um 11:23 schrieb mathias dufresne:
>>>
>>>> Several SOA is easy to design without breaking RFC: as every DNS server
>>>> in AD is able to modify the zone, every DNS server in AD is SOA. As any
>>>> DNS server is SOA and only one SOA can be returned, these DNS servers
>>>> must reply "I am SOA".
>>>> 10 DC running a DNS server.
>>>> One client asking to DC07 for SOA.
>>>> DC07 replies "SOA is DC07".
>>>> One client asking to DC02 for SOA.
>>>> DC02 replies "SOA is DC02".
>>>>
>>>
>>> yes, but that's not a SOA containing two nameservers - period
>>> nothing else is what i criticized because the term is wrong
>>>
>>
>> OK, let's use 'nslookup' to get the SOA record from my netbook:
>> This shows that 'dc1.samdom.example.com' is authoritative for the domain.
>> Let's change the server that 'nslookup' uses:
>> Different server, different authoritative server, *BUT* there is only
>> one SOA record in AD
>> Does that convince you ???
>>
>
> there is nothing to convince
>
> we are talking about different things
> i spoke only with my DNS admin hat on
> that's it