Hi,

we are running a Samba AD on UCS 4.2, which comes with Samba 4.6.1.

The DNS server (192.168.0.200) is operated by bind with the samba DLZ module. It also hosts several zones outside of samba.

Every couple of hours, I get messages like these on the server:

Jun 5 23:04:58 ucsdc1 daemon:[warning] checkhints: h.root-servers.net/A (198.97.190.53) missing from hints
Jun 5 23:04:58 ucsdc1 daemon:[warning] checkhints: h.root-servers.net/A (128.63.2.53) extra record in hints
Jun 5 23:06:48 ucsdc1 daemon:[warning] checkhints: h.root-servers.net/A (198.97.190.53) missing from hints
Jun 5 23:06:48 ucsdc1 daemon:[warning] checkhints: h.root-servers.net/A (128.63.2.53) extra record in hints

This is because h.root-servers.net transitioned to a new IP one and a half years ago.
[https://www.isc.org/blogs/h-root-will-change-its-addresses-on-1-december-2015-what-does-this-mean-for-you/]

I updated the relevant section in my /etc/bind/db.root that now looks like this:

;
; FORMERLY AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     198.97.190.53
H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53

'dig -t any 192.168.0.200' says:

h.root-servers.net.     57555   IN      A       198.97.190.53
h.root-servers.net.     57555   IN      AAAA    2001:500:1::53

However, the messages keep appearing in the log. After some digging I found that 'samba-tool dns roothints 192.168.0.200' says:

  Name=h.root-servers.net., Records=1, Children=0
    A: 128.63.2.53 (flags=8, serial=0, ttl=0)

If I try to update this entry in the Windows DNS management console, I get an error message:

Failure to write NS record <h.root-servers.net>
Der Name ist nicht vorhanden.

(Last part is German - Unfortunately, I don't have an English Windows version at my disposal, but loosely translated it would be something like "The name could not be found".)

Thus, my question is: What is the correct way to update Samba's root hints?

Thank you and best regards,
Torsten
A quick search on Google gives:
http://www.unixfu.ch/how-do-i-update-the-root-hints-data-file-for-bind-named-server/

Best regards,
Marcel de Reuver

2017-06-06 11:36 GMT+02:00 Torsten Kurbad via samba <samba at lists.samba.org>:

> Hi,
>
> we are running a Samba AD on UCS 4.2, which comes with Samba 4.6.1.
>
> The DNS server (192.168.0.200) is operated by bind with the samba DLZ
> module. It also hosts several zones outside of samba.
>
> Every couple of hours, I get messages like these on the server:
>
> Jun 5 23:04:58 ucsdc1 daemon:[warning] checkhints: h.root-servers.net/A (198.97.190.53) missing from hints
> Jun 5 23:04:58 ucsdc1 daemon:[warning] checkhints: h.root-servers.net/A (128.63.2.53) extra record in hints
> Jun 5 23:06:48 ucsdc1 daemon:[warning] checkhints: h.root-servers.net/A (198.97.190.53) missing from hints
> Jun 5 23:06:48 ucsdc1 daemon:[warning] checkhints: h.root-servers.net/A (128.63.2.53) extra record in hints
>
> This is because h.root-servers.net transitioned to a new IP one and a
> half years ago.
> [https://www.isc.org/blogs/h-root-will-change-its-addresses-on-1-december-2015-what-does-this-mean-for-you/]
>
> I updated the relevant section in my /etc/bind/db.root that now looks
> like this:
>
> ;
> ; FORMERLY AOS.ARL.ARMY.MIL
> ;
> .                        3600000      NS    H.ROOT-SERVERS.NET.
> H.ROOT-SERVERS.NET.      3600000      A     198.97.190.53
> H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53
>
> 'dig -t any 192.168.0.200' says:
>
> h.root-servers.net.     57555   IN      A       198.97.190.53
> h.root-servers.net.     57555   IN      AAAA    2001:500:1::53
>
> However, the messages keep appearing in the log. After some
> digging I found that 'samba-tool dns roothints 192.168.0.200' says:
>
>   Name=h.root-servers.net., Records=1, Children=0
>     A: 128.63.2.53 (flags=8, serial=0, ttl=0)
>
> If I try to update this entry in the Windows DNS management console, I
> get an error message:
>
> Failure to write NS record <h.root-servers.net>
> Der Name ist nicht vorhanden.
>
> (Last part is German - Unfortunately, I don't have an English Windows
> version at my disposal, but loosely translated it would be something
> like "The name could not be found".)
>
> Thus, my question is: What is the correct way to update Samba's root
> hints?
>
> Thank you and best regards,
> Torsten
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
On Tue, 6 Jun 2017 13:06:42 +0200
Marcel de Reuver via samba <samba at lists.samba.org> wrote:

> A quick search on Google gives:
> http://www.unixfu.ch/how-do-i-update-the-root-hints-data-file-for-bind-named-server/
>

The OP basically did that manually, but it didn't change the record in AD.

The record is an 'A' record, but 'samba-tool dns update' will not change it, because it claims the zone does not exist.

The record has this DN:

DC=h.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com

So the zone seems to be 'RootDNSServers' but this doesn't seem to exist :-(

Rowland
Hi,

Let me try to clear some confusion.

On Tue, Jun 6, 2017 at 7:36 PM, Torsten Kurbad via samba <samba at lists.samba.org> wrote:

> Hi,
>
> we are running a Samba AD on UCS 4.2, which comes with Samba 4.6.1.
>
> The DNS server (192.168.0.200) is operated by bind with the samba DLZ
> module. It also hosts several zones outside of samba.
>
> Every couple of hours, I get messages like these on the server:
>
> Jun 5 23:04:58 ucsdc1 daemon:[warning] checkhints: h.root-servers.net/A (198.97.190.53) missing from hints
> Jun 5 23:04:58 ucsdc1 daemon:[warning] checkhints: h.root-servers.net/A (128.63.2.53) extra record in hints
> Jun 5 23:06:48 ucsdc1 daemon:[warning] checkhints: h.root-servers.net/A (198.97.190.53) missing from hints
> Jun 5 23:06:48 ucsdc1 daemon:[warning] checkhints: h.root-servers.net/A (128.63.2.53) extra record in hints
>
> This is because h.root-servers.net transitioned to a new IP one and a
> half years ago.
> [https://www.isc.org/blogs/h-root-will-change-its-addresses-on-1-december-2015-what-does-this-mean-for-you/]
>
> I updated the relevant section in my /etc/bind/db.root that now looks
> like this:
>
> ;
> ; FORMERLY AOS.ARL.ARMY.MIL
> ;
> .                        3600000      NS    H.ROOT-SERVERS.NET.
> H.ROOT-SERVERS.NET.      3600000      A     198.97.190.53
> H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53
>
> 'dig -t any 192.168.0.200' says:
>
> h.root-servers.net.     57555   IN      A       198.97.190.53
> h.root-servers.net.     57555   IN      AAAA    2001:500:1::53
>

Samba's bind-dlz module does not export root hints to BIND named. So the error you are seeing is an issue with your bind configuration.

Please check your named configuration and you will find an entry like:

zone "." IN {
    type hint;
    file "db.root";
};

This tells named to use the entries from the db.root file as hints on the root (.) domain.

If you look at the output from the bind-dlz module, it will be something like:

08-Jun-2017 18:59:51.134 samba_dlz: started for DN DC=lindom,DC=example,DC=local
08-Jun-2017 18:59:51.134 samba_dlz: starting configure
08-Jun-2017 18:59:51.136 samba_dlz: configured writeable zone 'lindom.example.local'
08-Jun-2017 18:59:51.136 samba_dlz: configured writeable zone '_msdcs.lindom.example.local'

This tells that named will use the bind_dlz module for 2 zones (lindom.example.local and _msdcs.lindom.example.local).

> However, the messages keep appearing in the log. After some
> digging I found that 'samba-tool dns roothints 192.168.0.200' says:
>
>   Name=h.root-servers.net., Records=1, Children=0
>     A: 128.63.2.53 (flags=8, serial=0, ttl=0)
>
> If I try to update this entry in the Windows DNS management console, I
> get an error message:
>
> Failure to write NS record <h.root-servers.net>
> Der Name ist nicht vorhanden.
>
> (Last part is German - Unfortunately, I don't have an English Windows
> version at my disposal, but loosely translated it would be something
> like "The name could not be found".)
>
> Thus, my question is: What is the correct way to update Samba's root
> hints?
>

The only reason for keeping the RootDNSServers zone in the AD database is to interoperate with windows AD server running DNS service.

So updating DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones zone for changing root servers is absolutely useless with bind-dlz set up. BIND named will never look at the entries in this zone for root domain hints.

Amitay.
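The "missing from hints" / "extra record in hints" pair in Torsten's log is named comparing the zone "." hints file against the root zone it actually reached, which is why, as Amitay explains, the file named loads is the only place the fix can go. The following is an added example written for this thread, not code from the samba list, BIND or Samba: it parses a hints zone file in the db.root layout and reproduces that comparison offline. Both the hints excerpt and the "live" address set are constructed sample data embedded inline (the stale 128.63.2.53 and the current 198.97.190.53 are the values quoted in the thread); against a real server the live set would come from address lookups against a root server, e.g. with dig.

```python
"""Offline re-creation of the consistency check behind named's "checkhints"
warnings.  A root-hints zone file is parsed and, per root server name and
record type, compared with the addresses the root zone actually serves.
Both inputs are constructed sample data embedded below so the script runs
without network access.
"""
from collections import defaultdict

# Constructed excerpt in the style of /etc/bind/db.root (sample data).  The A
# record for h.root-servers.net is deliberately the pre-December-2015 address
# so that the check below reproduces the two warnings seen in the thread.
SAMPLE_HINTS = """\
;       Constructed root hints excerpt (sample data, not a real db.root)
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
;
; FORMERLY AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53
"""

# Constructed "live" data: what the root zone itself serves for the same
# names (in practice obtained with dig against a root server).
SAMPLE_LIVE = {
    ("a.root-servers.net.", "A"): {"198.41.0.4"},
    ("a.root-servers.net.", "AAAA"): {"2001:503:ba3e::2:30"},
    ("h.root-servers.net.", "A"): {"198.97.190.53"},
    ("h.root-servers.net.", "AAAA"): {"2001:500:1::53"},
}


def parse_hints(text):
    """Parse a hints zone file into {(owner, type): set(rdata)}.

    Handles the classic layout "owner ttl [IN] type rdata" and strips
    ';' comments.  Owner names are lower-cased and made fully qualified.
    """
    records = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        owner = fields[0].lower()
        if not owner.endswith("."):
            owner += "."
        rest = fields[1:]
        if rest and rest[0].isdigit():        # optional TTL column
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":  # optional class column
            rest = rest[1:]
        if len(rest) < 2:
            raise ValueError(f"unparseable hints line: {raw!r}")
        rtype, rdata = rest[0].upper(), rest[1].lower()
        records[(owner, rtype)].add(rdata)
    return dict(records)


def check_hints(hints, live):
    """Return checkhints-style warnings for A/AAAA records.

    An address the root zone serves but the file lacks is "missing from
    hints"; one the file lists but the root zone no longer serves is an
    "extra record in hints".  A stale file produces the same pair on every
    periodic check, which is the repeating pattern from the thread.
    """
    owners = {o for (o, t) in list(hints) + list(live) if t in ("A", "AAAA")}
    warnings = []
    for owner in sorted(owners):
        for rtype in ("A", "AAAA"):
            in_file = hints.get((owner, rtype), set())
            actual = live.get((owner, rtype), set())
            name = owner.rstrip(".")
            for addr in sorted(actual - in_file):
                warnings.append(f"checkhints: {name}/{rtype} ({addr}) missing from hints")
            for addr in sorted(in_file - actual):
                warnings.append(f"checkhints: {name}/{rtype} ({addr}) extra record in hints")
    return warnings


if __name__ == "__main__":
    for line in check_hints(parse_hints(SAMPLE_HINTS), SAMPLE_LIVE):
        print(line)
```

Run against the sample data it prints exactly the two h.root-servers.net/A lines from the log; once the hints file carries 198.97.190.53 the output is empty. Feeding it the real file named loads (the one referenced by the zone "." hint stanza, not the RootDNSServers entries in AD) tells you whether the edit landed in the right place; named-checkzone . /etc/bind/db.root additionally validates the file's syntax.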
On Thu, 8 Jun 2017 19:19:21 +1000
Amitay Isaacs via samba <samba at lists.samba.org> wrote:

> Hi,
>
> Let me try to clear some confusion.
>
> On Tue, Jun 6, 2017 at 7:36 PM, Torsten Kurbad via samba <
> samba at lists.samba.org> wrote:
>
> Samba's bind-dlz module does not export root hints to BIND named. So
> the error you are seeing is an issue with your bind configuration.
>
> Please check your named configuration and you will find an entry like:
>
> zone "." IN {
>     type hint;
>     file "db.root";
> };
>
> This tells named to use the entries from the db.root file as hints on the
> root (.) domain.
>
> If you look at the output from the bind-dlz module, it will be something
> like:
>
> 08-Jun-2017 18:59:51.134 samba_dlz: started for DN DC=lindom,DC=example,DC=local
> 08-Jun-2017 18:59:51.134 samba_dlz: starting configure
> 08-Jun-2017 18:59:51.136 samba_dlz: configured writeable zone 'lindom.example.local'
> 08-Jun-2017 18:59:51.136 samba_dlz: configured writeable zone '_msdcs.lindom.example.local'
>
> This tells that named will use the bind_dlz module for 2 zones
> (lindom.example.local and _msdcs.lindom.example.local).
>

Yes, this is what happens for me, along with the reverse zone.

>
> The only reason for keeping the RootDNSServers zone in the AD
> database is to interoperate with windows AD server running DNS
> service.
>
> So updating DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones
> zone for changing root servers is absolutely useless with bind-dlz
> set up. BIND named will never look at the entries in this zone for
> root domain hints.
>

What does the internal dns server do? Where does it get the root servers from?

Is there some reason not to use the 'RootDNSServers' zone with Bind9?

Rowland