It looks like the original intention in our code was to be able to add/modify records with the "." zone. Trying it, there seem to be other issues with using it. I'm not entirely sure if this alias is valid against Windows or for which calls. I just hacked a patch (see attached) to see if I could add or modify another name server.

    samba-tool dns add $DC_SERVER . @ NS testing
    samba-tool dns add $DC_SERVER . testing A 1.1.1.1
    samba-tool dns roothints
      Name=, Records=14, Children=0
        NS: h.root-servers.net. (flags=40000008, serial=0, ttl=0)
        NS: f.root-servers.net. (flags=40000008, serial=0, ttl=0)
        NS: b.root-servers.net. (flags=40000008, serial=0, ttl=0)
        NS: m.root-servers.net. (flags=40000008, serial=0, ttl=0)
        NS: l.root-servers.net. (flags=40000008, serial=0, ttl=0)
        NS: i.root-servers.net. (flags=40000008, serial=0, ttl=0)
        NS: e.root-servers.net. (flags=40000008, serial=0, ttl=0)
        NS: d.root-servers.net. (flags=40000008, serial=0, ttl=0)
        NS: k.root-servers.net. (flags=40000008, serial=0, ttl=0)
        NS: a.root-servers.net. (flags=40000008, serial=0, ttl=0)
        NS: g.root-servers.net. (flags=40000008, serial=0, ttl=0)
        NS: c.root-servers.net. (flags=40000008, serial=0, ttl=0)
        NS: j.root-servers.net. (flags=40000008, serial=0, ttl=0)
        NS: testing. (flags=40000008, serial=10965, ttl=900)
      Name=h.root-servers.net., Records=1, Children=0
        A: 128.63.2.53 (flags=8, serial=0, ttl=0)
      Name=f.root-servers.net., Records=1, Children=0
        A: 192.5.5.241 (flags=8, serial=0, ttl=0)
      Name=b.root-servers.net., Records=1, Children=0
        A: 192.228.79.201 (flags=8, serial=0, ttl=0)
      Name=m.root-servers.net., Records=1, Children=0
        A: 202.12.27.33 (flags=8, serial=0, ttl=0)
      Name=l.root-servers.net., Records=1, Children=0
        A: 199.7.83.42 (flags=8, serial=0, ttl=0)
      Name=i.root-servers.net., Records=1, Children=0
        A: 192.36.148.17 (flags=8, serial=0, ttl=0)
      Name=e.root-servers.net., Records=1, Children=0
        A: 192.203.230.10 (flags=8, serial=0, ttl=0)
      Name=d.root-servers.net., Records=1, Children=0
        A: 128.8.10.90 (flags=8, serial=0, ttl=0)
      Name=k.root-servers.net., Records=1, Children=0
        A: 193.0.14.129 (flags=8, serial=0, ttl=0)
      Name=a.root-servers.net., Records=1, Children=0
        A: 198.41.0.4 (flags=8, serial=0, ttl=0)
      Name=g.root-servers.net., Records=1, Children=0
        A: 192.112.36.4 (flags=8, serial=0, ttl=0)
      Name=c.root-servers.net., Records=1, Children=0
        A: 192.33.4.12 (flags=8, serial=0, ttl=0)
      Name=j.root-servers.net., Records=1, Children=0
        A: 192.58.128.30 (flags=8, serial=0, ttl=0)
      Name=testing., Records=1, Children=0
        A: 1.1.1.1 (flags=8, serial=10965, ttl=900)

Maybe the Windows DNS management console might work now. Any tests of RootHints in python/samba/tests/samba_tool/dnscmd.py would be appreciated. Seeing which aliases work against Windows would be a good idea ('.' is what Samba supports for modification, but is supplying '..RootHints' as the zone also supposed to work?). I'm also not sure if users with the correct permission will be able (or unable) to modify this zone.

Cheers,

Garming

On 07/06/17 02:34, Rowland Penny via samba wrote:
> On Tue, 6 Jun 2017 15:26:33 +0100
> Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>>> Exactly.
>>>
>>> Of course, I could try and change the data using ldbedit, but AD DNS
>>> records are stored in a binary encoded data structure that not only
>>> includes record type and value, but also a serial number, etc.
>>>
>>> Thus, such a manual change would be error prone, to say the least.
>>>
>>> Perhaps, samba-tool could be enhanced to make changing the root
>>> hints possible? It can handle "normal" DNS records, so I wouldn't
>>> expect non-trivial showstoppers...
>>>
>> This was my first thought, but after comparing the record in AD for
>> 'RootDNSServers' with the forward zone, it is a zone, but 'samba-tool
>> dns zonelist' doesn't show it. It looks like the 'C' code is where the
>> problem lies.
>>
>> I am going to raise a bug report for this.
>>
>> Rowland
>>
> see: https://bugzilla.samba.org/show_bug.cgi?id=12823
>
> Rowland

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-dnsdb-Allow-modification-of-root-hints.patch
Type: text/x-patch
Size: 2603 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba/attachments/20170607/c19b9cff/0001-dnsdb-Allow-modification-of-root-hints.bin>
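An added audit script, not part of this thread or of Samba itself: it parses the `samba-tool dns roothints` listing format shown above and flags root NS names outside the standard root-servers.net set, plus any record whose serial is non-zero. The serial heuristic is an assumption drawn from the listing above, where the provisioned hints carry serial=0 and the hand-added entries carry serial=10965; the sample listing is constructed and abbreviated.

```python
import re

# Constructed sample in the 'samba-tool dns roothints' listing format from this
# thread, abbreviated to one real root server plus the hand-added 'testing.'.
SAMPLE_ROOTHINTS = """\
Name=, Records=2, Children=0
  NS: a.root-servers.net. (flags=40000008, serial=0, ttl=0)
  NS: testing. (flags=40000008, serial=10965, ttl=900)
Name=a.root-servers.net., Records=1, Children=0
  A: 198.41.0.4 (flags=8, serial=0, ttl=0)
Name=testing., Records=1, Children=0
  A: 1.1.1.1 (flags=8, serial=10965, ttl=900)
"""

# The thirteen IANA root server names; anything else at the root is suspect.
EXPECTED_ROOT_NS = {"%s.root-servers.net." % c for c in "abcdefghijklm"}

NAME_RE = re.compile(r"^\s*Name=(.*?), Records=(\d+), Children=(\d+)$")
RR_RE = re.compile(r"^\s*(\w+): (\S+) \(flags=([0-9a-f]+), serial=(\d+), ttl=(\d+)\)$")


def parse_roothints(text):
    """Map each Name= owner ('' is the root itself) to its parsed records."""
    zone, current = {}, None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            current = m.group(1)
            zone.setdefault(current, [])
            continue
        m = RR_RE.match(line)
        if m and current is not None:
            rtype, value, _flags, serial, ttl = m.groups()
            zone[current].append({"type": rtype, "value": value,
                                  "serial": int(serial), "ttl": int(ttl)})
    return zone


def audit_roothints(text):
    """Flag root NS names outside the known set, and records with a non-zero
    serial (assumption: provisioned hints have serial=0, later writes do not)."""
    zone = parse_roothints(text)
    findings = []
    for rr in zone.get("", []):
        if rr["type"] == "NS" and rr["value"] not in EXPECTED_ROOT_NS:
            findings.append("unexpected root NS %s" % rr["value"])
    for owner, rrs in zone.items():
        for rr in rrs:
            if rr["serial"] != 0:
                findings.append("%s %s -> %s modified (serial=%d)"
                                % (rr["type"], owner or ".", rr["value"], rr["serial"]))
    return findings
```

Feed it the output of `samba-tool dns roothints` from each DC; an empty findings list means the hints still match the provisioned set.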
On Wed, 7 Jun 2017 15:45:39 +1200
Garming Sam <garming at catalyst.net.nz> wrote:

> It looks like the original intention in our code was to be able to
> add/modify records with the "." zone. Trying it, there seem to be
> other issues with using it. I'm not entirely sure if this alias is
> valid against Windows or for which calls.

The zone is definitely called 'RootDNSServers', not '.'

If something looks like a duck, walks like a duck and quacks like a duck, it is a duck.

The object in AD for 'RootDNSServers' looks like a zone record, it is in 'CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com' and it has the 'objectClass' dnsZone, therefore it is a zone.

Samba needs to see this zone before we can even think about updating/changing the root records.

What is the difference between:

    DC=devstation,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com

and

    DC=h.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=samdom,DC=example,DC=com

The difference is that you can update the first record, but you cannot update the second, even though they are both valid DNS records in a zone. The only difference is that the 'samdom.example.com' zone is recognised by Samba and 'RootDNSServers' isn't.

Sorry, but I will not be testing your patches, they are the wrong fix, Samba needs to see the 'RootDNSServers' zone.

Rowland
The RootDNSServers zone is special in a number of ways. It has no SOA record for instance, and so there's a lot of special casing around it.

Looking on a Windows DC, `dnscmd /enumzones` lists dot as a zone and `dnscmd /enumrecords .` returns the root servers (as well as `..RootHints`, it seems). None of this is our choice of convention unfortunately, but it should be fairly simple to make the client tools have aliases for these.

In terms of listing a name during enumeration of zones, the fact Windows lists . somehow, but I don't think we do, means there's more to be done here. It may just be some more client magic (that they've done and we may need to do), but the underlying RPC/C code which lists the zone probably shouldn't list any strange aliases that we decide.

Cheers,

Garming

On 07/06/17 19:24, Rowland Penny via samba wrote:
> On Wed, 7 Jun 2017 15:45:39 +1200
> Garming Sam <garming at catalyst.net.nz> wrote:
>
>> It looks like the original intention in our code was to be able to
>> add/modify records with the "." zone. Trying it, there seem to be
>> other issues with using it. I'm not entirely sure if this alias is
>> valid against Windows or for which calls.
> The zone is definitely called 'RootDNSServers' not '.'
>
> If something looks like a duck, walks like a duck and quacks like a
> duck, it is a duck.
>
> The object in AD for 'RootDNSServers' looks like a zone record, it is
> in 'CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com' and
> it has the 'objectClass' dnsZone, therefore it is a zone.
>
> Samba needs to see this zone before we can even think about
> updating/changing the root records.
>
> What is the difference between:
>
> DC=devstation,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>
> and
>
> DC=h.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=samdom,DC=example,DC=com
>
> The difference is that you can update the first record, but you cannot
> update the second, even though they are both valid DNS records in a
> zone. The only difference is that the 'samdom.example.com' zone is
> recognised by Samba and 'RootDNSServers' isn't
>
> Sorry, but I will not be testing your patches, they are the wrong fix,
> Samba needs to see the 'RootDNSServers' zone.
>
> Rowland
On Wed, Jun 7, 2017 at 5:24 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 7 Jun 2017 15:45:39 +1200
> Garming Sam <garming at catalyst.net.nz> wrote:
>
> > It looks like the original intention in our code was to be able to
> > add/modify records with the "." zone. Trying it, there seem to be
> > other issues with using it. I'm not entirely sure if this alias is
> > valid against Windows or for which calls.
>
> The zone is definitely called 'RootDNSServers' not '.'
>
> If something looks like a duck, walks like a duck and quacks like a
> duck, it is a duck.
>
> The object in AD for 'RootDNSServers' looks like a zone record, it is
> in 'CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com' and
> it has the 'objectClass' dnsZone, therefore it is a zone.
>
> Samba needs to see this zone before we can even think about
> updating/changing the root records.
>
> What is the difference between:
>
> DC=devstation,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>
> and
>
> DC=h.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=samdom,DC=example,DC=com
>
> The difference is that you can update the first record, but you cannot
> update the second, even though they are both valid DNS records in a
> zone. The only difference is that the 'samdom.example.com' zone is
> recognised by Samba and 'RootDNSServers' isn't
>
> Sorry, but I will not be testing your patches, they are the wrong fix,
> Samba needs to see the 'RootDNSServers' zone.
>

Samba (including the internal DNS server and the bind-dlz module) has no use for the DC=RootDNSServers zone. This zone is created and maintained primarily to interoperate with Windows AD servers running the DNS service. I don't see any reason why we need tools to manipulate the entries in that zone. If you are running a Windows AD server with the DNS service, you can update the root hints using Windows tools.

Amitay.