On Wed, Jun 7, 2017 at 5:24 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 7 Jun 2017 15:45:39 +1200
> Garming Sam <garming at catalyst.net.nz> wrote:
>
> > It looks like the original intention in our code was to be able to
> > add/modify records with the "." zone. Trying it, there seem to be
> > other issues with using it. I'm not entirely sure if this alias is
> > valid against Windows or for which calls.
>
> The zone is definitely called 'RootDNSServers' not '.'
>
> If something looks like a duck, walks like a duck and quacks like a
> duck, it is a duck.
>
> The object in AD for 'RootDNSServers' looks like a zone record, it is
> in 'CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com' and
> it has the 'objectClass' dnsZone, therefore it is a zone.
>
> Samba needs to see this zone before we can even think about
> updating/changing the root records.
>
> What is the difference between:
>
> DC=devstation,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>
> and
>
> DC=h.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=samdom,DC=example,DC=com
>
> The difference is that you can update the first record, but you cannot
> update the second, even though they are both valid DNS records in a
> zone. The only difference is that the 'samdom.example.com' zone is
> recognised by Samba and 'RootDNSServers' isn't.
>
> Sorry, but I will not be testing your patches, they are the wrong fix,
> Samba needs to see the 'RootDNSServers' zone.
>

Samba (including the internal DNS server and the bind-dlz module) has no use for the DC=RootDNSServers zone.

This zone is created and maintained primarily to interoperate with Windows AD servers running the DNS service.

I don't see any reason why we need tools to manipulate the entries in that zone. If you are running a Windows AD server with the DNS service, you can update the root hints using Windows tools.

Amitay.
On Thu, 8 Jun 2017 19:35:19 +1000
Amitay Isaacs <amitay at gmail.com> wrote:

> Samba (including internal dns server and bind-dlz module) has no use
> for DC=RootDNSServers zone.
>
> This zone is created and maintained primarily to interoperate with
> windows AD servers running DNS service.
>
> I don't see any reason why we need tools to manipulate the entries in
> that zone. If you are running windows AD server with DNS service,
> you can update the root hints using windows tools.
>
> Amitay.

Sorry, I have just tried this and I cannot update the records on Windows. Whilst ADSI Edit shows 'DC=h.root-servers.net', it just shows 'There are no items to show in this view'. The DNS Manager doesn't show the root records.

Rowland
On Thu, Jun 8, 2017 at 7:45 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 8 Jun 2017 19:35:19 +1000
> Amitay Isaacs <amitay at gmail.com> wrote:
>
> > Samba (including internal dns server and bind-dlz module) has no use
> > for DC=RootDNSServers zone.
> >
> > This zone is created and maintained primarily to interoperate with
> > windows AD servers running DNS service.
> >
> > I don't see any reason why we need tools to manipulate the entries in
> > that zone. If you are running windows AD server with DNS service,
> > you can update the root hints using windows tools.
> >
> > Amitay.
>
> Sorry, I have just tried this and I cannot update the records on
> windows. Whilst ADSI Edit shows 'DC=h.root-servers.net', it just shows
> 'There are no items to show in this view'. The DNS Manager doesn't show
> the root records.
>

Maybe the records are not meant to be modified. No one should hijack the name resolution authority, and maybe that's why MS doesn't allow you to modify the records.

On most Linux distributions, the BIND package ships with the root servers list.

Amitay.
On Thu, 8 Jun 2017 10:45:49 +0100, Rowland Penny <rpenny at samba.org> wrote:

> On Thu, 8 Jun 2017 19:35:19 +1000
> Amitay Isaacs <amitay at gmail.com> wrote:
>
> > Samba (including internal dns server and bind-dlz module) has no use
> > for DC=RootDNSServers zone.
> >
> > This zone is created and maintained primarily to interoperate with
> > windows AD servers running DNS service.
> >
> > I don't see any reason why we need tools to manipulate the entries in
> > that zone. If you are running windows AD server with DNS service,
> > you can update the root hints using windows tools.

Yes, I can for a 'real' Windows DNS service, but not for the Samba internal DNS. In any case, while bind was reporting the correct addresses for dig -t any '.', they may have come from one of our forwarders, since my bind configuration didn't include the '.' zone definition.

> Sorry, I have just tried this and I cannot update the records on
> windows. Whilst ADSI Edit shows 'DC=h.root-servers.net', it just shows
> 'There are no items to show in this view'. The DNS Manager doesn't show
> the root records.

Yeah, that's basically what Amitay said: you can update the root hints if you are running a _Windows_ DNS service. For Samba, that's obviously considered irrelevant.

However, aside from warnings in the named.log that for me most probably were caused by the missing '.' zone configuration statements, it is very confusing to have the Windows DNS management report other root servers than those actually defined in the bind configuration. Thus, I wouldn't call this a purely cosmetic issue, but an inconsistency between databases that should be in sync...

Anyway, my initial problem is seemingly solved now.

Thank you and best regards,
Torsten
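Added example for two points in this thread (not code from the Samba project or from any of the posters): Rowland's comparison of the two dnsNode DNs in the first message, and Torsten's remark that the root servers stored in AD and those in the bind configuration are two databases that should agree. The script splits a DN into its RDNs, classifies a dnsNode by zone and by the container it lives in (DC=DomainDnsZones / DC=ForestDnsZones versus CN=System in the domain partition), and then compares the node names under DC=RootDNSServers, taken from the 'dn:' lines of an ldbsearch-style dump, with the NS names for '.' in a BIND root-hints file in named.root format. Both inputs below are constructed for the example. Only names are compared: in AD the addresses sit in the binary dnsRecord attribute, which this example does not decode.

```python
"""Classify dnsNode DNs and compare AD root-hint names with a BIND hints file.
Added example; the LDIF dump and the named.root text below are constructed."""


def split_dn(dn):
    """Split a DN into (type, value) pairs, honouring backslash escapes.
    Values such as 'samdom.example.com' contain dots but no commas, so an
    unescaped comma is always an RDN separator."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == '\\' and i + 1 < len(dn):      # keep escaped char with its backslash
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if c == ',':
            rdns.append(''.join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    rdns.append(''.join(cur))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition('=')
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def classify_dns_node(dn):
    """Return (record name, zone, partition) for a dnsNode DN.
    partition is 'DomainDnsZones', 'ForestDnsZones' or 'domain' (CN=System).
    Raises ValueError for anything that is not a dnsNode under CN=MicrosoftDNS,
    e.g. the dnsZone object itself."""
    parts = split_dn(dn)
    if len(parts) < 4 or parts[0][0] != 'DC' or parts[1][0] != 'DC' \
            or parts[2] != ('CN', 'MicrosoftDNS'):
        raise ValueError('not a dnsNode under CN=MicrosoftDNS: %s' % dn)
    name, zone, container = parts[0][1], parts[1][1], parts[3]
    if container == ('CN', 'System'):
        partition = 'domain'
    elif container[0] == 'DC' and container[1] in ('DomainDnsZones', 'ForestDnsZones'):
        partition = container[1]
    else:
        raise ValueError('unexpected container %r in %s' % (container, dn))
    return name, zone, partition


def root_hint_names(named_root_text):
    """Lower-case NS names for '.' from a named.root-style hints file.
    Lines look like '.  3600000  NS  A.ROOT-SERVERS.NET.'; the class field is optional."""
    names = set()
    for line in named_root_text.splitlines():
        fields = line.split(';', 1)[0].split()
        if len(fields) >= 4 and fields[0] == '.':
            rtype = fields[3] if len(fields) >= 5 and fields[2].upper() == 'IN' else fields[2]
            if rtype.upper() == 'NS':
                names.add(fields[-1].rstrip('.').lower())
    return names


def ad_root_hint_names(ldif_text):
    """Node names under DC=RootDNSServers from the 'dn:' lines of an ldbsearch
    dump. The zone object and the '@' node are skipped; other zones are ignored."""
    names = set()
    for line in ldif_text.splitlines():
        if not line.lower().startswith('dn:'):
            continue
        try:
            name, zone, _ = classify_dns_node(line[3:].strip())
        except ValueError:
            continue
        if zone == 'RootDNSServers' and name != '@':
            names.add(name.lower())
    return names


def compare_root_hints(ldif_text, named_root_text):
    """Report which root server names exist only on one side."""
    ad, bind = ad_root_hint_names(ldif_text), root_hint_names(named_root_text)
    return {'only_in_ad': sorted(ad - bind),
            'only_in_bind': sorted(bind - ad),
            'common': sorted(ad & bind)}


# Constructed ldbsearch-style dump (dn lines only); values are illustrative.
SAMPLE_LDIF = """\
dn: DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=samdom,DC=example,DC=com
dn: DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=samdom,DC=example,DC=com
dn: DC=a.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=samdom,DC=example,DC=com
dn: DC=h.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=samdom,DC=example,DC=com
dn: DC=m.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=samdom,DC=example,DC=com
dn: DC=devstation,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
"""

# Constructed named.root excerpt; addresses are placeholders, not real root servers.
SAMPLE_NAMED_ROOT = """\
; constructed root hints for the example
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.4
.                        3600000  IN  NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.201
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     192.0.2.53
"""

if __name__ == '__main__':
    for dn in ("DC=devstation,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com",
               "DC=h.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=samdom,DC=example,DC=com"):
        print(classify_dns_node(dn))
    print(compare_root_hints(SAMPLE_LDIF, SAMPLE_NAMED_ROOT))
```

On a real DC the 'dn:' lines come from something like `ldbsearch -H /var/lib/samba/private/sam.ldb -b "CN=MicrosoftDNS,CN=System,DC=samdom,DC=example,DC=com" "(objectClass=dnsNode)" dn` (run as root), and the hints file is whatever `zone "."` with `type hint` points at in named.conf; anything listed under only_in_ad or only_in_bind is exactly the kind of mismatch Torsten saw between DNS Manager and bind.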