On Thu, 8 Jun 2017 19:19:21 +1000
Amitay Isaacs via samba <samba at lists.samba.org> wrote:

> Hi,
>
> Let me try to clear some confusion.
>
> On Tue, Jun 6, 2017 at 7:36 PM, Torsten Kurbad via samba <
> samba at lists.samba.org> wrote:
>
> Samba's bind-dlz module does not export root hints to BIND named. So
> the error you are seeing is an issue with your bind configuration.
>
> Please check your named configuration and you will find an entry like:
>
> zone "." IN {
>     type hint;
>     file "db.root";
> };
>
> This tells named to use the entries from the db.root file as hints on the
> root (.) domain.
>
> If you look at the output from the bind-dlz module, it will be something
> like:
>
> 08-Jun-2017 18:59:51.134 samba_dlz: started for DN
> DC=lindom,DC=example,DC=local
> 08-Jun-2017 18:59:51.134 samba_dlz: starting configure
> 08-Jun-2017 18:59:51.136 samba_dlz: configured writeable zone
> 'lindom.example.local'
> 08-Jun-2017 18:59:51.136 samba_dlz: configured writeable zone
> '_msdcs.lindom.example.local'
>
> This tells that named will use the bind_dlz module for 2 zones
> (lindom.example.local and _msdcs.lindom.example.local).
>

Yes, this is what happens for me, along with the reverse zone.

> The only reason for keeping the RootDNSServers zone in the AD
> database is to interoperate with a Windows AD server running the DNS
> service.
>
> So updating the DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones
> zone for changing root servers is absolutely useless with a bind-dlz
> set up. BIND named will never look at the entries in this zone for
> root domain hints.
>

What does the internal DNS server do? Where does it get the root
servers from?

Is there some reason not to use the 'RootDNSServers' zone with Bind9?

Rowland
On Thu, Jun 8, 2017 at 7:40 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Thu, 8 Jun 2017 19:19:21 +1000
> Amitay Isaacs via samba <samba at lists.samba.org> wrote:
>
> > Hi,
> >
> > Let me try to clear some confusion.
> >
> > On Tue, Jun 6, 2017 at 7:36 PM, Torsten Kurbad via samba <
> > samba at lists.samba.org> wrote:
> >
> > Samba's bind-dlz module does not export root hints to BIND named. So
> > the error you are seeing is an issue with your bind configuration.
> >
> > Please check your named configuration and you will find an entry like:
> >
> > zone "." IN {
> >     type hint;
> >     file "db.root";
> > };
> >
> > This tells named to use the entries from the db.root file as hints on the
> > root (.) domain.
> >
> > If you look at the output from the bind-dlz module, it will be something
> > like:
> >
> > 08-Jun-2017 18:59:51.134 samba_dlz: started for DN
> > DC=lindom,DC=example,DC=local
> > 08-Jun-2017 18:59:51.134 samba_dlz: starting configure
> > 08-Jun-2017 18:59:51.136 samba_dlz: configured writeable zone
> > 'lindom.example.local'
> > 08-Jun-2017 18:59:51.136 samba_dlz: configured writeable zone
> > '_msdcs.lindom.example.local'
> >
> > This tells that named will use the bind_dlz module for 2 zones
> > (lindom.example.local and _msdcs.lindom.example.local).
> >
>
> Yes, this is what happens for me, along with the reverse zone.
>
> > The only reason for keeping the RootDNSServers zone in the AD
> > database is to interoperate with a Windows AD server running the DNS
> > service.
> >
> > So updating the DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones
> > zone for changing root servers is absolutely useless with a bind-dlz
> > set up. BIND named will never look at the entries in this zone for
> > root domain hints.
> >
>
> What does the internal DNS server do? Where does it get the root
> servers from?
>

Samba's internal DNS server is an authoritative DNS server and it's not a
recursive resolver. It will resolve names only for the domains defined in
the AD database.

If you want to use the internal DNS server as a recursive resolver, then
you have to provide a DNS server which does the actual resolving (Samba
configuration option "dns forwarder"). Then the internal DNS server will
forward all the queries which it cannot resolve using the domains in the
AD database to this DNS server.

> Is there some reason not to use the 'RootDNSServers' zone with Bind9?
>

Is there some reason why BIND should? The root DNS servers are fairly
static.

Amitay.
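As an added example (not code from this thread or from Samba), a small Python audit of the split Amitay describes: the samba_dlz module serves only the zones it logs at startup, root hints come from the `zone "."` hint stanza in named.conf, and anything outside the AD zones must go to recursion or a forwarder. The named.conf, smb.conf and samba_dlz log samples are constructed, and the dlz `.so` path is a placeholder.

```python
import re

# Constructed samples (not from the thread); the dlz .so path is a placeholder.
NAMED_CONF = '''
zone "." IN {
    type hint;
    file "db.root";
};
dlz "AD DNS Zone" {
    database "dlopen /path/to/dlz_bind9.so";
};
'''
DLZ_LOG = '''
08-Jun-2017 18:59:51.134 samba_dlz: started for DN DC=lindom,DC=example,DC=local
08-Jun-2017 18:59:51.136 samba_dlz: configured writeable zone 'lindom.example.local'
08-Jun-2017 18:59:51.136 samba_dlz: configured writeable zone '_msdcs.lindom.example.local'
'''
SMB_CONF = '''
[global]
    dns forwarder = 192.0.2.53
'''

def dlz_zones(log):
    """Zones named will answer from AD via samba_dlz (parsed from its startup log)."""
    return re.findall(r"configured writeable zone '([^']+)'", log)

def has_root_hints(named_conf):
    """True if named.conf has a type-hint zone for '.': root hints come from BIND, never from AD."""
    pat = r'zone\s+"\."\s+(?:IN\s+)?\{[^}]*type\s+hint\s*;'
    return re.search(pat, named_conf) is not None

def samba_dns_forwarder(smb_conf):
    """The 'dns forwarder' the internal DNS server hands non-AD queries to, or None."""
    m = re.search(r'^\s*dns forwarder\s*=\s*(\S+)', smb_conf, re.M)
    return m.group(1) if m else None

def resolution_path(name, zones):
    """Where an answer for `name` comes from: an AD zone (authoritative) or recursion/forwarding."""
    n = name.lower().rstrip('.')
    for z in sorted(zones, key=len, reverse=True):  # longest (most specific) zone first
        if n == z.lower() or n.endswith('.' + z.lower()):
            return 'AD:' + z
    return 'recursion/forwarder'

def audit(named_conf, log, smb_conf):
    """Summarise the split: which zones AD serves, and where everything else goes."""
    return {
        'ad_zones': dlz_zones(log),
        'bind_root_hints': has_root_hints(named_conf),
        'samba_dns_forwarder': samba_dns_forwarder(smb_conf),
    }
```

If `bind_root_hints` is False on a BIND9_DLZ DC, the root-hints error belongs to named.conf, not to the RootDNSServers zone in AD.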
On Thu, 8 Jun 2017 22:45:11 +1000
Amitay Isaacs <amitay at gmail.com> wrote:

> > What does the internal DNS server do? Where does it get the root
> > servers from?
> >
>
> Samba's internal DNS server is an authoritative DNS server and it's
> not a recursive resolver. It will resolve names only for the domains
> defined in the AD database.
>
> If you want to use the internal DNS server as a recursive resolver, then
> you have to provide a DNS server which does the actual resolving (Samba
> configuration option "dns forwarder"). Then the internal DNS server will
> forward all the queries which it cannot resolve using the domains in
> the AD database to this DNS server.

Bind9 needs the forwarders setting as well.

> > Is there some reason not to use the 'RootDNSServers' zone with
> > Bind9?
> >
>
> Is there some reason why BIND should? The root DNS servers are fairly
> static.
>

It seems strange to have the zone in AD and not use it, and I have never
seen it documented anywhere that it isn't used by either of the DNS
servers.

Rowland