samba - Jun 2019 - Problem after deleting a DNS zone

El mi?., 26 jun. 2019 a las 14:48, Rowland penny via samba (<
samba at lists.samba.org>) escribi?:
> On 26/06/2019 18:36, Sergio Belkin via samba wrote:
> > I've seen this behaviour:
> >
> > 1. Create a new DNS zone,eg: example.com
> Where did you create the zone ?
> > 2. Create a independent DNS server that is now authoritative to
> example.com
> This sounds like you recreated the 'example.com' zone again on
another
> DNS server that is external to the Samba AD DC
> > 3. On samba delete the example.com zone with samba-tool samba-tool dns
> > delete.....
> >
> > The result is that using samba as DNS server it does not resolve
> example.com
> > through recursive query and fails
> It wouldn't resolve 'example.com' would it, you have just
deleted all
> the zone records.
> >
> > Am I the only one with issue? I've found a workaround runninf:
> >
> > samba-tool dbcheck --cross-ncs --fix and then restarting the service
> >
> > but it would nice that that was fixed. Or is there a proper way of
> deleting
> > zones that I don't know?
> No, you are deleting the zone in the correct way, providing it isn't
the
> AD dns domain. Your DC's should be authoritative for the AD dns domain
> and forward anything unknown to an external DNS server.
>
> Rowland
>
>
So is this a bug? it would be great is someone try to reproduce it...
Greets

-- 
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org

On 26/06/2019 18:59, Sergio Belkin via samba wrote:
> El mi?., 26 jun. 2019 a las 14:48, Rowland penny via samba (<
> samba at lists.samba.org>) escribi?:
>
>> On 26/06/2019 18:36, Sergio Belkin via samba wrote:
>>> I've seen this behaviour:
>>>
>>> 1. Create a new DNS zone,eg: example.com
>> Where did you create the zone ?
>>> 2. Create a independent DNS server that is now authoritative to
>> example.com
>> This sounds like you recreated the 'example.com' zone again on
another
>> DNS server that is external to the Samba AD DC
>>> 3. On samba delete the example.com zone with samba-tool samba-tool
dns
>>> delete.....
>>>
>>> The result is that using samba as DNS server it does not resolve
>> example.com
>>> through recursive query and fails
>> It wouldn't resolve 'example.com' would it, you have just
deleted all
>> the zone records.
>>> Am I the only one with issue? I've found a workaround runninf:
>>>
>>> samba-tool dbcheck --cross-ncs --fix and then restarting the
service
>>>
>>> but it would nice that that was fixed. Or is there a proper way of
>> deleting
>>> zones that I don't know?
>> No, you are deleting the zone in the correct way, providing it
isn't the
>> AD dns domain. Your DC's should be authoritative for the AD dns
domain
>> and forward anything unknown to an external DNS server.
>>
>> Rowland
>>
>>
> So is this a bug? it would be great is someone try to reproduce it...
> Greets
>
I do not think so, it might help if you answered the question I asked, 
where did you create the zone and I suppose why ?

What is your AD dns domain ?

What dns server are you using ? the internal dns server or Bind9 ?

Rowland

On 27/06/2019 11:22, Sergio Belkin wrote:
> El mi?., 26 jun. 2019 a las 15:11, Rowland penny via samba 
> (<samba at lists.samba.org <mailto:samba at lists.samba.org>>)
escribi?:
>
>     On 26/06/2019 18:59, Sergio Belkin via samba wrote:
>     > El mi?., 26 jun. 2019 a las 14:48, Rowland penny via samba (<
>     > samba at lists.samba.org <mailto:samba at
lists.samba.org>>) escribi?:
>     >
>     >> On 26/06/2019 18:36, Sergio Belkin via samba wrote:
>     >>> I've seen this behaviour:
>     >>>
>     >>> 1. Create a new DNS zone,eg: example.com
<http://example.com>
>     >> Where did you create the zone ?
>     >>> 2. Create a independent DNS server that is now
authoritative to
>     >> example.com <http://example.com>
>     >> This sounds like you recreated the 'example.com
>     <http://example.com>' zone again on another
>     >> DNS server that is external to the Samba AD DC
>     >>> 3. On samba delete the example.com
<http://example.com> zone
>     with samba-tool samba-tool dns
>     >>> delete.....
>     >>>
>     >>> The result is that using samba as DNS server it does not
resolve
>     >> example.com <http://example.com>
>     >>> through recursive query and fails
>     >> It wouldn't resolve 'example.com
<http://example.com>' would
>     it, you have just deleted all
>     >> the zone records.
>     >>> Am I the only one with issue? I've found a workaround
runninf:
>     >>>
>     >>> samba-tool dbcheck --cross-ncs --fix and then restarting
the
>     service
>     >>>
>     >>> but it would nice that that was fixed. Or is there a
proper way of
>     >> deleting
>     >>> zones that I don't know?
>     >> No, you are deleting the zone in the correct way, providing it
>     isn't the
>     >> AD dns domain. Your DC's should be authoritative for the
AD dns
>     domain
>     >> and forward anything unknown to an external DNS server.
>     >>
>     >> Rowland
>     >>
>     >>
>     > So is this a bug? it would be great is someone try to reproduce
>     it...
>     > Greets
>     >
>     I do not think so, it might help if you answered the question I
>     asked,
>     where did you create the zone and I suppose why ?
>
>
> Sorry! I overlooked it. I've created the zone on Samba server, because 
> I needed to replicate temporarily
>
>
>     What is your AD dns domain ?
>
>
> Let's say is another-example.com <http://another-example.com>
>
>
>     What dns server are you using ? the internal dns server or Bind9 ?
>
>
> I'm using the SAMBA4 server as DNS server. It's the internal dns
server.
>
Then I do not see what your problem is:

You have a Samba AD DC in the 'another-example.com' dns domain.

You added a zone called 'example.com'

You created a new DNS server for the 'example.com' dns domain

You deleted the 'example.com' zone from the AD DC.

At this point, unless you forward unknown dns queries to a DNS server 
that knows the 'example.com' dns domain, queries such as 'nslookup 
acomputer.example.com' will fail because your AD DC knows nothing about 
the 'example.com' dns domain.

Rowland

El jue., 27 jun. 2019 07:41, Rowland penny via samba <samba at
lists.samba.org>
escribi?:
> On 27/06/2019 11:22, Sergio Belkin wrote:
> > El mi?., 26 jun. 2019 a las 15:11, Rowland penny via samba
> > (<samba at lists.samba.org <mailto:samba at
lists.samba.org>>) escribi?:
> >
> >     On 26/06/2019 18:59, Sergio Belkin via samba wrote:
> >     > El mi?., 26 jun. 2019 a las 14:48, Rowland penny via samba
(<
> >     > samba at lists.samba.org <mailto:samba at
lists.samba.org>>) escribi?:
> >     >
> >     >> On 26/06/2019 18:36, Sergio Belkin via samba wrote:
> >     >>> I've seen this behaviour:
> >     >>>
> >     >>> 1. Create a new DNS zone,eg: example.com
<http://example.com>
> >     >> Where did you create the zone ?
> >     >>> 2. Create a independent DNS server that is now
authoritative to
> >     >> example.com <http://example.com>
> >     >> This sounds like you recreated the 'example.com
> >     <http://example.com>' zone again on another
> >     >> DNS server that is external to the Samba AD DC
> >     >>> 3. On samba delete the example.com
<http://example.com> zone
> >     with samba-tool samba-tool dns
> >     >>> delete.....
> >     >>>
> >     >>> The result is that using samba as DNS server it does
not resolve
> >     >> example.com <http://example.com>
> >     >>> through recursive query and fails
> >     >> It wouldn't resolve 'example.com
<http://example.com>' would
> >     it, you have just deleted all
> >     >> the zone records.
> >     >>> Am I the only one with issue? I've found a
workaround runninf:
> >     >>>
> >     >>> samba-tool dbcheck --cross-ncs --fix and then
restarting the
> >     service
> >     >>>
> >     >>> but it would nice that that was fixed. Or is there a
proper way
> of
> >     >> deleting
> >     >>> zones that I don't know?
> >     >> No, you are deleting the zone in the correct way,
providing it
> >     isn't the
> >     >> AD dns domain. Your DC's should be authoritative for
the AD dns
> >     domain
> >     >> and forward anything unknown to an external DNS server.
> >     >>
> >     >> Rowland
> >     >>
> >     >>
> >     > So is this a bug? it would be great is someone try to
reproduce
> >     it...
> >     > Greets
> >     >
> >     I do not think so, it might help if you answered the question I
> >     asked,
> >     where did you create the zone and I suppose why ?
> >
> >
> > Sorry! I overlooked it. I've created the zone on Samba server,
because
> > I needed to replicate temporarily
> >
> >
> >     What is your AD dns domain ?
> >
> >
> > Let's say is another-example.com
<http://another-example.com>
> >
> >
> >     What dns server are you using ? the internal dns server or Bind9 ?
> >
> >
> > I'm using the SAMBA4 server as DNS server. It's the internal
dns server.
> >
> Then I do not see what your problem is:
>
> You have a Samba AD DC in the 'another-example.com' dns domain.
>
> You added a zone called 'example.com'
>
> You created a new DNS server for the 'example.com' dns domain
>
> You deleted the 'example.com' zone from the AD DC.
>
> At this point, unless you forward unknown dns queries to a DNS server
> that knows the 'example.com' dns domain, queries such as
'nslookup
> acomputer.example.com' will fail because your AD DC knows nothing about
> the 'example.com' dns domain.
>
I use google dns as fowarder to resolve anything else. It is as is SAMBA
would say: "I had data of example.com zone, but I haven't it now. I
can't
do nothing. Bye." :)
The expected I think is that it passes the query to forward unknown domains.

In fact the problem is gone away if I run samba-tool dbcheck --cross-ncs
--fix

If i misunderstood something, please let me to know it.



> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 000000000000000000000haf
>