Samba Fan
2021-Feb-18 18:16 UTC
[Samba] Conflict entries in DNS with DHCP and dynamic DNS updates
It is about DNS updates through the ISC DHCP server failover cluster in a Samba 4 Active Directory environment. I have implemented this as described in the Samba wiki (https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9).

The failover works fine from the outside. However, the script (I use version 0.9.2) is executed on both servers at the same time (event "on commit"). This has the effect that a DNS record is created on both servers at the same time, if it did not already exist. This creates "conflict records" in both the forward and reverse zones, which the DNS then resolves so that one of them appears as hostname\nCNF:UID or ip-address\nCNF:UID in the forward zone or reverse zone, respectively.

The name resolution in both directions works, because the correct entries are in the DNS. However, the "useless" CNF entries remain. What can I set or check? How can I prevent these CNF entries? I have not found an answer yet.

These are the operating systems and versions of the software packages involved:
Server operating system: Ubuntu 16.04.7 LTS
Samba: Version 4.3.11-Ubuntu
DNS: BIND 9.10.3-P4-Ubuntu
DHCP: ISC DHCP Server version 4.3.3
Operating system of DHCP clients: Windows 10 1909 (DHCP updates by clients are disabled)

Regards, Sambafan
P

Rowland Penny
2021-Feb-19 09:15 UTC
[Samba] Conflict entries in DNS with DHCP and dynamic DNS updates
On 18/02/2021 18:16, Samba Fan via samba wrote:
> It is about DNS updates through the ISC DHCP server failover cluster in a Samba 4 Active Directory environment. I have implemented this as described in the Samba wiki (https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9).
>
> The failover works fine from the outside. However, the script (I use version 0.9.2) is executed on both servers at the same time (event "on commit"). This has the effect that a DNS record is created on both servers at the same time, if it did not already exist. This creates "conflict records" in both the forward and reverse zones, which the DNS then resolves so that one of them appears as hostname\nCNF:UID or ip-address\nCNF:UID in the forward zone or reverse zone, respectively.
>
> The name resolution in both directions works, because the correct entries are in the DNS. However, the "useless" CNF entries remain. What can I set or check? How can I prevent these CNF entries? I have not found an answer yet.
>
> These are the operating systems and versions of the software packages involved:
> Server operating system: Ubuntu 16.04.7 LTS
> Samba: Version 4.3.11-Ubuntu
> DNS: BIND 9.10.3-P4-Ubuntu
> DHCP: ISC DHCP Server version 4.3.3
> Operating system of DHCP clients: Windows 10 1909 (DHCP updates by clients are disabled)
>
> Regards, Sambafan
> P
>

Check how you have set up the failover; both DHCP servers shouldn't reply.

Rowland

Norbert Hanke
2021-Feb-19 22:30 UTC
[Samba] Conflict entries in DNS with DHCP and dynamic DNS updates
I have the same here with isc-dhcpd-4.4.1 on Debian/RaspberryOS.

I think it's a bug in the ISC DHCP server when it runs in failover pair mode: whenever a node asks for a lease and that node is already known to both DHCP servers, then both send a response (luckily the same response), and as a consequence both DHCP servers send an update to DNS. If a node with a still unknown MAC address asks for a lease the very first time, then only one of the two servers responds.

Do you see the same behaviour?

Regards, Norbert

On 18.02.2021 19:16, Samba Fan via samba wrote:
> It is about DNS updates through the ISC DHCP server failover cluster in a Samba 4 Active Directory environment. I have implemented this as described in the Samba wiki (https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9).
>
> The failover works fine from the outside. However, the script (I use version 0.9.2) is executed on both servers at the same time (event "on commit"). This has the effect that a DNS record is created on both servers at the same time, if it did not already exist. This creates "conflict records" in both the forward and reverse zones, which the DNS then resolves so that one of them appears as hostname\nCNF:UID or ip-address\nCNF:UID in the forward zone or reverse zone, respectively.
>
> The name resolution in both directions works, because the correct entries are in the DNS. However, the "useless" CNF entries remain. What can I set or check? How can I prevent these CNF entries? I have not found an answer yet.
>
> These are the operating systems and versions of the software packages involved:
> Server operating system: Ubuntu 16.04.7 LTS
> Samba: Version 4.3.11-Ubuntu
> DNS: BIND 9.10.3-P4-Ubuntu
> DHCP: ISC DHCP Server version 4.3.3
> Operating system of DHCP clients: Windows 10 1909 (DHCP updates by clients are disabled)
>
> Regards, Sambafan
> P
>
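
For the "What can I set or check?" question in the original post, one way to list leftover conflict entries is to scan an LDIF export of the zones' DNS node objects for the CNF marker. This is an added example, not part of any message in this thread and not the wiki script. It assumes the marker shows up in the DN as `\0ACNF:<GUID>`, as `\nCNF:<GUID>` (the form quoted above), or as a literal newline in a base64 DN; all zone names, host names and GUIDs are constructed.

```python
import base64
import re

# Assumed DN form: "DC=<name><newline>CNF:<GUID>,<parent>", where the newline
# appears escaped as \0A, as the two characters "\n", or literally (base64 DNs).
CNF_RE = re.compile(
    r"^DC=(?P<name>.+?)(?:\\0A|\\n|\n)CNF:(?P<guid>[0-9a-fA-F-]{36}),(?P<parent>.+)$",
    re.DOTALL,
)

def iter_dns(ldif_text):
    """Yield every DN in LDIF text, handling folded lines and base64 'dn::'."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)  # undo LDIF line folding
    for line in unfolded.splitlines():
        if line.startswith("dn:: "):
            yield base64.b64decode(line[5:]).decode("utf-8")
        elif line.startswith("dn: "):
            yield line[4:]

def find_conflict_nodes(ldif_text):
    """Return (name, guid, parent_dn) for each DNS node with a CNF marker."""
    hits = []
    for dn in iter_dns(ldif_text):
        m = CNF_RE.match(dn)
        if m:
            hits.append((m["name"], m["guid"].lower(), m["parent"]))
    return hits

# Constructed sample: zone names, host names and GUIDs are made up.
ZONE = "CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=test"
SAMPLE_LDIF = (
    "dn: DC=pc01,DC=example.test," + ZONE + "\n"
    "objectClass: dnsNode\n\n"
    # forward-zone conflict entry, DN folded across two lines
    "dn: DC=pc01\\0ACNF:11111111-2222-3333-4444-555555555555,DC=exam\n"
    " ple.test," + ZONE + "\n"
    "objectClass: dnsNode\n\n"
    # reverse-zone conflict entry, DN base64-encoded with a literal newline
    "dn:: " + base64.b64encode(
        ("DC=15\nCNF:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee,"
         "DC=1.168.192.in-addr.arpa," + ZONE).encode()).decode() + "\n"
)

if __name__ == "__main__":
    for name, guid, parent in find_conflict_nodes(SAMPLE_LDIF):
        print(f"conflict entry for {name!r} (GUID {guid}) under {parent}")
```

Each hit names the record the conflict entry duplicates, so the list can be compared against the live forward and reverse records before any cleanup.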