You really should do this differently..
Because..
A working DNS domain should be established with forward and
reverse mappings to at least the Kerberos KDC (Samba-DC's)
and application servers you intend to Kerberize.
If you use bind_DLZ as you're doing and you want other zones synced to
another domain and you have bind running, as you have..
Why not use a master/slave setup of bind9 to do that.
So that leaves the question, why is it "suddenly" different.
My "guess" is, the latest "security fix" change of bind fixed
something,
which now is your problem.
See Debian LTS: DLA-2647-1: bind9
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marco Gaiarin via samba
> Sent: Wednesday 9 June 2021 16:19
> To: samba at lists.samba.org
> Subject: [Samba] Strange DNS issue...
>
>
> Samba 4.9.18+dfsg-0.1stretch1, Louis package, I know I need
> to upgrade.
> A domain, 6 DC.
>
> I've still a separate DNS/DHCP setup, so clients get DHCP and DNS
> addresses from other servers, in a different domain.
> Clearly, they also have a (forward) domain DNS name.
>
> Suddenly, for some days, I've had some strange DNS issues. An example:
>
> Machine 'wilkie' boots and gets addresses from the primary DNS/DHCP setup:
>
> Jun 9 08:31:10 vdmsv1 dhcpd[23742]: DHCPOFFER on 10.5.2.220 to 34:64:a9:1c:1e:4a (WILKIE) via eth0
> Jun 9 08:31:10 vdmsv1 named[10040]: client 127.0.0.1#31176/key sanvito: updating zone 'dyn.sv.lnf.it/IN': adding an RR at 'WILKIE.dyn.sv.lnf.it' A 10.5.2.220
> Jun 9 08:31:10 vdmsv1 named[10040]: client 127.0.0.1#31176/key sanvito: updating zone 'dyn.sv.lnf.it/IN': adding an RR at 'WILKIE.dyn.sv.lnf.it' TXT "318a9edb2b4f1eac9e8b7e1d6e41f75b84"
> Jun 9 08:31:10 vdmsv1 dhcpd[23742]: DHCPREQUEST for 10.5.2.220 (10.5.1.3) from 34:64:a9:1c:1e:4a (WILKIE) via eth0
> Jun 9 08:31:10 vdmsv1 dhcpd[23742]: DHCPACK on 10.5.2.220 to 34:64:a9:1c:1e:4a (WILKIE) via eth0
> Jun 9 08:31:10 vdmsv1 dhcpd[23742]: Added new forward map from WILKIE.dyn.sv.lnf.it to 10.5.2.220
> Jun 9 08:31:10 vdmsv1 named[10040]: client 127.0.0.1#31176/key sanvito: updating zone '2.5.10.in-addr.arpa/IN': adding an RR at '220.2.5.10.in-addr.arpa' PTR WILKIE.dyn.sv.lnf.it.
> Jun 9 08:31:11 vdmsv1 dhcpd[23742]: Added reverse map from 220.2.5.10.in-addr.arpa. to WILKIE.dyn.sv.lnf.it
> Jun 9 08:36:11 vdmsv1 dhcpd[23742]: DHCPREQUEST for 10.5.2.220 from 34:64:a9:1c:1e:4a (WILKIE) via eth0
> Jun 9 08:36:11 vdmsv1 dhcpd[23742]: DHCPACK on 10.5.2.220 to 34:64:a9:1c:1e:4a (WILKIE) via eth0
> [...]
>
> At the same time, the client registers itself in the domain DNS, on site 'SV',
> indeed with the correct IP:
>
> Jun 9 08:31:13 vdcsv1 named[664]: samba_dlz: allowing update of signer=WILKIE$@AD.FVG.LNF.IT name=WILKIE.ad.fvg.lnf.it tcpaddr= type=A key=1688-ms-7.1-4114.28c7707f-c8ec-11eb-64ab-3464a91c1e4a/160/0
> Jun 9 08:31:13 vdcsv1 named[664]: client 10.5.2.220#52285/key WILKIE$@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting an RR at WILKIE.ad.fvg.lnf.it A
> Jun 9 08:31:13 vdcsv1 named[664]: samba_dlz: subtracted rdataset WILKIE.ad.fvg.lnf.it 'WILKIE.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.103'
> Jun 9 08:31:14 vdcsv1 named[664]: samba_dlz: allowing update of signer=WILKIE$@AD.FVG.LNF.IT name=WILKIE.ad.fvg.lnf.it tcpaddr= type=AAAA key=1688-ms-7.2-42f8.28c7707f-c8ec-11eb-64ab-3464a91c1e4a/160/0
> Jun 9 08:31:14 vdcsv1 named[664]: samba_dlz: allowing update of signer=WILKIE$@AD.FVG.LNF.IT name=WILKIE.ad.fvg.lnf.it tcpaddr= type=A key=1688-ms-7.2-42f8.28c7707f-c8ec-11eb-64ab-3464a91c1e4a/160/0
> Jun 9 08:31:14 vdcsv1 named[664]: samba_dlz: allowing update of signer=WILKIE$@AD.FVG.LNF.IT name=WILKIE.ad.fvg.lnf.it tcpaddr= type=A key=1688-ms-7.2-42f8.28c7707f-c8ec-11eb-64ab-3464a91c1e4a/160/0
> Jun 9 08:31:14 vdcsv1 named[664]: client 10.5.2.220#50264/key WILKIE$@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'WILKIE.ad.fvg.lnf.it' AAAA
> Jun 9 08:31:14 vdcsv1 named[664]: client 10.5.2.220#50264/key WILKIE$@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'WILKIE.ad.fvg.lnf.it' A
> Jun 9 08:31:14 vdcsv1 named[664]: client 10.5.2.220#50264/key WILKIE$@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': adding an RR at 'WILKIE.ad.fvg.lnf.it' A 10.5.2.220
> Jun 9 08:31:14 vdcsv1 named[664]: samba_dlz: added rdataset WILKIE.ad.fvg.lnf.it 'WILKIE.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.220'
> Jun 9 08:31:14 vdcsv1 named[664]: samba_dlz: allowing update of signer=WILKIE$@AD.FVG.LNF.IT name=WILKIE.ad.fvg.lnf.it tcpaddr= type=AAAA key=1688-ms-7.2-42f8.28c7707f-c8ec-11eb-64ab-3464a91c1e4a/160/0
> Jun 9 08:31:14 vdcsv1 named[664]: samba_dlz: allowing update of signer=WILKIE$@AD.FVG.LNF.IT name=WILKIE.ad.fvg.lnf.it tcpaddr= type=A key=1688-ms-7.2-42f8.28c7707f-c8ec-11eb-64ab-3464a91c1e4a/160/0
> Jun 9 08:31:14 vdcsv1 named[664]: samba_dlz: allowing update of signer=WILKIE$@AD.FVG.LNF.IT name=WILKIE.ad.fvg.lnf.it tcpaddr= type=A key=1688-ms-7.2-42f8.28c7707f-c8ec-11eb-64ab-3464a91c1e4a/160/0
> Jun 9 08:31:14 vdcsv1 named[664]: client 10.5.2.220#53932/key WILKIE$@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'WILKIE.ad.fvg.lnf.it' AAAA
> Jun 9 08:31:14 vdcsv1 named[664]: client 10.5.2.220#53932/key WILKIE$@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'WILKIE.ad.fvg.lnf.it' A
> Jun 9 08:31:14 vdcsv1 named[664]: samba_dlz: subtracted rdataset WILKIE.ad.fvg.lnf.it 'WILKIE.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.220'
> Jun 9 08:31:14 vdcsv1 named[664]: client 10.5.2.220#53932/key WILKIE$@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': adding an RR at 'WILKIE.ad.fvg.lnf.it' A 10.5.2.220
> Jun 9 08:31:14 vdcsv1 named[664]: samba_dlz: added rdataset WILKIE.ad.fvg.lnf.it 'WILKIE.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.220'
> Jun 9 08:31:14 vdcsv1 named[664]: samba_dlz: allowing update of signer=WILKIE$@AD.FVG.LNF.IT name=WILKIE.ad.fvg.lnf.it tcpaddr= type=AAAA key=1688-ms-7.2-42f8.28c7707f-c8ec-11eb-64ab-3464a91c1e4a/160/0
> Jun 9 08:31:14 vdcsv1 named[664]: samba_dlz: allowing update of signer=WILKIE$@AD.FVG.LNF.IT name=WILKIE.ad.fvg.lnf.it tcpaddr= type=A key=1688-ms-7.2-42f8.28c7707f-c8ec-11eb-64ab-3464a91c1e4a/160/0
> Jun 9 08:31:14 vdcsv1 named[664]: samba_dlz: allowing update of signer=WILKIE$@AD.FVG.LNF.IT name=WILKIE.ad.fvg.lnf.it tcpaddr= type=A key=1688-ms-7.2-42f8.28c7707f-c8ec-11eb-64ab-3464a91c1e4a/160/0
> Jun 9 08:31:14 vdcsv1 named[664]: client 10.5.2.220#63100/key WILKIE$@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'WILKIE.ad.fvg.lnf.it' AAAA
> Jun 9 08:31:14 vdcsv1 named[664]: client 10.5.2.220#63100/key WILKIE$@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'WILKIE.ad.fvg.lnf.it' A
> Jun 9 08:31:14 vdcsv1 named[664]: samba_dlz: subtracted rdataset WILKIE.ad.fvg.lnf.it 'WILKIE.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.220'
> Jun 9 08:31:14 vdcsv1 named[664]: client 10.5.2.220#63100/key WILKIE$@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': adding an RR at 'WILKIE.ad.fvg.lnf.it' A 10.5.2.220
> Jun 9 08:31:14 vdcsv1 named[664]: samba_dlz: added rdataset WILKIE.ad.fvg.lnf.it 'WILKIE.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.220'
>
>
> If I now query DNS in their site, I get the correct result:
>
> gaio at hermione:~$ dig a wilkie.ad.fvg.lnf.it @vdcsv1.ad.fvg.lnf.it | grep ^wilkie
> wilkie.ad.fvg.lnf.it. 1200 IN A 10.5.2.220
> gaio at hermione:~$ dig a wilkie.ad.fvg.lnf.it @vdcsv2.ad.fvg.lnf.it | grep ^wilkie
> wilkie.ad.fvg.lnf.it. 1200 IN A 10.5.2.220
>
> but if I query DNS on the other sites' DCs, I get an incorrect result:
>
> gaio at hermione:~$ dig a wilkie.ad.fvg.lnf.it @vdcpp1.ad.fvg.lnf.it | grep ^wilkie
> wilkie.ad.fvg.lnf.it. 1200 IN A 10.5.2.57
> gaio at hermione:~$ dig a wilkie.ad.fvg.lnf.it @vdcpp2.ad.fvg.lnf.it | grep ^wilkie
> wilkie.ad.fvg.lnf.it. 1200 IN A 10.5.2.171
> gaio at hermione:~$ dig a wilkie.ad.fvg.lnf.it @vdc3t1.ad.fvg.lnf.it | grep ^wilkie
> wilkie.ad.fvg.lnf.it. 1200 IN A 10.5.2.57
> gaio at hermione:~$ dig a wilkie.ad.fvg.lnf.it @vdctms1.ad.fvg.lnf.it | grep ^wilkie
> wilkie.ad.fvg.lnf.it. 1200 IN A 10.5.2.57
>
>
> Note that basic things like 'samba-tool drs showrepl' and
> 'samba-tool ldapcmp ldap://vdcsv1 ldap://vdcpp2 -U Administrator' show
> no replication differences or errors.
>
>
> What happens?! Thanks.
>
> --
> dott. Marco Gaiarin GNUPG
> Key ID: 240A3D66
> Associazione ``La Nostra Famiglia''
> http://www.lanostrafamiglia.it/
> Polo FVG - Via della Bontà, 7 - 33078 - San Vito al
> Tagliamento (PN)
> marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711
> f +39-0434-842797
>
> Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
> http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
> (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
>
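An added example, written for this thread and not code from either poster: it automates the per-DC dig comparison done by hand above and reports every DC whose A answer differs from the DCs of the client's own site (the ones that received its dynamic update directly). dig_a assumes the dig binary is installed; SAMPLE is constructed from the addresses quoted in the thread, and the DC names are the same short names used there.

```python
import re
import subprocess
import sys

_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_short(output):
    """Keep only the A records from `dig +short` output (CNAME targets are dropped)."""
    return {ln.strip() for ln in output.splitlines() if _IPV4.match(ln.strip())}


def dig_a(name, server, timeout=5):
    """Ask one DC for `name` with dig, as the thread does by hand.
    Returns an empty set on timeout or failure so a dead DC shows up as 'no answer'."""
    cmd = ["dig", "+short", f"+time={timeout}", "+tries=1", "a", name, f"@{server}"]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True,
                              timeout=timeout + 2, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return set()
    return parse_short(proc.stdout)


def find_divergent(answers, reference_dcs):
    """answers: {dc: set of A records}.  reference_dcs: the DCs of the client's
    own site.  Returns the reference answer and {dc: answer} for every other DC
    whose answer is not identical to it (stale replicas or no answer at all)."""
    reference = set().union(*(answers.get(dc, set()) for dc in reference_dcs))
    divergent = {dc: recs for dc, recs in answers.items()
                 if dc not in reference_dcs and recs != reference}
    return reference, divergent


def check_record(name, dcs, reference_dcs, query=dig_a):
    """Query every DC for `name` and report which ones are out of step."""
    return find_divergent({dc: query(name, dc) for dc in dcs}, reference_dcs)


# Constructed sample mirroring the dig results quoted in the thread.
SAMPLE = {
    "vdcsv1": {"10.5.2.220"}, "vdcsv2": {"10.5.2.220"},
    "vdcpp1": {"10.5.2.57"}, "vdcpp2": {"10.5.2.171"},
    "vdc3t1": {"10.5.2.57"}, "vdctms1": {"10.5.2.57"},
}

if __name__ == "__main__":
    # usage: NAME REFERENCE_DC [OTHER_DC ...]; with no arguments the sample is checked
    if len(sys.argv) >= 3:
        ref, bad = check_record(sys.argv[1], sys.argv[2:], [sys.argv[2]])
    else:
        ref, bad = find_divergent(SAMPLE, ["vdcsv1", "vdcsv2"])
    print("reference answer:", sorted(ref))
    for dc, recs in sorted(bad.items()):
        print(f"DIVERGENT {dc}: {sorted(recs) or 'no answer'}")
```

Run periodically against the DC list, a non-empty divergent set is the signal that the DNS partition is drifting even while 'samba-tool drs showrepl' reports no errors.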