On Thu, 2022-02-17 at 19:17 +0100, Stefan Kania via samba wrote:
>
> I know that the reverse-records are not created automatically. We
> created the reverse-zone by hand and also the PTR-records were entered
> by hand (only DCs and servers). That's not the problem, because this is
> the same with the internal DNS. BUT the internal DNS is working without
> any NS-Record, but the bind9 will not start if the NS-record is missing.
>
> I think at least the DC with the FSMO-roles should be automatically put
> in every reverse-zone as NS-record, then everything would be fine.

I do not think you have identified the cause correctly. I have had this
problem a few times over the years. Now I think about it, it was always
when I added new DCs to the domain and demoted the old ones. I run
Bind9 and all I did to fix the problem was to delete the old reverse
zone and then recreate it; I did not revert to the internal DNS server.

After thinking about this, I think the problem is that when adding a
new DC, its DNS data is not added to the reverse zone's SOA and possibly
it isn't removed when a DC is demoted.

Rowland