Hi Michael,
I'm aware of the dns_update_cache file, and I saw it being generated when
starting samba service for the first time. However, I don't understand when
it gets updated.
For example, I have added an additional DC to my domain and moved the PDC role
to it for a while. So the line for PDC record was added to the file. Once I
removed the PDC role the line in the file is still there. I know I have to
manually remove the DNS record (there can only be one pointing to the current
role owner) but I expected that at least the dns_update_cache file would have
been updated. If it is created from the template file dns_update_list the line
for PDC should have been removed. But it stays there even after service restart
and even now, after more than a day, it is there. What triggers a regeneration
of the dns_update_cache file? Any idea?
Thanks
Peter
________________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Michael
Tokarev via samba <samba at lists.samba.org>
Sent: Thursday, December 19, 2024 11:31 AM
To: samba at lists.samba.org
Subject: [Samba] Keeping DNS out of Samba
Hi!
There have been a few questions on the samba mailing list, some of which
(eg https://bugzilla.samba.org/show_bug.cgi?id=14518) are recurring
often, some aren't.
And I, once again, want to remind you that there's another approach to DNS
in samba, which avoids all these and many other issues, but it requires
a bit of work. The benefit is to have DNS under control again as in
the old good times.
The base for my setup is the fact that for an AD, the set of DNS records
which is required for operation is actually static most of the time.
There are basically a few SRV records pointing at the DCs, which only
change when the DCs change, but for the rest of the operations, it
does not change in any way. And to manage this set of records, you
don't need samba internal DNS at all.
The other part - like dynamic DNS for workstation registration - is not
covered here, since we don't use it.
Samba "publishes" DNS records in an intermediate file on each server,
in /var/lib/samba/private/dns_update_cache -- this is the file it pushes
to dynamic DNS on every DNS update. It has format very similar to a
fragment of a regular zone file.
A combination of all these files from all servers of interest can be
fed into named or nsd or whatever DNS nameserver of choice with a
trivial script. And you have to keep this in mind when changing your
set of DCs (at least), - this part needs to be re-pushed to actual
nameserver after each next change (this can be automated by
replacing dns update script with something more appropriate).
Next, I've a trivial Makefile-based zone generation script which
combines these pieces into actual nameserver, adding dnssec records,
distributing to secondary servers, and all the other things you'd
expect from a real nameserver.
Once loaded into a regular nameserver of choice, and having this
nameserver of choice in /etc/resolv.conf (and only it, no samba internal
dns!), everything will work. With that, all the samba-specific DNS issues
are gone, too.
I understand some people on this list don't find this approach good,
but I haven't seen an explanation of their opinion, despite numerous
questions about this. To me, this is much more reliable, manageable
and bug- and hassle-free than using samba internal DNS. Especially
with the "don't re-invent the wheel" theme: named is a complex thing,
it's unlikely samba will repeat it in a good way.
Thanks,
/mjt
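The "trivial script" Michael mentions is not in the thread, so here is an added example of the combining step, written for this reply and not Michael's own script nor part of Samba. It merges the dns_update_cache fragments from several DCs into one zone-file fragment and, because of the stale PDC line Peter asks about, refuses to silently emit two owners for a name that may only have one. The record layout it assumes is the one samba_dnsupdate writes (one record per line, "TYPE NAME TARGET [PORT]"); the two cache fragments, the domain ad.example.test and the DC names dc1/dc2 are constructed sample input.

```python
"""Merge the dns_update_cache fragments that several Samba DCs publish into one
zone-file fragment for a regular nameserver (named, nsd, ...).

Added example, not Michael Tokarev's own script and not part of Samba. The
record layout assumed here is the one samba_dnsupdate writes: one record per
line, "TYPE NAME TARGET [PORT]" (SRV carries a port, A/AAAA/CNAME/NS do not).
"""
from collections import defaultdict

# Constructed sample fragments for two hypothetical DCs, dc1 and dc2. The PDC
# SRV record appears in both (dc2's copy is stale after the role moved back),
# which is the situation the thread above describes.
DC1_CACHE = """\
A dc1.ad.example.test. 192.0.2.11
SRV _ldap._tcp.ad.example.test. dc1.ad.example.test. 389
SRV _kerberos._udp.ad.example.test. dc1.ad.example.test. 88
SRV _ldap._tcp.pdc._msdcs.ad.example.test. dc1.ad.example.test. 389
"""

DC2_CACHE = """\
A dc2.ad.example.test. 192.0.2.12
SRV _ldap._tcp.ad.example.test. dc2.ad.example.test. 389
SRV _kerberos._udp.ad.example.test. dc2.ad.example.test. 88
SRV _ldap._tcp.pdc._msdcs.ad.example.test. dc2.ad.example.test. 389
"""

# Names that may legitimately have only one owner; several targets here means
# one DC's cache file is stale and must be cleaned by hand.
SINGLETON_PREFIXES = ("_ldap._tcp.pdc._msdcs.",)


def parse_cache(text):
    """Yield (type, name, target, port-or-None) tuples from one cache file."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        rtype, name = fields[0].upper(), fields[1]
        if rtype == "SRV":
            if len(fields) != 4:
                raise ValueError("malformed SRV line: %r" % raw)
            yield (rtype, name, fields[2], int(fields[3]))
        elif rtype in ("A", "AAAA", "CNAME", "NS"):
            if len(fields) != 3:
                raise ValueError("malformed %s line: %r" % (rtype, raw))
            yield (rtype, name, fields[2], None)
        else:
            raise ValueError("unsupported record type in line: %r" % raw)


def merge_caches(fragments):
    """Union of all records across DCs, exact duplicates collapsed, sorted."""
    records = set()
    for text in fragments:
        records.update(parse_cache(text))
    return sorted(records)


def find_conflicts(records):
    """Singleton names claimed by more than one target, mapped to those targets."""
    owners = defaultdict(set)
    for _rtype, name, target, _port in records:
        if any(name.startswith(p) for p in SINGLETON_PREFIXES):
            owners[name].add(target)
    return {n: sorted(t) for n, t in owners.items() if len(t) > 1}


def to_zone_fragment(records, ttl=900):
    """Render merged records as zone-file lines; SRV gets priority 0, weight 100."""
    out = []
    for rtype, name, target, port in records:
        if rtype == "SRV":
            out.append("%s %d IN SRV 0 100 %d %s" % (name, ttl, port, target))
        else:
            out.append("%s %d IN %s %s" % (name, ttl, rtype, target))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    merged = merge_caches([DC1_CACHE, DC2_CACHE])
    for name, targets in find_conflicts(merged).items():
        print("WARNING: %s claimed by %s; prune the stale DC's cache file"
              % (name, ", ".join(targets)))
    print(to_zone_fragment(merged), end="")
```

In real use you would replace the two constants with the contents of /var/lib/samba/private/dns_update_cache collected from each DC, run this from the zone-generation Makefile, and let a non-empty conflict list fail the build so a stale role record never reaches the published zone.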