Bug 48529 – bind proxy (with ldap backend) does not resolve d3047ed1-9494-4c5d-8771-9efe2dbd64ed._msdcs like aliases

Bug 48529 - bind proxy (with ldap backend) does not resolve d3047ed1-9494-4c5d-8771-9efe2dbd64ed._msdcs like aliases


Summary:	bind proxy (with ldap backend) does not resolve d3047ed1-9494-4c5d-8771-9efe2...

Status:	NEW

Product:	UCS
Classification:	Unclassified
Component:	DNS
Version:	UCS 4.4
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	---
Assigned To:	UCS maintainers
QA Contact:	UCS maintainers

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2019-01-24 17:19 CET by Felix Botner
Modified:	2019-10-15 08:13 CEST (History)
CC List:	1 user (show)

See Also:	50361
What kind of report is it?:	Development Internal
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Felix Botner

2019-01-24 17:19:57 CET

Master with samba dns/backend=samba and a backup with dns/backend=ldap

-> udm dns/alias  list --superordinate "zoneName=four.three,cn=dns,dc=four,dc=three"

DN: relativeDomainName=e09cffc3-0996-4253-ad19-886df62e05b3._msdcs,zoneName=four.three,cn=dns,dc=four,dc=three
  cname: master.four.three.
  name: e09cffc3-0996-4253-ad19-886df62e05b3._msdcs
  zonettl: 80600 seconds

DN: relativeDomainName=d3047ed1-9494-4c5d-8771-9efe2dbd64ed._msdcs,zoneName=four.three,cn=dns,dc=four,dc=three
  cname: backup.four.three.
  name: d3047ed1-9494-4c5d-8771-9efe2dbd64ed._msdcs
  zonettl: 3 hours


@master-> dig @10.200.7.160 e09cffc3-0996-4253-ad19-886df62e05b3._msdcs.four.three -p 53

; <<>> DiG 9.10.3-P4-Univention <<>> @10.200.7.160 e09cffc3-0996-4253-ad19-886df62e05b3._msdcs.four.three -p 53
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10132
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;e09cffc3-0996-4253-ad19-886df62e05b3._msdcs.four.three.	IN A

;; ANSWER SECTION:
e09cffc3-0996-4253-ad19-886df62e05b3._msdcs.four.three.	900 IN CNAME master.four.three.
master.four.three.	900	IN	A	10.200.7.160


@backup-> dig @10.200.7.161 e09cffc3-0996-4253-ad19-886df62e05b3._msdcs.four.three -p 53

; <<>> DiG 9.10.3-P4-Univention <<>> @10.200.7.161 e09cffc3-0996-4253-ad19-886df62e05b3._msdcs.four.three -p 53
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 52008
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;e09cffc3-0996-4253-ad19-886df62e05b3._msdcs.four.three.	IN A

;; Query time: 4 msec
;; SERVER: 10.200.7.161#53(10.200.7.161)
;; WHEN: Thu Jan 24 16:31:02 CET 2019
;; MSG SIZE  rcvd: 83


strange thing is, this does not work

-> dig @127.0.0.1 a-b-c._msdcs.four.three -p 53
; <<>> DiG 9.10.3-P4-Univention <<>> @127.0.0.1 a-b-c._msdcs.four.three -p 53
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6810
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;a-b-c._msdcs.four.three.	IN	A

;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 24 16:34:08 CET 2019
;; MSG SIZE  rcvd: 52

but this works

-> dig @127.0.0.1 a-b-c._def.four.three -p 53

; <<>> DiG 9.10.3-P4-Univention <<>> @127.0.0.1 a-b-c._def.four.three -p 53
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58437
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;a-b-c._def.four.three.		IN	A

;; ANSWER SECTION:
a-b-c._def.four.three.	10800	IN	CNAME	master.four.three.
master.four.three.	80600	IN	A	10.200.7.160

;; AUTHORITY SECTION:
four.three.		10800	IN	NS	backup.four.three.
four.three.		10800	IN	NS	master.four.three.

;; ADDITIONAL SECTION:
backup.four.three.	172800	IN	A	10.200.7.161

;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 24 16:34:17 CET 2019
;; MSG SIZE  rcvd: 138

So, is there a special handling for "msdcs" in bind9?

(this work in UCS 4.2 [9.9.5.dfsg], but fails starting with 4.3-0 [9.10.3.dfsg.P4])


This is a bit annoying. During the samba setup in a backup the following happens

 * 96univention-samba4.inst samba provisioning
 * dns/backend still ldap
 * 98univention-samba4-dns.inst dns/backend is set to samba

so during the end of 96univention-samba4.inst and 98univention-samba4-dns.inst the special aliases like e09cffc3-0996-4253-ad19-886df62e05b3._msdcs are not resolvable therefore DRS replication is broken.

Comment 1 Arvid Requate

2019-10-15 08:13:40 CEST

Yes, _msdcs is handled specially in Samba/AD and OpenLDAP:

In Samba/AD _msdcs.${domainname} is a separate Zone, stored in ForestDNSZones in the backend.
There is a DNS glue record DC=_msdcs in the DC=${domainname} zone (under DomainDNSZones) too.
Research for Bug 50361 showed that the S4-Connector synchronizes the glue record to OpenLDAP.

Under OpenLDAP we don't have the zones separated, all records are in the ${domainname} zone.
The _msdcs glue record (it's a dns/ns_record in UDM) blocks bind9 from resolving
other *._msdcs records when dns/backend=ldap.

So I guess Bug 50361 and this one are caused by the same issue.