Univention Bugzilla – Bug 57002
dns/backend=ldap NS record delegation not working when dns/forwarder{1,2,3} is set
Last modified: 2024-01-29 09:36:27 CET
Sub-zone delegation with NS records with UCRV dns/backend=ldap does not work.

Setup:

1. Two servers not in the same domain; server 2 delegates "sub" to server 1.
2. Server 1 (10.200.17.21) - hosting delegated sub-zone "sub.phahn50.qa":

   ```sh
   DNS='phahn50.qa'
   IP=10.200.17.21 NAME='dc21'  # IP and name of delegated server
   eval "$(ucr shell)"
   udm dns/forward_zone create \
     --position "cn=dns,$ldap_base" \
     --set zone="sub.$DNS" \
     --set nameserver="$NAME.sub.$DNS." \
     --set contact=hahn@univention.de
   # host record (glue) for the name server inside the sub-zone itself
   udm dns/host_record create \
     --superordinate "zoneName=sub.$DNS,cn=dns,$ldap_base" \
     --set name="$NAME" \
     --set a="$IP"
   ```

3. Server 2 - delegating sub-zone "sub.phahn50.qa":

   ```sh
   DNS='phahn50.qa'
   IP=10.200.17.21 NAME='dc21'  # IP and name of delegated server
   eval "$(ucr shell)"
   # glue A record for the delegated name server in the parent zone
   udm dns/host_record create \
     --superordinate "zoneName=$DNS,cn=dns,$ldap_base" \
     --set name="$NAME.sub" \
     --set a="$IP"
   # NS record delegating "sub" to that name server
   udm dns/ns_record create \
     --superordinate "zoneName=$DNS,cn=dns,$ldap_base" \
     --set zone=sub \
     --set nameserver="$NAME.sub.$DNS."
   ```

- On the delegated server 2 everything works:
  - ask LDAP BIND:

    ```console
    # dig -p 7777 @127.0.0.1 sub.$DNS. soa
    ;sub.phahn50.qa.              IN  SOA
    sub.phahn50.qa.        10800  IN  SOA  dc21.sub.phahn50.qa. hahn.univention.de. 4 28800 7200 604800 10800
    sub.phahn50.qa.        10800  IN  NS   dc21.sub.phahn50.qa.
    dc21.sub.phahn50.qa.   10800  IN  A    10.200.17.21
    # dig -p 7777 @127.0.0.1 sub.$DNS. ns
    ;sub.phahn50.qa.              IN  NS
    sub.phahn50.qa.        10800  IN  NS   dc21.sub.phahn50.qa.
    dc21.sub.phahn50.qa.   10800  IN  A    10.200.17.21
    # dig -p 7777 @127.0.0.1 $NAME.sub.$DNS. a
    ;dc21.sub.phahn50.qa.         IN  A
    dc21.sub.phahn50.qa.   10800  IN  A    10.200.17.21
    sub.phahn50.qa.        10800  IN  NS   dc21.sub.phahn50.qa.
    # dig -p 7777 @127.0.0.1 sub.$DNS. axfr
    sub.phahn50.qa.        10800  IN  SOA  dc21.sub.phahn50.qa. hahn.univention.de. 4 28800 7200 604800 10800
    sub.phahn50.qa.        10800  IN  NS   dc21.sub.phahn50.qa.
    dc21.sub.phahn50.qa.   10800  IN  A    10.200.17.21
    sub.phahn50.qa.        10800  IN  SOA  dc21.sub.phahn50.qa. hahn.univention.de. 4 28800 7200 604800 10800
    ```

  - ask proxy BIND:

    ```console
    # dig @127.0.0.1 sub.$DNS. soa
    ;sub.phahn50.qa.              IN  SOA
    sub.phahn50.qa.        10800  IN  SOA  dc21.sub.phahn50.qa. hahn.univention.de. 4 28800 7200 604800 10800
    sub.phahn50.qa.        10800  IN  NS   dc21.sub.phahn50.qa.
    dc21.sub.phahn50.qa.   10800  IN  A    10.200.17.21
    # dig @127.0.0.1 sub.$DNS. ns
    ;sub.phahn50.qa.              IN  NS
    sub.phahn50.qa.        10800  IN  NS   dc21.sub.phahn50.qa.
    dc21.sub.phahn50.qa.   10800  IN  A    10.200.17.21
    # dig @127.0.0.1 $NAME.sub.$DNS. a
    ;dc21.sub.phahn50.qa.         IN  A
    dc21.sub.phahn50.qa.   10800  IN  A    10.200.17.21
    sub.phahn50.qa.        10800  IN  NS   dc21.sub.phahn50.qa.
    # dig @127.0.0.1 sub.$DNS. axfr
    sub.phahn50.qa.        10800  IN  SOA  dc21.sub.phahn50.qa. hahn.univention.de. 4 28800 7200 604800 10800
    sub.phahn50.qa.        10800  IN  NS   dc21.sub.phahn50.qa.
    dc21.sub.phahn50.qa.   10800  IN  A    10.200.17.21
    sub.phahn50.qa.        10800  IN  SOA  dc21.sub.phahn50.qa. hahn.univention.de. 4 28800 7200 604800 10800
    ```

- On the delegating server 1 remote querying works:
  - ask remote LDAP BIND:

    ```console
    # dig -p 7777 @$IP sub.$DNS. soa
    ;sub.phahn50.qa.              IN  SOA
    sub.phahn50.qa.        10800  IN  SOA  dc21.sub.phahn50.qa. hahn.univention.de. 4 28800 7200 604800 10800
    sub.phahn50.qa.        10800  IN  NS   dc21.sub.phahn50.qa.
    dc21.sub.phahn50.qa.   10800  IN  A    10.200.17.21
    # dig -p 7777 @$IP sub.$DNS. ns
    ;sub.phahn50.qa.              IN  NS
    sub.phahn50.qa.        10800  IN  NS   dc21.sub.phahn50.qa.
    dc21.sub.phahn50.qa.   10800  IN  A    10.200.17.21
    # dig -p 7777 @$IP $NAME.sub.$DNS. a
    ;dc21.sub.phahn50.qa.         IN  A
    dc21.sub.phahn50.qa.   10800  IN  A    10.200.17.21
    sub.phahn50.qa.        10800  IN  NS   dc21.sub.phahn50.qa.
    # dig -p 7777 @$IP sub.$DNS. axfr
    sub.phahn50.qa.        10800  IN  SOA  dc21.sub.phahn50.qa. hahn.univention.de. 4 28800 7200 604800 10800
    sub.phahn50.qa.        10800  IN  NS   dc21.sub.phahn50.qa.
    dc21.sub.phahn50.qa.   10800  IN  A    10.200.17.21
    sub.phahn50.qa.        10800  IN  SOA  dc21.sub.phahn50.qa. hahn.univention.de. 4 28800 7200 604800 10800
    ```

  - ask remote proxy BIND:

    ```console
    # dig @$IP sub.$DNS. soa
    ;sub.phahn50.qa.              IN  SOA
    sub.phahn50.qa.        10800  IN  SOA  dc21.sub.phahn50.qa. hahn.univention.de. 4 28800 7200 604800 10800
    sub.phahn50.qa.        10800  IN  NS   dc21.sub.phahn50.qa.
    dc21.sub.phahn50.qa.   10800  IN  A    10.200.17.21
    # dig @$IP sub.$DNS. ns
    ;sub.phahn50.qa.              IN  NS
    sub.phahn50.qa.        10800  IN  NS   dc21.sub.phahn50.qa.
    dc21.sub.phahn50.qa.   10800  IN  A    10.200.17.21
    # dig @$IP $NAME.sub.$DNS. a
    ;dc21.sub.phahn50.qa.         IN  A
    dc21.sub.phahn50.qa.   10800  IN  A    10.200.17.21
    sub.phahn50.qa.        10800  IN  NS   dc21.sub.phahn50.qa.
    # dig @$IP sub.$DNS. axfr
    sub.phahn50.qa.        10800  IN  SOA  dc21.sub.phahn50.qa. hahn.univention.de. 4 28800 7200 604800 10800
    sub.phahn50.qa.        10800  IN  NS   dc21.sub.phahn50.qa.
    dc21.sub.phahn50.qa.   10800  IN  A    10.200.17.21
    sub.phahn50.qa.        10800  IN  SOA  dc21.sub.phahn50.qa. hahn.univention.de. 4 28800 7200 604800 10800
    ```

  - ask local LDAP BIND: query works, AXFR *fails*:

    ```console
    # dig -p 7777 @127.0.0.1 sub.$DNS. soa
    ;sub.phahn50.qa.              IN  SOA
    sub.phahn50.qa.        10800  IN  SOA  dc21.sub.phahn50.qa. hahn.univention.de. 4 28800 7200 604800 10800
    sub.phahn50.qa.        10800  IN  NS   dc21.sub.phahn50.qa.
    dc21.sub.phahn50.qa.   10800  IN  A    10.200.17.21
    # dig -p 7777 @127.0.0.1 sub.$DNS. ns
    ;sub.phahn50.qa.              IN  NS
    sub.phahn50.qa.        10800  IN  NS   dc21.sub.phahn50.qa.
    dc21.sub.phahn50.qa.   10800  IN  A    10.200.17.21
    # dig -p 7777 @127.0.0.1 $NAME.sub.$DNS. a
    ;dc21.sub.phahn50.qa.         IN  A
    dc21.sub.phahn50.qa.   10800  IN  A    10.200.17.21
    sub.phahn50.qa.        10800  IN  NS   dc21.sub.phahn50.qa.
    # dig -p 7777 @127.0.0.1 sub.$DNS. axfr
    ; Transfer failed.
    ```

  - ask local proxy BIND *FAILS*:

    ```console
    # dig -p 7777 @127.0.0.1 sub.$DNS. axfr
    ; Transfer failed.
    # dig @127.0.0.1 sub.$DNS. soa
    ;sub.phahn50.qa.              IN  SOA
    # dig @127.0.0.1 sub.$DNS. ns
    ;sub.phahn50.qa.              IN  NS
    # dig @127.0.0.1 $NAME.sub.$DNS. a
    ;dc21.sub.phahn50.qa.         IN  A
    # dig @127.0.0.1 sub.$DNS. axfr
    ; Transfer failed.
    ```

    This is expected, as the AXFR from the LDAP BIND already fails, so the proxy BIND is never able to cache that zone.

The NS and glue A records are there, but they are not working as expected:

```console
# dig -p 7777 @127.0.0.1 $DNS. axfr | grep -F sub.$DNS
dc21.sub.phahn50.qa.   10800  IN  A    10.200.17.21
sub.phahn50.qa.        79200  IN  NS   dc21.sub.phahn50.qa.
```
It works when *forwarding* is disabled (`ucr unset dns/forwarder{1,2,3}`), in which case BIND9 does recursive resolving starting from the root zone itself.
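As an added example (not part of the bug report or of UCS), the following Python checker reads dig-style zone output such as the AXFR listings above and verifies that the parent zone's NS delegation, its glue A records, and the child zone's own NS set agree, which is the consistency check the `grep` above does by eye. The sample records are constructed from the report's output; `check_delegation` and `parse_rrs` are names chosen here.

```python
"""Consistency check for an NS sub-zone delegation from dig-style zone output."""
import re

# Constructed sample input, copied from the bug report's dig output:
# the parent-zone records for the sub-zone, and the child zone's AXFR.
PARENT_AXFR = """\
dc21.sub.phahn50.qa.   10800  IN  A    10.200.17.21
sub.phahn50.qa.        79200  IN  NS   dc21.sub.phahn50.qa.
"""
CHILD_AXFR = """\
sub.phahn50.qa.        10800  IN  SOA  dc21.sub.phahn50.qa. hahn.univention.de. 4 28800 7200 604800 10800
sub.phahn50.qa.        10800  IN  NS   dc21.sub.phahn50.qa.
dc21.sub.phahn50.qa.   10800  IN  A    10.200.17.21
"""

# owner  TTL  IN  TYPE  RDATA  (dig's default answer-line layout)
RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.+)$")


def parse_rrs(text: str) -> list[tuple[str, str, str]]:
    """Return (owner, type, rdata) per record line; names lower-cased, comments skipped."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR.match(line)
        if m:
            rrs.append((m.group(1).lower(), m.group(2).upper(), m.group(3).strip()))
    return rrs


def check_delegation(parent_text: str, child_text: str, subzone: str) -> dict[str, list[str]]:
    """Report delegation problems for `subzone` (FQDN with trailing dot); all lists empty means OK."""
    subzone = subzone.lower()
    parent, child = parse_rrs(parent_text), parse_rrs(child_text)
    parent_ns = {rd.lower() for o, t, rd in parent if o == subzone and t == "NS"}
    child_ns = {rd.lower() for o, t, rd in child if o == subzone and t == "NS"}
    glue = {o for o, t, _ in parent if t in ("A", "AAAA")}
    problems: dict[str, list[str]] = {"missing_ns": [], "missing_glue": [], "ns_mismatch": []}
    if not parent_ns:  # parent does not delegate the sub-zone at all
        problems["missing_ns"].append(subzone)
    for ns in sorted(parent_ns):
        # an NS name inside the delegated zone is only reachable via glue in the parent
        if ns.endswith("." + subzone) and ns not in glue:
            problems["missing_glue"].append(ns)
    problems["ns_mismatch"] = sorted(parent_ns ^ child_ns)  # NS sets should be identical
    return problems


if __name__ == "__main__":
    print(check_delegation(PARENT_AXFR, CHILD_AXFR, "sub.phahn50.qa."))
```

For the records in the report every list is empty, i.e. the delegation data itself is consistent and the failure lies in how the LDAP/proxy BIND pair handles it with forwarders set.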