Bug 39384 - Don't add schoolslaves as nameservers for the Forward Lookup Zone
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: General
UCS@school 4.0 R2
Other Linux
P5 normal
UCS@school 4.0 R2 Errata
Assigned To: Daniel Tröder
Sönke Schwardt-Krummrich
Blocks: 40139 40470
Reported: 2015-09-22 15:12 CEST by Michael Grandjean
Modified: 2017-02-27 18:34 CET (History)
Description Michael Grandjean univentionstaff 2015-09-22 15:12:30 CEST
Setup:
* UCS@school Multi-Server-Environment
* DC Master with Samba AD
* School-Slave with Samba AD
* UCS 4.0-3 Errata 320
* UCS@school 4.0 R2 v1

General:
A UCS Domain Controller also provides DNS services and is therefore automatically added to the default Forward Lookup Zone as a nameserver. This adds it to the DNS AUTHORITY SECTION and the DNS ADDITIONAL SECTION (as seen with dig). In a typical UCS domain, this is desired behaviour.
In a UCS@school multi-server environment, this is counterproductive.

Observed behaviour:
All schoolslaves are also added to the Forward Lookup Zone as nameservers and therefore show up in the DNS AUTHORITY SECTION and the DNS ADDITIONAL SECTION. AFAIK this has two drawbacks:
- Schoolslaves are shown as authoritative nameservers for other schools/networks. Imho this won't work. Usually they are not even reachable.
- This easily blows the DNS UDP packet, because with around 20 to 25 schoolslaves/nameservers, the answer is bigger than 512 bytes. The UDP packet then gets truncated.
Workaround: Use TCP for DNS or extend the accepted packet size (e.g. "dig +bufsize=1024 <FQDN>").

Expected behaviour:
- schoolslaves are not added to the Forward Lookup Zone as nameservers (or removed after installing UCS@school). Clients need to be configured with the correct DNS settings of this particular school anyway.
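To make the second drawback concrete, here is an added example that is not part of the bug report and not code from UCS or BIND: a minimal DNS response encoder with RFC 1035 name compression (the same compression BIND applies), used to measure how large an A-record answer becomes when the master and n school slaves are all listed as NS records with glue. The zone "school.example", the host names ("master", "dc01", ...) and the 10.x addresses are constructed; with these short names the 512-byte DNS-over-UDP limit is crossed at 13 slaves, and with longer real-world names it is crossed earlier.

```python
"""Added example (not part of the bug report or of UCS): estimate how large
the DNS answer described above becomes when every school slave is listed as
nameserver, and at which count it exceeds the 512-byte DNS-over-UDP limit.
Names, addresses and the zone "school.example" are constructed."""
import struct

UDP_LIMIT = 512                # classic DNS/UDP payload limit without EDNS0
TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1
QUESTION, ANSWER, AUTHORITY, ADDITIONAL = 0, 1, 2, 3


class DnsMessage:
    """Minimal DNS response encoder with RFC 1035 name compression, which is
    what BIND uses, so the sizes are realistic for the given name lengths."""

    def __init__(self, txid=0x1234, flags=0x8580):  # QR|AA|RD|RA, NOERROR
        self.buf = bytearray(12)         # header, filled in by wire()
        self.txid, self.flags = txid, flags
        self.table = {}                  # label-suffix tuple -> message offset
        self.counts = [0, 0, 0, 0]       # qdcount, ancount, nscount, arcount

    def _name(self, name):
        labels = [l for l in name.rstrip(".").split(".") if l]
        for i, label in enumerate(labels):
            suffix = tuple(labels[i:])
            if suffix in self.table:     # emit a 2-byte pointer to the earlier copy
                self.buf += struct.pack("!H", 0xC000 | self.table[suffix])
                return
            if len(self.buf) < 0x4000:   # pointers can only address 14 bits
                self.table[suffix] = len(self.buf)
            self.buf += bytes([len(label)]) + label.encode("ascii")
        self.buf += b"\x00"              # root label

    def question(self, qname, qtype):
        self._name(qname)
        self.buf += struct.pack("!HH", qtype, CLASS_IN)
        self.counts[QUESTION] += 1

    def rr(self, section, owner, rtype, *, target=None, ipv4=None, ttl=3600):
        self._name(owner)
        self.buf += struct.pack("!HHI", rtype, CLASS_IN, ttl)
        rdlen_at = len(self.buf)
        self.buf += b"\x00\x00"          # RDLENGTH, patched below
        if target is not None:           # NS: a (compressible) domain name
            self._name(target)
        else:                            # A: four raw octets
            self.buf += bytes(int(o) for o in ipv4.split("."))
        struct.pack_into("!H", self.buf, rdlen_at, len(self.buf) - rdlen_at - 2)
        self.counts[section] += 1

    def wire(self):
        struct.pack_into("!HHHHHH", self.buf, 0, self.txid, self.flags, *self.counts)
        return bytes(self.buf)


def build_response(domain, nameservers, client="client"):
    """A-record lookup for client.<domain>, answered by an authoritative server
    that lists every entry of `nameservers` in AUTHORITY plus glue in ADDITIONAL."""
    msg = DnsMessage()
    fqdn = f"{client}.{domain}"
    msg.question(fqdn, TYPE_A)
    msg.rr(ANSWER, fqdn, TYPE_A, ipv4="10.0.0.50")           # constructed address
    for ns in nameservers:
        msg.rr(AUTHORITY, domain, TYPE_NS, target=f"{ns}.{domain}")
    for i, ns in enumerate(nameservers):                      # glue records
        msg.rr(ADDITIONAL, f"{ns}.{domain}", TYPE_A,
               ipv4=f"10.{i // 250 + 1}.{i % 250 + 1}.1")
    return msg.wire()


def response_size(n_school_slaves, domain="school.example"):
    """Wire size with the master plus n school slaves registered as nameservers."""
    nameservers = ["master"] + [f"dc{i:02d}" for i in range(1, n_school_slaves + 1)]
    return len(build_response(domain, nameservers))


def exceeds_udp_limit(n_school_slaves):
    """True if a resolver without EDNS0 would get a truncated (TC=1) reply."""
    return response_size(n_school_slaves) > UDP_LIMIT


if __name__ == "__main__":
    for n in (0, 5, 12, 13, 25):
        flag = "  -> truncated over UDP" if exceeds_udp_limit(n) else ""
        print(f"{n:2d} school slaves: {response_size(n):4d} bytes{flag}")
```

Each additional slave costs 35 bytes here (19 for the NS record, 16 for its glue A record), so the budget left after header, question and answer (92 bytes) is used up after 12 slaves; the "dig +bufsize" workaround only raises the client's advertised buffer, it does not change what the server has to send.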
Comment 1 Michael Grandjean univentionstaff 2015-09-22 15:17:50 CEST
See also:
Bug #27043
Issue 3165
Comment 2 Michael Grandjean univentionstaff 2015-09-28 14:48:51 CEST
Obviously happens in 05univention-bind.inst:

>        # Append local server as DNS server to the zones
>        zone="$(udm dns/forward_zone list "$@" --filter "(&(zone=$domainname)(!(nameserver=${hostname}.${domainname}.)))" | sed -ne 's|DN: ||p')"
>        if [ -n "$zone" ]; then
>                udm dns/forward_zone modify "$@" --dn "$zone" --append nameserver="${hostname}.${domainname}."
>        fi
Comment 3 Daniel Tröder univentionstaff 2015-12-02 09:05:07 CET
66024: univention-bind: prevent adding dc slave and in ucs@school environment as DNS server, built in scope ucs-school-4.0r2
66026: ucs-school-metapackage: remove schoolslaves as nameservers from the forward lookup zone
66043: univention-bind.yaml: add build version 9.0.5-4.212.201512020859
Comment 4 Sönke Schwardt-Krummrich univentionstaff 2015-12-14 13:28:28 CET
(In reply to Daniel Tröder from comment #3)
> 66024: univention-bind: prevent adding dc slave and in ucs@school
> environment as DNS server, built in scope ucs-school-4.0r2
> 66026: ucs-school-metapackage: remove schoolslaves as nameservers from the
> forward lookup zone
> 66043: univention-bind.yaml: add build version 9.0.5-4.212.201512020859

1) We should also skip the registration at reverse zones.

2) univention-bind should not check for a UCS@school package name. This produces update problems if e.g. package names are changed in UCS@school. We should introduce a new UCR variable to disable the registration as additional authoritative nameserver.
The UCS@school meta-package may set the UCR variables:

ucr set dns/nameserver/registration/forward_zone=no \
        dns/nameserver/registration/reverse_zone=no

and in 05univention-bind.inst the joinscript skips the registration at the corresponding forward/reverse zone. 

3) The join scripts of the meta packages (62ucs-school-slave.inst and 62ucs-school-nonedu-slave.inst) should skip the removal of the corresponding dns zone entry if dns/nameserver/registration/(forward|reverse)_zone is empty or set to one of the "true" values.
So it is possible to override the default behaviour by forced-setting one/two UCR variables.

4) The join script version of 62ucs-school-slave.inst and 62ucs-school-nonedu-slave.inst has to be bumped, so the removal of the dns zone entry is also performed on updates.

5) From xml changelog: "Domain controller slaves do not configure themselves as DNS servers anymore" → this is not true. The DC slaves are not registered as authoritative DNS servers for the specific DNS forward/reverse zone. They are still valid DNS resolvers for clients.

→ REOPEN
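The gating proposed in points 2 and 3 above has an asymmetry worth spelling out: an empty variable means "register" on the univention-bind side but "do not remove" on the UCS@school side, so an admin can keep a slave as authoritative nameserver by force-setting the variable to a true value. The following POSIX sh functions are an added example that is not code from univention-bind or ucs-school-metapackage; the set of strings treated as "false" (no/false/0/off/disable/disabled) is an assumption modelled on UCR's boolean helpers, and the two variable names are the ones named in the comment.

```sh
#!/bin/sh
# Added example (not from univention-bind or ucs-school-metapackage): the
# join-script gating logic proposed above, as plain POSIX sh functions.
# ASSUMPTION: the "false" spellings below mirror UCR's boolean helpers;
# check the ucr(5) documentation on a real system before relying on them.

# Return 0 if $1 is one of the assumed UCR "false" values (case-insensitive).
is_ucr_false() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        no|false|0|off|disable|disabled) return 0 ;;
        *) return 1 ;;
    esac
}

# Map a zone kind ("forward" / "reverse") to its UCR variable name.
ucr_var_for_zone() {
    case "$1" in
        forward|reverse) echo "dns/nameserver/registration/${1}_zone" ;;
        *) echo "unknown zone kind: $1" >&2; return 2 ;;
    esac
}

# univention-bind side (05univention-bind.inst): register this host as
# nameserver unless the variable is explicitly false. Empty = default = register.
should_register_nameserver() {
    is_ucr_false "$1" && return 1
    return 0
}

# ucs-school-metapackage side (62ucs-school-*.inst): remove this host from the
# zone only when the variable is explicitly false. Empty or a "true" value means
# the default was overridden by an admin, so the NS entry is left alone.
should_remove_nameserver() {
    is_ucr_false "$1"
}

# Decide what one join script does for one zone.
#   $1: "bind" or "school"   $2: "forward" or "reverse"   $3: current UCR value
# Prints "<register|remove|skip> <ucr variable>".
plan_nameserver_action() {
    side="$1"; zone_kind="$2"; value="$3"
    var="$(ucr_var_for_zone "$zone_kind")" || return 2
    case "$side" in
        bind)
            if should_register_nameserver "$value"; then action=register; else action=skip; fi ;;
        school)
            if should_remove_nameserver "$value"; then action=remove; else action=skip; fi ;;
        *)
            echo "unknown side: $side" >&2; return 2 ;;
    esac
    echo "$action $var"
}

# Stand-alone demo over constructed values: ./gating.sh demo
if [ "${1:-}" = "demo" ]; then
    for v in "" yes no NO false; do
        printf "value='%s'\n  bind:   %s\n  school: %s\n" "$v" \
            "$(plan_nameserver_action bind forward "$v")" \
            "$(plan_nameserver_action school forward "$v")"
    done
fi
```

The same two functions serve both zones, which is what point 1 asks for: the reverse zone gets its own variable but identical semantics, so a value of "no" on a school slave disables registration in univention-bind and triggers removal in the UCS@school join script, while an untouched (empty) variable leaves an existing NS entry in place.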
Comment 5 Daniel Tröder univentionstaff 2015-12-15 13:36:40 CET
UCRVs dns/nameserver/registration/forward_zone and dns/nameserver/registration/reverse_zone now allow to disable the automatic registration as additional nameservers.

66341: univention-bind: add UCRVs
66342: ucs-school-metapackage: use UCRVs, also remove reverse zone, bump join script version
66345: univention-bind: update package version in advisory
66346: ucs-school-metapackage: set UCRVs
Comment 6 Daniel Tröder univentionstaff 2015-12-15 15:44:00 CET
Commit 66361 moves the setting of the UCRVs from the join scripts to the postinsts.
Comment 7 Sönke Schwardt-Krummrich univentionstaff 2015-12-17 01:23:15 CET
A customer has already removed all school slaves from the list of authoritative nameservers. The list only contains two non-UCS@school DC slaves at the central network. So far, no problems with Windows clients are known in that environment (Join, Logon, GPOs).

1) Slave is no longer added to forward/reverse zone by univention-bind if UCR variables are set to no.
2) Removal of nameserver entry in forward zone was successful.
3) Removal of nameserver entry in reverse zone failed → fixed via r66418
4) xml changelog entry is ok

@Daniel: please have a quick review of my last commit.
Comment 8 Daniel Tröder univentionstaff 2015-12-17 08:46:11 CET
(In reply to Sönke Schwardt-Krummrich from comment #5)
> 3) Removal of nameserver entry in reverse zone failed → fixed via r66417
> @Daniel: please have a quick review of my last commit.
Code looks fine and runs (thanks for the reversezone-fix, good idea to copy the is_ucr_false code to 4.0).
Comment 9 Sönke Schwardt-Krummrich univentionstaff 2015-12-17 10:34:00 CET
(In reply to Sönke Schwardt-Krummrich from comment #5)
> 3) Removal of nameserver entry in reverse zone failed → fixed via r66417
Ok, also tested the package on my test machine.
→ VERIFIED
Comment 10 Sönke Schwardt-Krummrich univentionstaff 2015-12-21 16:26:07 CET
UCS@school 4.0 R2 v4 has been released:
http://docs.univention.de/release-notes-ucsschool-4.0R2v4-de.html

If this error occurs again, please use "Clone This Bug".
Comment 11 Janek Walkenhorst univentionstaff 2016-01-12 12:30:56 CET
<http://errata.software-univention.de/ucs/4.0/378.html>