Univention Bugzilla – Bug 39384
Don't add schoolslaves as nameservers for the Forward Lookup Zone
Last modified: 2017-02-27 18:34:14 CET
Setup:
* UCS@school Multi-Server-Environment
* DC Master with Samba AD
* School-Slave with Samba AD
* UCS 4.0-3 Errata 320
* UCS@school 4.0 R2 v1

General:
A UCS Domain Controller also provides DNS services and is therefore automatically added to the default Forward Lookup Zone as a nameserver. This adds it to the DNS AUTHORITY SECTION and the DNS ADDITIONAL SECTION (as seen with dig). In a typical UCS domain, this is the desired behaviour. In a UCS@school multi-server environment, this is counterproductive.

Observed behaviour:
All schoolslaves are also added to the Forward Lookup Zone as nameservers and therefore show up in the DNS AUTHORITY SECTION and the DNS ADDITIONAL SECTION. AFAIK this has two drawbacks:
- Schoolslaves are shown as authoritative nameservers for other schools/networks. Imho this won't work. Usually they are not even reachable.
- This easily exceeds the DNS UDP packet size, because with around 20 to 25 schoolslaves/nameservers the answer is bigger than 512 bytes. The UDP packet then gets truncated.

Workaround:
Use TCP for DNS or extend the accepted packet size (e.g. "dig +bufsize=1024 <FQDN>").

Expected behaviour:
- Schoolslaves are not added to the Forward Lookup Zone as nameservers (or are removed after installing UCS@school). Clients need to be configured with the correct DNS settings of this particular school anyway.
See also: Bug #27043 Issue 3165
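The second drawback in the report (the answer outgrowing a 512-byte UDP datagram once every school slave is an NS of the zone) can be reproduced without a live domain. The following is an added example, not code from the bug or from Univention: it encodes an authoritative A response in RFC 1035 wire format with label compression, appends one NS record to AUTHORITY and one A glue record to ADDITIONAL per nameserver, and reports at what point the message would no longer fit in a plain UDP reply. The zone name, client name, nameserver hostnames, TTLs and addresses are constructed sample data; real sizes depend on the real name lengths, so the exact count differs per domain, but the growth per nameserver is what the bug report describes.

```python
"""Added example (not from the Univention bug or its code): estimate when a
UDP DNS response overflows 512 bytes as nameservers are appended to a zone.

Assumptions: names, TTLs and addresses below are constructed sample data; the
response shape (1 answer, one NS per nameserver in AUTHORITY, one glue A per
nameserver in ADDITIONAL) follows what the bug report describes seeing in dig.
"""
import struct

UDP_LIMIT = 512  # RFC 1035 UDP payload limit when no EDNS0 buffer size is advertised

# Constructed sample zone and school slave hostnames (not real hosts).
SAMPLE_ZONE = "school.example"
SAMPLE_QNAME = "client01.school.example"
SAMPLE_NAMESERVERS = ["dc-school%02d.school.example" % i for i in range(1, 26)]


def encode_name(name, offset, compress):
    """Encode `name` in wire format with RFC 1035 label compression.

    `offset` is where this name starts in the message; `compress` maps a name
    suffix to the offset at which it was first written, so repeats become a
    2-byte pointer (this is why the zone name costs 2 bytes in every NS record).
    """
    labels = name.rstrip(".").split(".")
    out = bytearray()
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in compress:
            out += struct.pack("!H", 0xC000 | compress[suffix])
            return bytes(out)
        compress[suffix] = offset + len(out)
        label = labels[i].encode("ascii")
        out += bytes([len(label)]) + label
    out += b"\x00"  # root label terminates an uncompressed name
    return bytes(out)


def build_response(qname, zone, nameservers):
    """Build the wire form of an authoritative A response for `qname`.

    Sections: question, one A answer, one NS per nameserver (AUTHORITY) and
    one A glue record per nameserver (ADDITIONAL). Returns the raw bytes.
    """
    compress = {}
    msg = bytearray()
    # Header: id, flags (QR=1, AA=1), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    msg += struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, len(nameservers), len(nameservers))
    msg += encode_name(qname, len(msg), compress) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    # Answer: one A record, TTL 3600, 4-byte RDATA
    msg += encode_name(qname, len(msg), compress)
    msg += struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([10, 0, 0, 1])
    # Authority: NS record per nameserver; RDATA is the (compressed) NS name
    for ns in nameservers:
        msg += encode_name(zone, len(msg), compress) + struct.pack("!HHI", 2, 1, 3600)
        rdlength_pos = len(msg)
        msg += b"\x00\x00"  # placeholder for RDLENGTH, patched below
        rdata = encode_name(ns, len(msg), compress)
        msg += rdata
        struct.pack_into("!H", msg, rdlength_pos, len(rdata))
    # Additional: A glue record per nameserver
    for i, ns in enumerate(nameservers):
        msg += encode_name(ns, len(msg), compress)
        msg += struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([10, 0, 1, i + 1])
    return bytes(msg)


def fits_in_udp(msg):
    """True if a resolver without EDNS0 would receive this message untruncated."""
    return len(msg) <= UDP_LIMIT


def max_nameservers(qname, zone, nameservers):
    """How many of `nameservers` can be listed before the reply no longer fits in UDP."""
    for n in range(len(nameservers) + 1):
        if not fits_in_udp(build_response(qname, zone, nameservers[:n])):
            return n - 1
    return len(nameservers)


if __name__ == "__main__":
    for n in (1, 5, 10, 11, 25):
        size = len(build_response(SAMPLE_QNAME, SAMPLE_ZONE, SAMPLE_NAMESERVERS[:n]))
        note = "" if size <= UDP_LIMIT else "(TC bit set, truncated over UDP)"
        print("%2d nameservers -> %3d bytes %s" % (n, size, note))
    print("max without truncation:", max_nameservers(SAMPLE_QNAME, SAMPLE_ZONE, SAMPLE_NAMESERVERS))
```

With these sample names each extra nameserver costs 42 bytes (a 26-byte NS record plus a 16-byte glue A record, both owner names compressed to pointers), so the reply crosses 512 bytes at the eleventh nameserver; longer real hostnames cross it sooner. A server that hits the limit sets the TC bit, and a client that does not retry over TCP or advertise a larger EDNS0 buffer (the "dig +bufsize=1024" workaround from the report) sees an incomplete answer.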
This obviously happens in 05univention-bind.inst:

> # Append local server as DNS server to the zones
> zone="$(udm dns/forward_zone list "$@" --filter "(&(zone=$domainname)(!(nameserver=${hostname}.${domainname}.)))" | sed -ne 's|DN: ||p')"
> if [ -n "$zone" ]; then
>     udm dns/forward_zone modify "$@" --dn "$zone" --append nameserver="${hostname}.${domainname}."
> fi
66024: univention-bind: prevent adding DC slave in UCS@school environment as DNS server, built in scope ucs-school-4.0r2
66026: ucs-school-metapackage: remove schoolslaves as nameservers from the forward lookup zone
66043: univention-bind.yaml: add build version 9.0.5-4.212.201512020859
(In reply to Daniel Tröder from comment #3)
> 66024: univention-bind: prevent adding dc slave and in ucs@school
> environment as DNS server, built in scope ucs-school-4.0r2
> 66026: ucs-school-metapackage: remove schoolslaves as nameservers from the
> forward lookup zone
> 66043: univention-bind.yaml: add build version 9.0.5-4.212.201512020859

1) We should also skip the registration at reverse zones.

2) univention-bind should not check for a UCS@school package name. This produces update problems if e.g. package names are changed in UCS@school. We should introduce a new UCR variable to disable the registration as additional authoritative nameserver. The UCS@school meta-package may set the UCR variables:

  ucr set dns/nameserver/registration/forward_zone=no \
          dns/nameserver/registration/reverse_zone=no

and in 05univention-bind.inst the joinscript skips the registration at the corresponding forward/reverse zone.

3) The join scripts of the meta packages (62ucs-school-slave.inst and 62ucs-school-nonedu-slave.inst) should skip the removal of the corresponding DNS zone entry if dns/nameserver/registration/(forward|reverse)_zone is empty or set to one of the "true" values. So it is possible to override the default behaviour by force-setting one/two UCR variables.

4) The join script version of 62ucs-school-slave.inst and 62ucs-school-nonedu-slave.inst has to be bumped, so the removal of the DNS zone entry is also performed on updates.

5) From the xml changelog: "Domain controller slaves do not configure themselves as DNS servers anymore" → this is not true. The DC slaves are not registered as authoritative DNS servers for the specific DNS forward/reverse zone. They are still valid DNS resolvers for clients.

→ REOPEN
The UCRVs dns/nameserver/registration/forward_zone and dns/nameserver/registration/reverse_zone now allow disabling the automatic registration as additional nameservers.

66341: univention-bind: add UCRVs
66342: ucs-school-metapackage: use UCRVs, also remove reverse zone, bump join script version
66345: univention-bind: update package version in advisory
66346: ucs-school-metapackage: set UCRVs
Commit 66361 moves the setting of the UCRVs from the join scripts to the postinsts.
A customer has already removed all school slaves from the list of authoritative nameservers. The list only contains two non-UCS@school DC slaves at the central network. So far, no problems with Windows clients are known in that environment (Join, Logon, GPOs).

1) Slave is no longer added to forward/reverse zone by univention-bind if UCR variables are set to no.
2) Removal of nameserver entry in forward zone was successful.
3) Removal of nameserver entry in reverse zone failed → fixed via r66418
4) xml changelog entry is ok

@Daniel: please have a quick review of my last commit.
(In reply to Sönke Schwardt-Krummrich from comment #5)
> 3) Removal of nameserver entry in reverse zone failed → fixed via r66417
> @Daniel: please have a quick review of my last commit.

Code looks fine and runs (thanks for the reverse-zone fix, good idea to copy the is_ucr_false code to 4.0).
(In reply to Sönke Schwardt-Krummrich from comment #5)
> 3) Removal of nameserver entry in reverse zone failed → fixed via r66417

Ok, also tested the package on my test machine.
→ VERIFIED
UCS@school 4.0 R2 v4 has been released: http://docs.univention.de/release-notes-ucsschool-4.0R2v4-de.html If this error occurs again, please use "Clone This Bug".
<http://errata.software-univention.de/ucs/4.0/378.html>