Bug 40139 - U@S4.1: Don't add schoolslaves as nameservers for the Forward Lookup Zone
Product: UCS@school
Classification: Unclassified
Component: General
UCS@school 4.1
Other Linux
Importance: P5 normal
Target Milestone: UCS@school 4.1 Errata
Assigned To: Daniel Tröder
Sönke Schwardt-Krummrich
Depends on: 39384
Reported: 2015-12-01 10:37 CET by Sönke Schwardt-Krummrich
Modified: 2016-01-13 13:10 CET (History)
Description Sönke Schwardt-Krummrich univentionstaff 2015-12-01 10:37:19 CET
Please also fix this for UCS@school 4.1

+++ This bug was initially created as a clone of Bug #39384 +++

* UCS@school Multi-Server-Environment
* DC Master with Samba AD
* School-Slave with Samba AD
* UCS 4.0-3 Errata 320
* UCS@school 4.0 R2 v1

A UCS Domain Controller also provides DNS services and is therefore automatically added to the default Forward Lookup Zone as a nameserver. This adds it to the DNS AUTHORITY SECTION and the DNS ADDITIONAL SECTION (as seen with dig). In a typical UCS domain, this is desired behaviour.
In UCS@school multi-server environments, this is counterproductive.

Observed behaviour:
All schoolslaves are also added to the Forward Lookup Zone as nameservers and therefore show up in the DNS AUTHORITY SECTION and the DNS ADDITIONAL SECTION. AFAIK this has two drawbacks: 
- Schoolslaves are shown as authoritative nameserver for other schools/networks. Imho this won't work. Usually they are not even reachable. 
- This easily blows the DNS UDP packet, because with around 20 to 25 schoolslaves/nameservers, the answer is bigger than 512 bytes. The UDP packet then gets truncated.
Workaround: Use TCP for DNS or extend the accepted packet size (e.g. "dig +bufsize=1024 <FQDN>").

Expected behaviour:
- schoolslaves are not added to the Forward Lookup Zone as nameservers (or removed after installing UCS@school). Clients need to be configured with the correct DNS settings of this particular school anyway.
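As an added illustration of the second drawback (this is not part of the bug report or of any Univention code), the following stdlib-only Python model estimates the wire size of a UDP answer whose authority and additional sections carry one NS record plus glue A record per nameserver of the zone, using the RFC 1035 fixed field sizes and name compression. The zone and host names are constructed placeholders.

```python
"""Estimate a DNS/UDP answer size when every school slave is an NS of the zone.

Constructed model (not a packet capture): RFC 1035 fixed field sizes, with
name compression wherever a suffix already appears earlier in the message.
"""

UDP_LIMIT = 512   # classic DNS/UDP payload limit without EDNS0 (RFC 1035)
HEADER = 12       # DNS message header
RR_FIXED = 10     # TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2)
POINTER = 2       # compression pointer to a name already present in the message


def wire_name_len(name: str) -> int:
    """Uncompressed length of an FQDN: one length byte per label plus the root byte."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return sum(1 + len(lbl) for lbl in labels) + 1


def compressed_len(name: str, zone: str) -> int:
    """Length of `name` when the zone suffix can be replaced by a 2-byte pointer."""
    bare, zone = name.rstrip("."), zone.rstrip(".")
    if bare == zone:
        return POINTER
    if bare.endswith("." + zone):
        host = bare[: -len(zone) - 1]
        return wire_name_len(host) - 1 + POINTER   # host labels, pointer instead of root
    return wire_name_len(name)


def response_size(qname: str, zone: str, nameservers: list) -> int:
    """Bytes of an A answer for qname plus NS (authority) and glue A (additional) RRs."""
    size = HEADER + wire_name_len(qname) + 4          # question: QNAME QTYPE QCLASS
    size += POINTER + RR_FIXED + 4                    # answer: one A record, owner = pointer
    for ns in nameservers:
        size += POINTER + RR_FIXED + compressed_len(ns, zone)  # NS RR, owner = zone pointer
        size += POINTER + RR_FIXED + 4                         # glue A RR for that nameserver
    return size


def is_truncated(qname: str, zone: str, nameservers: list, bufsize: int = UDP_LIMIT) -> bool:
    """True if the answer would not fit the client's UDP buffer (TC bit would be set)."""
    return response_size(qname, zone, nameservers) > bufsize


if __name__ == "__main__":
    zone = "school.example"                                   # constructed placeholder zone
    slaves = [f"schoolslave{i:02d}.{zone}." for i in range(1, 21)]
    for n in (2, 10, 20):
        ns = slaves[:n]
        print(n, "NS:", response_size("client01.school.example.", zone, ns), "bytes,",
              "truncated at 512:", is_truncated("client01.school.example.", zone, ns))
```

With 20 school slaves the modelled answer is well above 512 bytes but still fits the 1024-byte buffer from the dig workaround above; removing the slaves from the NS set removes the problem at its source.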
Comment 1 Daniel Tröder univentionstaff 2015-12-02 09:05:14 CET
66027: ucs-school-metapackage: remove schoolslaves as nameservers from the forward lookup zone, built in scope ucs-school-4.1
66029: univention-bind: prevent adding dc slave and in ucs@school environment as DNS server
66043: univention-bind.yaml: add build version 10.0.2-2.213.201512020900
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2015-12-14 13:29:45 CET
1) We should also skip the registration at reverse zones.

2) univention-bind should not check for a UCS@school package name. This produces update problems if e.g. package names are changed in UCS@school. We should introduce a new UCR variable to disable the registration as additional authoritative nameserver.
The UCS@school meta-package may set the UCR variables:

ucr set dns/nameserver/registration/forward_zone=no \

and in 05univention-bind.inst the joinscript skips the registration at the corresponding forward/reverse zone. 

3) The join scripts of the meta packages (62ucs-school-slave.inst and 62ucs-school-nonedu-slave.inst) should skip the removal of the corresponding dns zone entry if dns/nameserver/registration/(forward|reverse)_zone is empty or set to one of the "true" values.
So it is possible to override the default behaviour by forced-setting one/two UCR variables.

4) The join script version of 62ucs-school-slave.inst and 62ucs-school-nonedu-slave.inst has to be bumped, so the removal of the dns zone entry is also performed on updates.

5) From xml changelog: "Domain controller slaves do not configure themselfs as DNS servers anymore" → this is not true. The DC slaves are not registered as authoritative DNS servers for the specific DNS forward/reverse zone. They are still valid DNS resolvers for clients.

Comment 3 Daniel Tröder univentionstaff 2015-12-15 13:37:20 CET
UCRVs dns/nameserver/registration/forward_zone and dns/nameserver/registration/reverse_zone now allow to disable the automatic registration as additional nameservers.

66343: univention-bind: add UCRVs
66344: ucs-school-metapackage: use UCRVs, also remove reverse zone, bump join script version
66345: univention-bind: update package version in advisory
66346: ucs-school-metapackage: set UCRVs
Comment 4 Daniel Tröder univentionstaff 2015-12-15 15:43:45 CET
Commit 66362 moves the setting of the UCRVs from the join scripts to the postinsts.
Comment 5 Sönke Schwardt-Krummrich univentionstaff 2015-12-17 00:51:46 CET
A customer has already removed all school slaves from the list of authoritative nameservers. The list only contains two non-UCS@school DC slaves in the central network. So far, no problems with Windows clients are known in that environment (Join, Logon, GPOs).

1) Slave is no longer added to forward/reverse zone by univention-bind if UCR variables are set to no.
2) Removal of nameserver entry in forward zone was successful.
3) Removal of nameserver entry in reverse zone failed → fixed via r66417
4) xml changelog entry is ok

@Daniel: please have a quick review of my last commit.
Comment 6 Daniel Tröder univentionstaff 2015-12-17 08:46:19 CET
(In reply to Sönke Schwardt-Krummrich from comment #5)
> 3) Removal of nameserver entry in reverse zone failed → fixed via r66417
> @Daniel: please have a quick review of my last commit.
Code looks fine and runs (thanks for the reverse-zone fix).
Comment 7 Sönke Schwardt-Krummrich univentionstaff 2015-12-17 10:33:41 CET
> 3) Removal of nameserver entry in reverse zone failed → fixed via r66417
Ok, also tested the package on my test machine.
Comment 8 Sönke Schwardt-Krummrich univentionstaff 2015-12-21 16:24:53 CET
UCS@school 4.1 v2 has been released:

If this error occurs again, please use "Clone This Bug".
Comment 9 Janek Walkenhorst univentionstaff 2016-01-13 13:10:16 CET