Univention Bugzilla – Bug 40497
UCS 4.1: DNS with LDAP backend doesn't start if zone has incorrect nameserver
Last modified: 2018-04-13 13:32:34 CEST
Also seen at Ticket#2016011321001056

The customer deleted the UDM object of a UCS DC that includes its DNS host entries ("A-record"). The "nameserver" reference a DC typically has in its primary DNS zone was not deleted by default. The "ldapentries" were not replicated to bind anymore until the nameserver reference is deleted.

Abstract of log:

25.01.16 12:48:41.279 LISTENER ( INFO ) : DNS: Zones: ['43.200.10.in-addr.arpa', 'ucs.example.de']
25.01.16 12:48:41.279 LISTENER ( INFO ) : DNS: Doing reload
25.01.16 12:48:41.279 LISTENER ( INFO ) : DNS: Reloading zone 43.200.10.in-addr.arpa
25.01.16 12:48:41.280 LISTENER ( INFO ) : DNS: Reloading zone ucs.example.de
zone refresh queued
zone refresh queued
rndc: 'reload' failed: bad zone
zone reload successful
25.01.16 12:48:42.282 LISTENER ( WARN ) : DNS: 25001="rndc -p 55555 reload ucs.example.de" exited with 1
25.01.16 12:48:42.282 LISTENER ( INFO ) : postrun handler: udm_extension (prepared=0)

+++ This bug was initially created as a clone of Bug #33707 +++

Reported by a customer, maybe related/duplicate to Bug #28363: If the "nameserver" entry of a zone contains a non-existing FQDN (in the reported case the customer deleted the UDM object of a UCS DC and its A-record), the zone transfer fails. Once BIND is stopped (maybe by logrotate) it doesn't start anymore until the wrong entry is removed. Systems with Samba4 backend are working fine.
BIND refuses to load/transfer a broken zone, e.g. a zone which has NS RRs which BIND can't resolve to an A/AAAA address. See <http://sdb.univention.de/content/20/254/en/bind-zone-transfer-failed.html> It does not work with backend=ldap, as there the frontend-DNS needs to fetch the DNS zone from the backend-DNS-proxy on TCP port 7777, which then is wrong. Because of that all updates stop working until the broken NS RR is removed.

*** This bug has been marked as a duplicate of bug 28363 ***
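The failure described above (an NS RR whose target has no A/AAAA record left in the zone, so rndc reload reports "bad zone") can be caught before it reaches BIND. The following checker is an added example, not part of the bug report or of UCS; it parses a constructed zone-file snippet modelled on the reported situation (the DC "dc2" was removed but is still listed as a nameserver) and reports in-zone NS targets that lack address records.

```python
from typing import List, Set

# Constructed sample zone (not from the bug report): nameserver dc2 has
# lost its A record, exactly the state that makes BIND refuse the zone.
SAMPLE_ZONE = """\
$ORIGIN ucs.example.de.
@      IN SOA master.ucs.example.de. root.ucs.example.de. (1 3600 1800 604800 600)
@      IN NS  master.ucs.example.de.
@      IN NS  dc2.ucs.example.de.
@      IN NS  ns.provider.example.
master IN A   10.200.43.10
www    IN A   10.200.43.20
"""

def _fqdn(name: str, origin: str) -> str:
    """Turn a relative owner or rdata name into an absolute one."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def dangling_ns(zone_text: str) -> List[str]:
    """Return in-zone NS targets that have no A/AAAA record in the zone.

    Out-of-zone nameservers are skipped: BIND resolves those elsewhere and
    does not require glue for them in this zone.
    """
    origin = ""
    ns_targets: List[str] = []
    addressed: Set[str] = set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        owner, rest = fields[0], fields[1:]
        # Skip the optional TTL and class tokens before the record type.
        while rest and (rest[0].isdigit() or rest[0].upper() in ("IN", "CH", "HS")):
            rest.pop(0)
        rtype, rdata = rest[0].upper(), rest[1:]
        if rtype in ("A", "AAAA"):
            addressed.add(_fqdn(owner, origin).lower())
        elif rtype == "NS":
            ns_targets.append(_fqdn(rdata[0], origin).lower())
    return [ns for ns in ns_targets
            if ns.endswith("." + origin.lower()) and ns not in addressed]

if __name__ == "__main__":
    print("NS targets without address records:", dangling_ns(SAMPLE_ZONE))
```

Running such a check in the listener before calling rndc reload would surface the stale "nameserver" entry instead of silently stopping all zone updates.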
The consequence of this could be that no password change or logging on to services is possible!