Bug 48529 - bind proxy (with ldap backend) does not resolve d3047ed1-9494-4c5d-8771-9efe2dbd64ed._msdcs like aliases
Summary: bind proxy (with ldap backend) does not resolve d3047ed1-9494-4c5d-8771-9efe2...
Status: RESOLVED WONTFIX
Alias: None
Product: UCS
Classification: Unclassified
Component: DNS
Version: UCS 4.4
Hardware: Other Linux
: P5 normal
Target Milestone: ---
Assignee: UCS maintainers
QA Contact: UCS maintainers
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-01-24 17:19 CET by Felix Botner
Modified: 2024-06-27 12:10 CEST (History)
1 user (show)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Customer ID:
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Felix Botner univentionstaff 2019-01-24 17:19:57 CET 
Master with samba dns/backend=samba and a backup with dns/backend=ldap

-> udm dns/alias  list --superordinate "zoneName=four.three,cn=dns,dc=four,dc=three"

DN: relativeDomainName=e09cffc3-0996-4253-ad19-886df62e05b3._msdcs,zoneName=four.three,cn=dns,dc=four,dc=three
  cname: master.four.three.
  name: e09cffc3-0996-4253-ad19-886df62e05b3._msdcs
  zonettl: 80600 seconds

DN: relativeDomainName=d3047ed1-9494-4c5d-8771-9efe2dbd64ed._msdcs,zoneName=four.three,cn=dns,dc=four,dc=three
  cname: backup.four.three.
  name: d3047ed1-9494-4c5d-8771-9efe2dbd64ed._msdcs
  zonettl: 3 hours


@master-> dig @10.200.7.160 e09cffc3-0996-4253-ad19-886df62e05b3._msdcs.four.three -p 53

; <<>> DiG 9.10.3-P4-Univention <<>> @10.200.7.160 e09cffc3-0996-4253-ad19-886df62e05b3._msdcs.four.three -p 53
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10132
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;e09cffc3-0996-4253-ad19-886df62e05b3._msdcs.four.three.	IN A

;; ANSWER SECTION:
e09cffc3-0996-4253-ad19-886df62e05b3._msdcs.four.three.	900 IN CNAME master.four.three.
master.four.three.	900	IN	A	10.200.7.160


@backup-> dig @10.200.7.161 e09cffc3-0996-4253-ad19-886df62e05b3._msdcs.four.three -p 53

; <<>> DiG 9.10.3-P4-Univention <<>> @10.200.7.161 e09cffc3-0996-4253-ad19-886df62e05b3._msdcs.four.three -p 53
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 52008
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;e09cffc3-0996-4253-ad19-886df62e05b3._msdcs.four.three.	IN A

;; Query time: 4 msec
;; SERVER: 10.200.7.161#53(10.200.7.161)
;; WHEN: Thu Jan 24 16:31:02 CET 2019
;; MSG SIZE  rcvd: 83


strange thing is, this does not work

-> dig @127.0.0.1 a-b-c._msdcs.four.three -p 53
; <<>> DiG 9.10.3-P4-Univention <<>> @127.0.0.1 a-b-c._msdcs.four.three -p 53
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6810
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;a-b-c._msdcs.four.three.	IN	A

;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 24 16:34:08 CET 2019
;; MSG SIZE  rcvd: 52

but this works

-> dig @127.0.0.1 a-b-c._def.four.three -p 53

; <<>> DiG 9.10.3-P4-Univention <<>> @127.0.0.1 a-b-c._def.four.three -p 53
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58437
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;a-b-c._def.four.three.		IN	A

;; ANSWER SECTION:
a-b-c._def.four.three.	10800	IN	CNAME	master.four.three.
master.four.three.	80600	IN	A	10.200.7.160

;; AUTHORITY SECTION:
four.three.		10800	IN	NS	backup.four.three.
four.three.		10800	IN	NS	master.four.three.

;; ADDITIONAL SECTION:
backup.four.three.	172800	IN	A	10.200.7.161

;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 24 16:34:17 CET 2019
;; MSG SIZE  rcvd: 138

So, is there a special handling for "msdcs" in bind9?

(this work in UCS 4.2 [9.9.5.dfsg], but fails starting with 4.3-0 [9.10.3.dfsg.P4])


This is a bit annoying. During the samba setup in a backup the following happens

 * 96univention-samba4.inst samba provisioning
 * dns/backend still ldap
 * 98univention-samba4-dns.inst dns/backend is set to samba

so during the end of 96univention-samba4.inst and 98univention-samba4-dns.inst the special aliases like e09cffc3-0996-4253-ad19-886df62e05b3._msdcs are not resolvable therefore DRS replication is broken.
Comment 1 Arvid Requate univentionstaff 2019-10-15 08:13:40 CEST 
Yes, _msdcs is handled specially in Samba/AD and OpenLDAP:

In Samba/AD _msdcs.${domainname} is a separate Zone, stored in ForestDNSZones in the backend.
There is a DNS glue record DC=_msdcs in the DC=${domainname} zone (under DomainDNSZones) too.
Research for Bug 50361 showed that the S4-Connector synchronizes the glue record to OpenLDAP.

Under OpenLDAP we don't have the zones separated, all records are in the ${domainname} zone.
The _msdcs glue record (it's a dns/ns_record in UDM) blocks bind9 from resolving
other *._msdcs records when dns/backend=ldap.

So I guess Bug 50361 and this one are caused by the same issue.
Comment 2 Jan-Luca Kiok univentionstaff 2024-06-27 12:10:27 CEST 
This issue has been filed against UCS 4.4.

UCS 4.4 is out of general maintenance and components may have vastly changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer versions, please use "Clone this bug" or reopen this issue. In this case please provide detailed information on how this issue is affecting you.