Bug 54361 - Configuring a Policy for DHCP Dynamic DNS in school
Status: NEW
Product: UCS
Classification: Unclassified
Component: DNS
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Assigned To: UCS maintainers
Reported: 2022-01-20 14:00 CET by Christina Scheinig
Modified: 2022-01-21 17:03 CET
What kind of report is it?: Feature Request
School Customer affected?: Yes
Ticket number: 2022010421000464


Description Christina Scheinig univentionstaff 2022-01-20 14:00:55 CET
I think parts of this were already discussed here in Bug 301, but I already had some requests about this.
In our manual, we say:
DHCP Dynamic DNS allows the configuration of dynamic DNS updates. These cannot yet be performed with an LDAP-based DNS service as provided out-of-the-box by UCS.

A school customer wants to use the clients without a fixed IP address. (They want to use 802.1X with the users to authenticate against a RADIUS server, which returns different VLAN IDs depending on the user's group membership.)
Therefore they want to use the DDNS mechanism from the Windows clients.
The problem is that the clients register their DNS against Samba on the school slave in the "dc=client" object. This is not replicated to the central master (in this case with samba4 installed), so the name resolution of a dynamic client does not work on a master. This is a problem e.g. for the opsi server, which cannot identify the client anymore.
Long story short:

It does not make sense for each school server to be authoritative for the entire zone. It would have been conceptually better to define the master as authoritative for the second-level domain and to create a subdomain for each school below it, for which the respective school server is then authoritative. This way, a zone delegation could be mapped cleanly.

We tried this for a customer, but we do not have feedback on whether this worked or whether there are side effects.
https://help.univention.com/t/how-to-dynamischen-dns-aktualisierungen/17636
Comment 1 Philipp Hahn univentionstaff 2022-01-20 15:52:17 CET
Please clarify the scope of this bug:
- QA your help post?
- add some "cool solution" on how to do such a setup?
- add this scenario to some documentation to make it "maintained"?
- extend UCS(@school) to support "one sub-domain per school" out-of-the-box?
- …?

Someone has to spend time to look at this bug to decide on what to do here: if it is worth the effort, or simply close as WONT-FIX (in 5 years) due to inactivity. Clarifying those questions above will help her/him.
Comment 2 Christina Scheinig univentionstaff 2022-01-21 17:03:05 CET
It should show that there is a need here for DHCP Dynamic DNS. Even in school environments it is asked for. So this could be at least a suggestion that the DDNS entries from clients joined in the school slave are synchronized to the Master (when samba4 is installed there).