Univention Bugzilla – Bug 55243
UCS DNS with DLZ does not support DNS notify
Last modified: 2022-10-12 09:04:16 CEST
Hello Dev-Team, our customer faces a problem with his UCS DNS server. He mentioned a breaking change in his DNS notify behavior: the UCS Primary Server (DNS master) was used to notify a slave (a non-UCS server) in their infrastructure. He updated UCS, and as far as I know there was a change between UCS 5.0-1 and UCS 5.0-2 with the DLZ plugin. The DLZ is now the storage when you use Samba4 for DNS.

I rebuilt the customer scenario on test machines and tested step by step what breaks it. Without Samba4, AXFR and notify work; when Samba4 is installed, notify stops working, but AXFR still works. The notify part is the important one for the customer.

For the analysis the debug level was raised to "11" for dns/debug/level and dns/dlz/debug/level, and after Samba4 was installed with the DLZ module in use, no NOTIFY information at all was written to the log (the log on the server was modified to write to journald). I started to wonder and then searched the web to understand how DLZ works and found this site: https://kb.isc.org/docs/aa-00995 => "However, it can be used in a hidden master configuration, with slaves retrieving zone updates via AXFR. (Note, however, that DLZ has no built-in support for DNS notify; slaves are not automatically informed of changes to the zones in the database.)"

TL;DR: The DLZ BIND module since 5.0-2 no longer supports DNS notify (only AXFR zone updates), which is a breaking change for a customer we have a ticket from.
Nothing related to NOTIFY is logged in the log files, even with the highest debug level.
We had a similar question at ticket 2022070521000317, where we found that the update to samba 4.16 in UCS 5.0-2 contained a change: https://wiki.samba.org/index.php/Samba_4.15_Features_added/changed#Bind_DLZ:_Added_the_ability_to_set_allow.2Fdeny_lists_for_zone_transfer_clients "Up to now, any client could use a DNS zone transfer request to the bind server, and get an answer from Samba. Now the default behaviour will be to deny those request. Two new options have been added to manage the list of authorized/denied clients for zone transfer requests. In order to be accepted, the request must be issued by a client that is in the allow list and NOT in the deny list."
Please check whether this is a duplicate of bug 55047; there is also a possible workaround in that bug.
To clear up misunderstandings: this is not about disallowed AXFR requests but about zone-transfer notifies that are not sent. BIND is able to notify all servers in a DNS zone, and additional servers, about changed zone information: https://bind9.readthedocs.io/en/v9_16_6/advanced.html#notify As far as I can see, there is no specific configuration option in Samba for allowing or denying notifies. But after an update to UCS 5 (and in this context also an update of bind9, samba and bind_dlz) no notify seems to be sent anymore.
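The thread above hinges on one observable fact: whether the primary emits a DNS NOTIFY at all once the DLZ backend is in use, independently of what the BIND/DLZ debug log records. The following listener is an added example written for this bug page; it is not code from UCS, Samba or BIND. It builds and parses NOTIFY messages (RFC 1996: OPCODE 4, AA set, one SOA question naming the zone) and, when run on the secondary, waits for a NOTIFY for the zone and acknowledges it, so a missing NOTIFY shows up as a listener that never returns. The zone name example.com., the message id 0x1234 and the UDP port 5353 are assumptions; on a real secondary you would bind port 53 (or point the primary's `also-notify` at the alternate port).

```python
"""Minimal DNS NOTIFY (RFC 1996) builder, parser and UDP listener.

Added example for this bug report, not code from UCS, Samba or BIND.
Assumed values: zone example.com., message id 0x1234, UDP port 5353.
"""
import socket
import struct
import sys

OPCODE_NOTIFY = 4   # RFC 1996 NOTIFY opcode
QTYPE_SOA = 6
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted name into DNS wire format (no compression)."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def decode_name(data, offset):
    """Decode an uncompressed wire-format name; return (name, next offset)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers do not occur in the question of a NOTIFY.
            raise ValueError("unexpected compression pointer")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_notify(zone, msg_id=0x1234):
    """Build the NOTIFY a primary sends: QR=0, OPCODE=4, AA=1, one SOA question."""
    flags = (OPCODE_NOTIFY << 11) | (1 << 10)          # 0x2400
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def parse_message(data):
    """Parse the header and first question of a DNS message into a dict."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    msg_id, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", data[:12])
    info = {
        "id": msg_id,
        "qr": bool(flags >> 15),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool((flags >> 10) & 1),
        "rcode": flags & 0xF,
        "zone": None,
        "qtype": None,
        "question_end": 12,
    }
    if qdcount:
        name, off = decode_name(data, 12)
        info["zone"] = name
        info["qtype"] = struct.unpack("!H", data[off:off + 2])[0]
        info["question_end"] = off + 4
    return info


def is_notify_for(data, zone):
    """True if data is a NOTIFY request (not a response) for the given zone."""
    try:
        m = parse_message(data)
    except (ValueError, IndexError, struct.error):
        return False
    want = zone.rstrip(".").lower() + "."
    return (not m["qr"] and m["opcode"] == OPCODE_NOTIFY
            and m["zone"] is not None and m["zone"].lower() == want)


def build_notify_response(request):
    """Acknowledge a NOTIFY: same id and question, QR=1, AA=1, RCODE=0."""
    m = parse_message(request)
    flags = (1 << 15) | (m["opcode"] << 11) | (1 << 10)
    return struct.pack("!HHHHHH", m["id"], flags, 1, 0, 0, 0) + request[12:m["question_end"]]


def listen(zone, port=5353, count=1, bind_addr="0.0.0.0"):
    """Wait for `count` NOTIFYs for `zone`, acknowledge each; return [(peer, parsed)]."""
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while len(seen) < count:
            data, peer = sock.recvfrom(4096)
            if is_notify_for(data, zone):
                sock.sendto(build_notify_response(data), peer)
                seen.append((peer, parse_message(data)))
            else:
                print("ignored non-NOTIFY message from", peer, file=sys.stderr)
    return seen


if __name__ == "__main__":
    zone = sys.argv[1] if len(sys.argv) > 1 else "example.com."
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5353
    for peer, msg in listen(zone, port=port):
        print("NOTIFY for %s from %s:%d (id=0x%04x)" % (msg["zone"], peer[0], peer[1], msg["id"]))
```

Run it on the secondary, then bump the zone serial on the primary (or trigger `rndc notify <zone>` there): if the listener prints a line, the primary does send NOTIFY and the problem is on the receiving side; if it sits silent while `dig @primary <zone> AXFR` still succeeds, that matches the behaviour reported above, a DLZ-backed primary that serves transfers but never notifies.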