Bug 57002 - dns/backend=ldap NS record delegation not working when dns/forwarder{1,2,3} is set
Status: NEW
Product: UCS
Classification: Unclassified
Component: DNS
Version: UCS 5.0
Hardware/OS: Other Linux
Importance: P5 normal
Assigned To: UCS maintainers
Blocks: 50361
Reported: 2024-01-26 19:16 CET by Philipp Hahn
Modified: 2024-01-29 09:36 CET
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won't like this once they notice it
User Pain: 0.091

Description Philipp Hahn univentionstaff 2024-01-26 19:16:30 CET
Sub-zone delegation with NS records with UCRV dns/backend=ldap does not work.

Setup:
1. Two servers not in the same domain; server 2 delegates "sub" to server 1
2. Server 1 (10.200.17.21) - hosting delegated sub-zone "sub.phahn50.qa"
```sh
DNS='phahn50.qa' IP=10.200.17.21 NAME='dc21' # IP and name of delegated server
eval "$(ucr shell)"
udm dns/forward_zone create \
  --position "cn=dns,$ldap_base" \
  --set zone="sub.$DNS" \
  --set nameserver="$NAME.sub.$DNS." \
  --set contact=hahn@univention.de
udm dns/host_record create \
  --superordinate "zoneName=sub.$DNS,cn=dns,$ldap_base" \
  --set name="$NAME" \
  --set a="$IP"
```
3. Server 2 - delegating sub-zone "sub.phahn50.qa"
```sh
DNS='phahn50.qa' IP=10.200.17.21 NAME='dc21' # IP and name of delegated server
eval "$(ucr shell)"
udm dns/host_record create \
  --superordinate "zoneName=$DNS,cn=dns,$ldap_base" \
  --set name="$NAME.sub" \
  --set a="$IP"
udm dns/ns_record create \
  --superordinate "zoneName=$DNS,cn=dns,$ldap_base" \
  --set zone=sub \
  --set nameserver="$NAME.sub.$DNS."
```

- On the delegated server 2 everything works:
  - ask LDAP BIND:
```console
# dig -p 7777 @127.0.0.1 sub.$DNS. soa
;sub.phahn50.qa.                        IN      SOA
sub.phahn50.qa.         10800   IN      SOA     dc21.sub.phahn50.qa. hahn.univention.de. 4 28800 7200 604800 10800
sub.phahn50.qa.         10800   IN      NS      dc21.sub.phahn50.qa.
dc21.sub.phahn50.qa.    10800   IN      A       10.200.17.21
# dig -p 7777 @127.0.0.1 sub.$DNS. ns
;sub.phahn50.qa.                        IN      NS
sub.phahn50.qa.         10800   IN      NS      dc21.sub.phahn50.qa.
dc21.sub.phahn50.qa.    10800   IN      A       10.200.17.21
# dig -p 7777 @127.0.0.1 $NAME.sub.$DNS. a
;dc21.sub.phahn50.qa.           IN      A
dc21.sub.phahn50.qa.    10800   IN      A       10.200.17.21
sub.phahn50.qa.         10800   IN      NS      dc21.sub.phahn50.qa.
# dig -p 7777 @127.0.0.1 sub.$DNS. axfr
sub.phahn50.qa.         10800   IN      SOA     dc21.sub.phahn50.qa. hahn.univention.de. 4 28800 7200 604800 10800
sub.phahn50.qa.         10800   IN      NS      dc21.sub.phahn50.qa.
dc21.sub.phahn50.qa.    10800   IN      A       10.200.17.21
sub.phahn50.qa.         10800   IN      SOA     dc21.sub.phahn50.qa. hahn.univention.de. 4 28800 7200 604800 10800
```
  - ask proxy BIND:
```console
# dig @127.0.0.1 sub.$DNS. soa
;sub.phahn50.qa.                        IN      SOA
sub.phahn50.qa.         10800   IN      SOA     dc21.sub.phahn50.qa. hahn.univention.de. 4 28800 7200 604800 10800
sub.phahn50.qa.         10800   IN      NS      dc21.sub.phahn50.qa.
dc21.sub.phahn50.qa.    10800   IN      A       10.200.17.21
# dig @127.0.0.1 sub.$DNS. ns
;sub.phahn50.qa.                        IN      NS
sub.phahn50.qa.         10800   IN      NS      dc21.sub.phahn50.qa.
dc21.sub.phahn50.qa.    10800   IN      A       10.200.17.21
# dig @127.0.0.1 $NAME.sub.$DNS. a
;dc21.sub.phahn50.qa.           IN      A
dc21.sub.phahn50.qa.    10800   IN      A       10.200.17.21
sub.phahn50.qa.         10800   IN      NS      dc21.sub.phahn50.qa.
# dig @127.0.0.1 sub.$DNS. axfr
sub.phahn50.qa.         10800   IN      SOA     dc21.sub.phahn50.qa. hahn.univention.de. 4 28800 7200 604800 10800
sub.phahn50.qa.         10800   IN      NS      dc21.sub.phahn50.qa.
dc21.sub.phahn50.qa.    10800   IN      A       10.200.17.21
sub.phahn50.qa.         10800   IN      SOA     dc21.sub.phahn50.qa. hahn.univention.de. 4 28800 7200 604800 10800
```
- On the delegating server 1 remote querying works:
  - ask remote LDAP BIND:
```console
# dig -p 7777 @$IP sub.$DNS. soa
;sub.phahn50.qa.                        IN      SOA
sub.phahn50.qa.         10800   IN      SOA     dc21.sub.phahn50.qa. hahn.univention.de. 4 28800 7200 604800 10800
sub.phahn50.qa.         10800   IN      NS      dc21.sub.phahn50.qa.
dc21.sub.phahn50.qa.    10800   IN      A       10.200.17.21
# dig -p 7777 @$IP sub.$DNS. ns
;sub.phahn50.qa.                        IN      NS
sub.phahn50.qa.         10800   IN      NS      dc21.sub.phahn50.qa.
dc21.sub.phahn50.qa.    10800   IN      A       10.200.17.21
# dig -p 7777 @$IP $NAME.sub.$DNS. a
;dc21.sub.phahn50.qa.           IN      A
dc21.sub.phahn50.qa.    10800   IN      A       10.200.17.21
sub.phahn50.qa.         10800   IN      NS      dc21.sub.phahn50.qa.
# dig -p 7777 @$IP sub.$DNS. axfr
sub.phahn50.qa.         10800   IN      SOA     dc21.sub.phahn50.qa. hahn.univention.de. 4 28800 7200 604800 10800
sub.phahn50.qa.         10800   IN      NS      dc21.sub.phahn50.qa.
dc21.sub.phahn50.qa.    10800   IN      A       10.200.17.21
sub.phahn50.qa.         10800   IN      SOA     dc21.sub.phahn50.qa. hahn.univention.de. 4 28800 7200 604800 10800
```
  - ask remote proxy BIND:
```console
# dig @$IP sub.$DNS. soa
;sub.phahn50.qa.                        IN      SOA
sub.phahn50.qa.         10800   IN      SOA     dc21.sub.phahn50.qa. hahn.univention.de. 4 28800 7200 604800 10800
sub.phahn50.qa.         10800   IN      NS      dc21.sub.phahn50.qa.
dc21.sub.phahn50.qa.    10800   IN      A       10.200.17.21
# dig @$IP sub.$DNS. ns
;sub.phahn50.qa.                        IN      NS
sub.phahn50.qa.         10800   IN      NS      dc21.sub.phahn50.qa.
dc21.sub.phahn50.qa.    10800   IN      A       10.200.17.21
# dig @$IP $NAME.sub.$DNS. a
;dc21.sub.phahn50.qa.           IN      A
dc21.sub.phahn50.qa.    10800   IN      A       10.200.17.21
sub.phahn50.qa.         10800   IN      NS      dc21.sub.phahn50.qa.
# dig @$IP sub.$DNS. axfr
sub.phahn50.qa.         10800   IN      SOA     dc21.sub.phahn50.qa. hahn.univention.de. 4 28800 7200 604800 10800
sub.phahn50.qa.         10800   IN      NS      dc21.sub.phahn50.qa.
dc21.sub.phahn50.qa.    10800   IN      A       10.200.17.21
sub.phahn50.qa.         10800   IN      SOA     dc21.sub.phahn50.qa. hahn.univention.de. 4 28800 7200 604800 10800
```
  - ask local LDAP BIND: query works, AXFR *fails*
```console
# dig -p 7777 @127.0.0.1 sub.$DNS. soa
;sub.phahn50.qa.                        IN      SOA
sub.phahn50.qa.         10800   IN      SOA     dc21.sub.phahn50.qa. hahn.univention.de. 4 28800 7200 604800 10800
sub.phahn50.qa.         10800   IN      NS      dc21.sub.phahn50.qa.
dc21.sub.phahn50.qa.    10800   IN      A       10.200.17.21
# dig -p 7777 @127.0.0.1 sub.$DNS. ns
;sub.phahn50.qa.                        IN      NS
sub.phahn50.qa.         10800   IN      NS      dc21.sub.phahn50.qa.
dc21.sub.phahn50.qa.    10800   IN      A       10.200.17.21
# dig -p 7777 @127.0.0.1 $NAME.sub.$DNS. a
;dc21.sub.phahn50.qa.           IN      A
dc21.sub.phahn50.qa.    10800   IN      A       10.200.17.21
sub.phahn50.qa.         10800   IN      NS      dc21.sub.phahn50.qa.
# dig -p 7777 @127.0.0.1 sub.$DNS. axfr
; Transfer failed.
```
  - ask local proxy BIND *FAILS*:
```console
# dig -p 7777 @127.0.0.1 sub.$DNS. axfr
; Transfer failed.
# dig @127.0.0.1 sub.$DNS. soa
;sub.phahn50.qa.                        IN      SOA
# dig @127.0.0.1 sub.$DNS. ns
;sub.phahn50.qa.                        IN      NS
# dig @127.0.0.1 $NAME.sub.$DNS. a
;dc21.sub.phahn50.qa.           IN      A
# dig @127.0.0.1 sub.$DNS. axfr
; Transfer failed.
```

This is expected, as the AXFR for LDAP-BIND already fails, so the proxy-BIND is never able to cache that zone.
The NS and glue-A-records are there, but they are not working as expected:
```console
# dig -p 7777 @127.0.0.1 $DNS. axfr | grep -F sub.$DNS
dc21.sub.phahn50.qa.    10800   IN      A       10.200.17.21
sub.phahn50.qa.         79200   IN      NS      dc21.sub.phahn50.qa.
```
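Added example (not part of the bug report or of UCS): a small check that reads a parent-zone dump in the `dig ... axfr` presentation format shown above, finds every delegation (an NS record owned by a name below the zone apex) and verifies that each in-bailiwick nameserver has a glue A/AAAA record. Run against the two records above it confirms what the report states, that NS and glue data are present in the parent zone, which narrows the fault to resolver behaviour rather than zone content. The SOA and apex NS lines in the sample are constructed to complete the dump; `dc22` and its address are assumptions.

```python
"""Check NS delegations in a dig-style zone dump for matching glue records."""
from collections import defaultdict

# Constructed sample in `dig axfr` output format: the two sub.phahn50.qa
# records from the report plus an assumed SOA/NS/A set for the parent apex.
SAMPLE_AXFR = """\
phahn50.qa.             10800   IN      SOA     dc22.phahn50.qa. hahn.univention.de. 7 28800 7200 604800 10800
phahn50.qa.             10800   IN      NS      dc22.phahn50.qa.
dc22.phahn50.qa.        10800   IN      A       10.200.17.22
dc21.sub.phahn50.qa.    10800   IN      A       10.200.17.21
sub.phahn50.qa.         79200   IN      NS      dc21.sub.phahn50.qa.
"""


def parse_records(text):
    """Parse presentation-format lines into (owner, ttl, type, rdata) tuples.

    Comment lines (';') and blank lines are skipped; owner names are
    lower-cased so comparisons are case-insensitive, as DNS names are.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)  # owner ttl class type rdata
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue
        owner, ttl, _cls, rtype, rdata = parts
        records.append((owner.lower(), int(ttl), rtype.upper(), rdata.strip()))
    return records


def is_below(name, zone):
    """True when `name` is a proper subdomain of `zone` (both absolute)."""
    return name != zone and name.endswith("." + zone)


def check_delegations(text, zone):
    """Return {delegated_name: [entry, ...]} for every NS record below the apex.

    Each entry records the nameserver, whether glue is required (the
    nameserver name lies inside the delegated sub-zone), the glue addresses
    found in the dump, and an 'ok' flag that is False only when required
    glue is missing.
    """
    zone = zone.lower()
    if not zone.endswith("."):
        zone += "."
    records = parse_records(text)

    addresses = defaultdict(set)
    for owner, _ttl, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addresses[owner].add(rdata)

    report = {}
    for owner, _ttl, rtype, rdata in records:
        if rtype != "NS" or not is_below(owner, zone):
            continue
        ns = rdata.lower()
        # Glue is only required for nameservers named inside the delegated
        # sub-zone; out-of-bailiwick names are resolved by the resolver itself.
        needs_glue = ns == owner or ns.endswith("." + owner)
        glue = sorted(addresses.get(ns, ()))
        report.setdefault(owner, []).append({
            "nameserver": ns,
            "needs_glue": needs_glue,
            "glue": glue,
            "ok": (not needs_glue) or bool(glue),
        })
    return report


if __name__ == "__main__":
    for name, entries in check_delegations(SAMPLE_AXFR, "phahn50.qa").items():
        for e in entries:
            status = "ok" if e["ok"] else "MISSING GLUE"
            print(f"{name} NS {e['nameserver']} glue={e['glue']} {status}")
```

The check reads the same output `dig -p 7777 @127.0.0.1 $DNS. axfr` produces, so it can be piped in from the LDAP-backed BIND on the delegating server to confirm the parent zone itself is complete before looking at forwarder configuration.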
Comment 1 Philipp Hahn univentionstaff 2024-01-29 09:36:04 CET
It works when *forwarding* is disabled (`ucr unset dns/forwarder{1,2,3}`), in which case BIND9 does recursive resolving starting from the root zone itself.