Univention Bugzilla – Bug 32626
Ability to add DNS NS records
Last modified: 2018-07-04 14:53:50 CEST
With the current implementation it is only possible to maintain NS records directly as a property of the DNS zone itself. It is not possible to add a DNS object of the type "DNS: NS record". This limits flexibility, for example when adding slave DNS zones.
Note: requested in http://forum.univention.de/viewtopic.php?t=2835
A detailed example of the request can be found in post http://forum.univention.de/viewtopic.php?t=2835#p9833
requested again: http://forum.univention.de/viewtopic.php?f=48&t=2835&p=10057#p14717
Workaround: add LDAP entry through "ldapadd" as there is no udm module for it:

eval "$(ucr shell)"
ldapadd -x -D "cn=admin,${ldap_base}" -y /etc/ldap.secret <<-__LDIF__
dn: relativeDomainName=${SUB_DOMAIN},zoneName=${domainname},cn=dns,${ldap_base}
objectClass: dNSZone
relativeDomainName: ${SUB_DOMAIN}
zoneName: ${domainname}
dNSTTL: 10800
NSRecord: ${OTHER_NS}.
__LDIF__
udm dns/host_record create --superordinate "zoneName=${domainname},cn=dns,${ldap_base}" --set name=${OTHER_NS%%.*} --set a="${OTHER_IP}"

The serial number of the zone might need an update, as it is not auto-incremented by adding the NS RR:

old="$(udm dns/forward_zone list --position "zoneName=${domainname},cn=dns,${ldap_base}"|sed -ne 's/^ *serial: //p;T;q')"
udm dns/forward_zone modify --dn "zoneName=${domainname},cn=dns,${ldap_base}" --set serial=$((1+$old))
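Added example, not part of the original comment and not Univention code: a guarded form of the serial bump from the workaround above, which refuses to continue when no numeric serial is found instead of letting an empty match turn into serial 1. The function names, the "zone_dn" variable and the sample listing are assumptions made for this illustration; the listing is constructed.

```shell
#!/bin/sh
# Added example: next SOA serial from `udm dns/forward_zone list` output.

# Constructed sample listing (not captured from a real system).
sample_zone_listing() {
    printf '%s\n' \
        'DN: zoneName=example.test,cn=dns,dc=example,dc=test' \
        '  zone: example.test' \
        '  serial: 41' \
        '  ttl: 10800'
}

# Reads a zone listing on stdin, prints old serial + 1 on stdout.
# Returns 1 without printing a value when no usable serial is found.
next_serial() {
    # Same match as the workaround ("  serial: N"), first hit only,
    # with trailing whitespace removed.
    old="$(sed -n -e 's/[[:space:]]*$//' -e 's/^ *serial: *//p' | head -n 1)"
    case "$old" in
        ''|*[!0-9]*)
            echo "next_serial: no numeric serial in input" >&2
            return 1 ;;
    esac
    # Strip leading zeros so the shell does not read the value as octal.
    old="${old#"${old%%[!0]*}"}"
    [ -n "$old" ] || old=0
    # SOA serials are unsigned 32-bit; do not increment past the maximum.
    if [ "${#old}" -gt 10 ] || [ "$old" -ge 4294967295 ]; then
        echo "next_serial: serial $old cannot be incremented" >&2
        return 1
    fi
    echo $((old + 1))
}

# Usage on a UCS system (zone_dn is a hypothetical variable holding the
# zone DN used in the workaround):
#   new="$(udm dns/forward_zone list --position "$zone_dn" | next_serial)" &&
#     udm dns/forward_zone modify --dn "$zone_dn" --set serial="$new"
```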
The S4-connector does not synchronize those NS records - using "samba-tool" works:

samba-tool dns add localhost phahn.qa sub ns master42.phahn.qa. -U Administrator --password=univention
*** Bug 39078 has been marked as a duplicate of this bug. ***
Created attachment 9502 UCS zone delegation 1
Created attachment 9503 UCS zone delegation 2
Created attachment 9504 UCS zone delegation 3, error in RSAT
Hi

This doesn't work for me.

UCS: 4.3-0-11 (samba4 Version 4.7.5-Debian)
DC-Master: dc1.ucs-test.local
DNS Backend: samba4 (so the "ldapadd" approach above doesn't work in general)
Domain: ucs-test.local
Subdomain: isilon.ucs-test.local
Should be delegated to nameserver: isilonsc.ucs-test.local (192.168.182.40)
-> An A record for isilonsc already exists in the main dns domain

What I tried:

-1-
/etc/init.d/univention-s4-connector stop
samba-tool dns zonelist localhost -U Administrator
samba-tool dns zonecreate localhost isilon.ucs-test.local -U Administrator
samba-tool dns add localhost isilon.ucs-test.local sub ns isilonsc.ucs-test.local. -U Administrator
systemctl restart bind9

-> "dig @localhost nfs.isilon.ucs-test.local" returned no result (nfs is a zone available on the delegated nameserver for the zone "isilon.ucs-test.local")
-> inside Windows (using RSAT and the DNS-snapin) I could see the new sub-zone with the delegated nameserver. However I had to stop the S4 connector, because if not, the nameserver will be overwritten approx. 10 seconds later by "dc1.ucs-test.local".

-2-
I tried using Windows RSAT to create a "DNS Delegation" using the wizard. This works, the zone is created but 10 seconds later
I've created a branch arequate/bug32626 and committed
* A new UDM module dns/ns_record
* Changes to univention-dnsedit to support adding and removing a dns/ns_record
* Changes to the S4-Connector to sync these records
* A 16x16 icon for UMC-module-udm

97c3be626b Bug #32626: Advisories
0e6a0960d3 Bug #32626: Merge branch 'arequate/bug32626' into 4.3-0
017d8b8c6f Bug #32626: Changelogs
91b817fbaf Bug #32626: Feedback from QA and ucs-test case
7431403d5d Bug #32626: Add support for DNS NS records

d3926041ab | S4-Connector: Update versioned dependency on python-UDM
2fe5917546 | S4-Connector: Advisory version
OK: errata-announce -V --only univention-s4-connector.yaml
OK: errata-announce -V --only univention-directory-manager-modules.yaml

FIXED: [4.3-0] 43f4e8fd9f Bug #32626 DNS: Fix YAML
 doc/errata/staging/univention-directory-manager-modules.yaml | 6 +++---
 doc/errata/staging/univention-s4-connector.yaml | 8 ++++----

OK: @10.200.17.30
udm dns/forward_zone create --position cn=dns,dc=phahn,dc=qa --set contact=root@phahn.qa. --set nameserver=master42.phahn.qa. --set zone=sub.phahn.qa --set a=10.200.17.30

@10.200.17.32:
/usr/share/univention-directory-manager-tools/univention-dnsedit phahn.qa add a master42 10.200.17.30
/usr/share/univention-directory-manager-tools/univention-dnsedit phahn.qa add ns sub master42.phahn.qa.
dig @localhost phahn.qa. axfr
dig sub.phahn.qa. any

FAIL: with dns/backend=samba4

# dig +nocmd +nocomments +nostats @localhost sub.phahn.qa. any
;sub.phahn.qa. IN ANY
sub.phahn.qa. 900 IN NS master42.phahn.qa.
phahn.qa. 900 IN NS ma43.phahn.qa.
master42.phahn.qa. 900 IN A 10.200.17.30
ma43.phahn.qa. 900 IN A 10.200.17.32

# dig +nocmd +nocomments +nostats @localhost txt.sub.phahn.qa. txt
;txt.sub.phahn.qa. IN TXT

# samba-tool dns query localhost phahn.qa sub all -U Administrator --password=univention
Name=, Records=1, Children=0
NS: master42.phahn.qa. (flags=f0, serial=1, ttl=900)

# samba-tool dns query localhost phahn.qa master42.phahn.qa. all -U Administrator --password=univention
Name=, Records=1, Children=0
A: 10.200.17.30 (flags=f0, serial=1, ttl=900)

FAIL: it does not work with dns/backend=ldap

# dig +nocmd +nocomments +nostats @localhost -p 7777 sub.phahn.qa. any
;sub.phahn.qa. IN ANY
sub.phahn.qa. 80600 IN NS master42.phahn.qa.
phahn.qa. 10800 IN NS ma43.phahn.qa.
master42.phahn.qa. 80600 IN A 10.200.17.30
ma43.phahn.qa. 80600 IN A 10.200.17.32

# dig +nocmd +nocomments +nostats @localhost -p 7777 txt.sub.phahn.qa. txt
;txt.sub.phahn.qa. IN TXT
txt.sub.phahn.qa. 80583 IN TXT "foo"
sub.phahn.qa. 10163 IN NS master42.phahn.qa.
master42.phahn.qa. 80600 IN A 10.200.17.30

but

# dig +nocmd +nocomments +nostats @localhost -p 53 sub.phahn.qa. any
;sub.phahn.qa. IN ANY

# dig +nocmd +nocomments +nostats @localhost -p 53 txt.sub.phahn.qa. txt
;txt.sub.phahn.qa. IN TXT

FAIL: Jenkins fails with and without S4C:
<http://jenkins.knut.univention.de:8080/job/UCS-4.3/job/UCS-4.3-0/job/AutotestJoin/lastCompletedBuild/SambaVersion=s4,Systemrolle=master/testReport/67_udm-dns/107_dns_ns_record_check_resolve/test/>
<http://jenkins.knut.univention.de:8080/job/UCS-4.3/job/UCS-4.3-0/job/AutotestJoin/lastCompletedBuild/SambaVersion=no-samba,Systemrolle=master/testReport/67_udm-dns/107_dns_ns_record_check_resolve/test/>
I partly reverted the patch to be able to release UCS-4.3-1 - I only reverted the calling sites, the called code is currently dead code.

[4.3-0] 2a88c071a5 Bug #32626: Revert change for UCS-4.3-1 release.
 .../staging/univention-directory-manager-modules.yaml | 3 +--
 doc/errata/staging/univention-s4-connector.yaml | 3 +--
 .../debian/changelog | 6 ++++++
 .../modules/univention/admin/handlers/dns/dns.py | 2 --
 .../univention/admin/handlers/dns/forward_zone.py | 2 +-
 .../univention-dnsedit | 4 ----
 .../conffiles/etc/univention/s4connector/s4/mapping.py | 2 +-
 services/univention-s4-connector/debian/changelog | 6 ++++++
 services/univention-s4-connector/debian/control | 2 +-
 .../modules/univention/s4connector/s4/dns.py | 17 -----------------
 10 files changed, 17 insertions(+), 30 deletions(-)

Package: univention-directory-manager-modules
Version: 13.0.21-29A~4.3.0.201806061508
Branch: ucs_4.3-0
Scope: errata4.3-0

Package: univention-s4-connector
Version: 12.0.2-20A~4.3.0.201806061508
Branch: ucs_4.3-0
Scope: errata4.3-0

[4.3-0] 31a7dc87ac Bug #32626: Revert change for UCS-4.3-1 release YAML
 doc/errata/staging/univention-directory-manager-modules.yaml | 2 +-
 doc/errata/staging/univention-s4-connector.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

OK: errata-announce -V --only univention-s4-connector.yaml
OK: errata-announce -V --only univention-s4-connector.yaml
FAIL: NS delegation for reverse zone is also required.
Code review of the reverts looked okay, I ran a quick ucs-test run without errors.
32b334b11e | Adjust test case to support mixed case domains
cb95ad37cf | Merge branch 'arequate/bug32626' into 4.3-1
e5575d9c1b | Reapply reverted patches
2e26b7a807 | Merge branch 'arequate/bug32626' into 4.3-1
26100469af | Advisory
abab8ae032 | Adjust test case to dig output
02f48f0a15 | Adjust test case to dig output

You are right, when a global forwarder is set then the recursion doesn't look up the delegated zone on the remote server advertised via NS record. This requires a bit more work and I've split it off as Bug 47176.
FAIL: <http://jenkins.knut.univention.de:8080/job/UCS-4.3/job/UCS-4.3-1/job/AutotestUpgrade/lastCompletedBuild/SambaVersion=no-samba,Systemrolle=master/testReport/67_udm-dns/107_dns_ns_record_check_resolve/test/>
Please adjust the test to either check the LDAP-BIND or disable it for the non-S4 scenario. Perhaps add "## packages: [univention-samba4]" as the test currently only executes on master?

(In reply to Arvid Requate from comment #16)
OK: 32b334b11e | Adjust test case to support mixed case domains
> cb95ad37cf | Merge branch 'arequate/bug32626' into 4.3-1
OK: e5575d9c1b | Reapply reverted patches
> 2e26b7a807 | Merge branch 'arequate/bug32626' into 4.3-1
OK: 26100469af | Advisory
OK: abab8ae032 | Adjust test case to dig output
OK: 02f48f0a15 | Adjust test case to dig output

OK: errata-announce -V --only univention-s4-connector.yaml
OK: errata-announce -V --only univention-directory-manager-modules.yaml
OK: univention-directory-manager-modules.yaml univention-s4-connector.yaml
fc95c0d604 | Restrict test scope to master running Samba/AD

Package: ucs-test
Version: 8.0.28-143A~4.3.0.201806261248

(In reply to Arvid Requate from comment #18)
> fc95c0d604 | Restrict test scope to master running Samba/AD
OK

<http://errata.software-univention.de/ucs/4.3/140.html>
<http://errata.software-univention.de/ucs/4.3/141.html>