Univention Bugzilla – Bug 39081
dlz_bind9 plugin ignores Forest+DomainDnsZones if Windows-2000 zone exists
Last modified: 2017-04-24 13:52:08 CEST
The Samba4 dlz_bind9 plugin ignores DomainDnsZones and ForestDnsZones if a Windows-2000 compatible zone exists. A "Windows-2000 compatible" zone is one located below CN=MicrosoftDNS,CN=System,$samba4_ldap_base. This behavior was introduced by our dlz_bind9 patch. Since AD supports any of the three DNS locations (Forest-wide, Domain-wide and Windows-2000 compatible) in Active Directory, we should probably also allow this. Otherwise an Admin could be surprised to DoS his normal domain DNS zone just by accidentally adding some DNS zone with "Windows-2000 compatible" mode. With native AD this is easily possible by using the DNS MMC snap-in; I haven't tested this snap-in against Samba4 yet.
While fixing Bug 39139 I have adjusted this already slightly to get the behavior desired for Bug 34184. Now dlz_bind9 ignores:

* duplicate zones (it takes the first it finds); this behavior is unchanged
* and above that, it now only ignores the zones with _msdcs.* if a partition has been found in the "Windows-2000 compatible" position (i.e. on the domain partition of the Samba/Active Directory).

So, it now only ignores zones whose names start with "_msdcs." in this case, not all zones. This _msdcs sub-zone is a special case which still needs to be ignored in updated installations (see Bug 34184). So, this bug is not that relevant any longer if the other two get released.
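The following is an added example, not part of this bug report and not Samba's or UCS's dlz_bind9 code: a small Python model of the two zone-selection rules discussed above (the reported behavior, where any zone in the "Windows-2000 compatible" position hides DomainDnsZones and ForestDnsZones, beside the adjusted behavior from the last comment, where only _msdcs.* zones are dropped and only when that position is populated), run over constructed LDAP DNs. The base DN, the order in which the three MicrosoftDNS containers are searched, and the assumption that the _msdcs.* check applies to every partition are assumptions of this model, not facts taken from the page.

```python
# Added example (not Samba's or UCS's own code): a model of the dnsZone
# selection rules discussed in this bug, run over constructed LDAP DNs.
# Base DN, partition search order and the scope of the _msdcs.* check are
# assumptions of this model.

BASE_DN = "dc=example,dc=com"  # assumed Samba/AD LDAP base

# Assumed lookup order: Domain-wide, Forest-wide, then Windows-2000 compatible.
PARTITIONS = (
    ("domain", "CN=MicrosoftDNS,DC=DomainDnsZones"),
    ("forest", "CN=MicrosoftDNS,DC=ForestDnsZones"),
    ("win2000", "CN=MicrosoftDNS,CN=System"),
)

# Constructed sample directory content: two proper zones, one record object
# (one level deeper, not a zone) and one accidentally added Windows-2000
# compatible zone, as in the scenario described in the bug.
SAMPLE_DNS = [
    "DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,dc=example,dc=com",
    "DC=_msdcs.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,dc=example,dc=com",
    "DC=@,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,dc=example,dc=com",
    "DC=legacy.example.com,CN=MicrosoftDNS,CN=System,dc=example,dc=com",
]


def parse_zone_dn(dn, base_dn=BASE_DN):
    """Return (zone_name, partition) for a dnsZone object sitting directly
    below one of the three MicrosoftDNS containers, else None."""
    rdn, _, parent = dn.partition(",")
    if not rdn.upper().startswith("DC="):
        return None
    for partition, container in PARTITIONS:
        if parent.lower() == f"{container},{base_dn}".lower():
            return rdn[3:].lower(), partition
    return None


def _group_by_partition(dns, base_dn):
    groups = {partition: [] for partition, _ in PARTITIONS}
    for dn in dns:
        parsed = parse_zone_dn(dn, base_dn)
        if parsed is not None:
            zone, partition = parsed
            groups[partition].append(zone)
    return groups


def select_zones_old(dns, base_dn=BASE_DN):
    """Behavior reported in the bug: once any zone exists in the Windows-2000
    compatible position, DomainDnsZones and ForestDnsZones are ignored
    entirely; among duplicates the first zone found wins."""
    groups = _group_by_partition(dns, base_dn)
    order = ["win2000"] if groups["win2000"] else [p for p, _ in PARTITIONS]
    selected, ignored, seen = [], [], set()
    for partition in order:
        for zone in groups[partition]:
            if zone in seen:
                ignored.append((zone, partition, "duplicate"))
            else:
                seen.add(zone)
                selected.append((zone, partition))
    for partition in (p for p, _ in PARTITIONS if p not in order):
        ignored.extend((z, partition, "win2000 zone exists") for z in groups[partition])
    return selected, ignored


def select_zones_new(dns, base_dn=BASE_DN):
    """Behavior after the adjustment in the last comment: duplicates still go
    to the first partition searched, and only zones named _msdcs.* are
    dropped, and only while the Windows-2000 position is populated.
    Applying that check in every partition is an assumption of this model."""
    groups = _group_by_partition(dns, base_dn)
    win2000_present = bool(groups["win2000"])
    selected, ignored, seen = [], [], set()
    for partition, _ in PARTITIONS:
        for zone in groups[partition]:
            if zone in seen:
                ignored.append((zone, partition, "duplicate"))
            elif win2000_present and zone.startswith("_msdcs."):
                ignored.append((zone, partition, "_msdcs.* with win2000 zone present"))
            else:
                seen.add(zone)
                selected.append((zone, partition))
    return selected, ignored


if __name__ == "__main__":
    for label, rule in (("old", select_zones_old), ("new", select_zones_new)):
        selected, ignored = rule(SAMPLE_DNS)
        print(label, "serves:", selected)
        print(label, "ignores:", ignored)
```

With the sample data the old rule serves only legacy.example.com, so the real domain zone disappears from BIND once someone adds a single zone under CN=System (the DoS the bug describes); the new rule keeps example.com from DomainDnsZones and drops only _msdcs.example.com.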