I have a device running Samba as an Active Directory Domain Controller using BIND_DLZ as a backend.
On top of that I am running a secondary device, also configured as an Active Directory Domain Controller with BIND_DLZ as backend, for redundancy purposes.
IP addresses are assigned by an ISC DHCP server, which is able to update DNS resource records using an encryption key (TSIG).
Anyway: Onto my problem.
Here is my current setup
named.conf.options:
options
{
directory "/var/cache/bind";
forwarders {
2001:4860:4860::8888;
2001:4860:4860::8844;
8.8.8.8;
8.8.4.4;
};
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
listen-on port 53 { 192.168.1.240; };
listen-on port 5353 { 127.0.0.1; }; # <-- Used for the Netflix IPv6 filter only.
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
minimal-responses yes;
recursion yes;
};
acl "home-net"
{
127.0.0.1;
192.168.1.0/24;
2001:db8:cafe:beef::/56; # <-- I am using a IPv6 range from Tunnelbroker in real life.
};
view "normal"
{
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.internal";
# Netflix really dislikes Tunnelbroker IPv6, so I am dropping any Netflix AAAA resource records.
include "/etc/bind/netflix-ipv6-blackhole.conf";
match-clients
{
home-net; # <-- Only respond to queries originating from my own network.
};
dnssec-enable yes;
dnssec-validation auto;
allow-query { any; };
allow-query-cache { home-net; };
allow-recursion { home-net; };
forwarders {
8.8.8.8;
8.8.4.4;
2001:4860:4860::8888;
2001:4860:4860::8844;
};
};
named.conf.internal:
zone "1.168.192.in-addr.arpa"
{
type master;
file "/etc/bind/db.192.168.1.rev";
notify yes;
allow-query { any; };
allow-transfer { xfer; };
# If allow-update is enabled instead of the "include named.conf.update" line,
# then Dynamic DNS works fine because ISC DHCP can update the resource records.
#
# Sadly you can't have both lines enabled. It is either/or.
// allow-update { key ddns-key; };
include "/var/lib/samba/bind-dns/named.conf.update"; # <-- Having issues with THIS line only.
};
include "/var/lib/samba/bind-dns/named.conf";
/var/lib/samba/bind-dns/named.conf:
dlz "AD DNS Zone" {
# For BIND 9.11.x
database "dlopen /usr/lib/arm-linux-gnueabihf/samba/bind9/dlz_bind9_11.so";
};
/var/lib/samba/bind-dns/named.conf.update:
/* this file is auto-generated - do not edit */
update-policy {
grant EXAMPLE.COM ms-self * A AAAA;
grant [email protected] wildcard * A AAAA SRV CNAME;
# Main Active Directory Domain Controller
grant [email protected] wildcard * A AAAA SRV CNAME;
# Backup Active Directory Domain Controller
grant [email protected] wildcard * A AAAA SRV CNAME;
};
If I try to start BIND with this configuration, I get a rather odd error that I cannot figure out:
/var/lib/samba/bind-dns/named.conf.update:3: name field not set to placeholder value '.'
Is there anyone who can clue me into what is wrong with named.conf.update?
OK, you have two Samba AD DCs using Bind9 for the DNS server and you are having problems with DNS. I wonder if it could have anything to do with your incorrect bind files?
One major problem is that you have the reverse zone in a flat file; this is not allowed, you need to create it in AD, and you can use samba-tool to do this. You also cannot use 'views'.
Try these bind9 conf files:
/etc/bind/named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
/etc/bind/named.conf.options
options {
};
/etc/bind/named.conf.local
include "/var/lib/samba/bind-dns/named.conf";
// Netflix really dislikes Tunnelbroker IPv6, so I am dropping any Netflix AAAA resource records.
include "/etc/bind/netflix-ipv6-blackhole.conf";
If you backed up /var/lib/samba/bind-dns/named.conf.update, then reinstate it from the backup. If not, then change it to this:
/* this file is auto-generated - do not edit */
update-policy {
};