sgvfr
July 27, 2022, 1:14pm
1
Good morning. For many years I have had external DNS servers in different parts of my network that don’t have a local UCS server, transferring the domain.lan zone from the primary server. After the update to 5.0-2 the zone transfer fails and I have no idea what to look for.
I thought it was the DNS settings for external DNS servers that allowed this transfer to happen, but it doesn’t seem to help anymore.
Any ideas on how to allow a DNS zone transfer of the UCS domain? Or what can I troubleshoot?
Thanks
sgvfr
July 27, 2022, 1:33pm
3
Yes, I see you have the same issue.
root@ucs1:~# cat /var/log/syslog | grep transfer
Jul 27 02:59:58 ucs1 named[1059]: client @0x7f8130100f10 10.0.40.92#53947 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 02:59:58 ucs1 named[1059]: client @0x7f813011de30 10.0.40.92#38203 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 03:40:49 ucs1 named[1059]: client @0x7f813012c5c0 10.20.50.200#62888 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 03:40:49 ucs1 named[1059]: client @0x7f8130100f10 10.20.50.200#62103 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 03:47:37 ucs1 named[1059]: client @0x7f813010f6a0 10.10.50.200#62216 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 03:47:37 ucs1 named[1059]: client @0x7f812006bf80 10.10.50.200#61907 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 03:49:48 ucs1 named[1059]: client @0x7f813012c5c0 10.10.40.1#2165 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 03:49:48 ucs1 named[1059]: client @0x7f8130100f10 10.10.40.1#1712 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 04:58:43 ucs1 named[1059]: client @0x7f812006bf80 10.0.40.92#52039 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 04:58:43 ucs1 named[1059]: client @0x7f813012c5c0 10.0.40.92#36833 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 05:45:07 ucs1 named[1059]: client @0x7f813011de30 10.20.50.200#52771 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 05:45:07 ucs1 named[1059]: client @0x7f813012c5c0 10.20.50.200#50599 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 05:46:56 ucs1 named[1059]: client @0x7f8130100f10 10.20.50.200#50672 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 05:55:58 ucs1 named[23727]: client @0x7fb0b012c860 10.20.50.200#51027 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 06:22:05 ucs1 named[23727]: client @0x7fb0a002a810 10.10.50.200#62434 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 06:23:07 ucs1 named[23727]: client @0x7fb0a002a810 10.20.50.200#52091 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 06:23:36 ucs1 named[23727]: client @0x7fb0a0038e30 10.20.50.200#52114 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
root@ucs1:~#
sgvfr
July 29, 2022, 12:04am
4
Sorry to bump, but this is quite a serious issue for users who rely on DNS zone transfers on the network.
sgvfr
July 30, 2022, 9:38pm
5
/etc/bind/univention.conf.d/domain.lan
zone "domain.lan" {
type master;
allow-transfer { any; };
notify yes;
database "ldap ldap://127.0.0.1:7389/zoneName=domain.lan,cn=dns,dc=domain,dc=lan????!bindname=cn%3Ducs1%2Ccn%3Ddc%2Ccn%3Dcomputers%2Cdc%3Ddomain%2Cdc%3Dlan,!x-bindpw=xxxxxxxxxxxxxxxx,x-tls 172800";
};
I have tried allowing transfer in the options and in the zone file. Nothing seems to allow a transfer from the UCS servers.
Possibly a bug in bind?
Jul 30 14:28:04 ucs1 named[15251]: client @0x7f9fd4166bf0 10.10.50.200#59811 (domain.lan): zone transfer 'domain.lan/IN' denied
root 15251 0.6 1.5 519924 95200 ? Ssl 14:27 0:02 /usr/sbin/named -c /etc/bind/named.conf.samba4 -f -d 0
/etc/bind/named.conf.samba4
options {
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
listen-on { any; };
allow-query { any; };
allow-recursion { localhost; 10.0.0.0/8; 169.254.0.0/16; 172.16.0.0/12; 192.168.0.0/16; fc00::/7; fe80::/10; localnets; };
allow-query-cache { localhost; 10.0.0.0/8; 169.254.0.0/16; 172.16.0.0/12; 192.168.0.0/16; fc00::/7; fe80::/10; localnets; };
allow-transfer { any; };
listen-on-v6 { any; };
};
sgvfr
August 1, 2022, 4:10am
6
sgvfr
August 1, 2022, 3:38pm
7
@riess82 there is a workaround available, as mentioned in the bug report.
I have tested it and it works.
Before:
sgadmin@ns:/$ dig axfr domain.lan @ucs1.domain.lan
; <<>> DiG 9.16.1-Ubuntu <<>> axfr domain.lan @ucs1.domain.lan
;; global options: +cmd
; Transfer failed.
sgadmin@ns:/$
root@ucs1:~# vi /etc/samba/local.conf
[global]
netbios aliases = "xxxxxxxxxx"
dns zone transfer clients allow = 10.10.50.200 10.20.50.200 10.0.40.92
root@ucs1:~# /etc/init.d/bind9 restart
[ ok ] Restarting bind9 (via systemctl): bind9.service.
root@ucs1:~#
sgadmin@ns:/$ dig axfr domain.lan @ucs1.domain.lan
; <<>> DiG 9.16.1-Ubuntu <<>> axfr domain.lan @ucs1.domain.lan
;; global options: +cmd
domain.lan. 10800 IN SOA ucs1.domain.lan. root.domain.lan. 412 28800 7200 604800 3600
domain.lan. 900 IN NS ucs1.domain.lan.
domain.lan. 900 IN NS ucs2.domain.lan.
domain.lan. 900 IN NS ucs3.domain.lan.
domain.lan. 900 IN NS ucs4.domain.lan.
<pruned out>
;; Query time: 12 msec
;; SERVER: 10.10.50.10#53(10.10.50.10)
;; WHEN: Mon Aug 01 08:33:30 PDT 2022
;; XFR size: 90 records (messages 1, bytes 3010)
sgadmin@ns:/$
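Added example, not code from the thread or from Univention: a small Python script that parses the named "zone transfer denied" syslog lines shown above and compares the denied clients against the same space-separated list used for the `dns zone transfer clients allow` workaround, so an operator can tell which denials are expected secondaries still missing from the list and which come from clients that should not be requesting AXFR at all. The sample log lines are constructed in the shape of the thread's output.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Pattern for the named(8) "zone transfer ... denied" message as it appears
# in /var/log/syslog on the UCS server (same shape as the lines in the thread).
DENIED_RE = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): "
    r"zone transfer '(?P<zone>[^']+)' denied"
)

# Constructed sample log excerpt; 203.0.113.7 is a documentation address
# standing in for a client that is not one of the known secondaries.
SAMPLE_LOG = """\
Jul 27 02:59:58 ucs1 named[1059]: client @0x7f8130100f10 10.0.40.92#53947 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 03:40:49 ucs1 named[1059]: client @0x7f813012c5c0 10.20.50.200#62888 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 03:49:48 ucs1 named[1059]: client @0x7f813012c5c0 10.10.40.1#2165 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 04:58:43 ucs1 named[1059]: client @0x7f812006bf80 10.0.40.92#52039 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 05:00:00 ucs1 named[1059]: client @0x7f812006bf80 203.0.113.7#40001 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 05:00:01 ucs1 named[1059]: some unrelated named message that must be ignored
"""


def parse_denials(log_text):
    """Return {(zone, client_ip): count} for every zone-transfer denial in the log."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            counts[(m.group("zone"), m.group("ip"))] += 1
    return dict(counts)


def classify(denials, allowed_clients):
    """Split denials by the smb.conf-style allow list (space-separated IPs).

    Returns (expected, unexpected): expected are known secondaries that are
    still being refused (the allow list is not in effect yet), unexpected are
    clients that should never be transferring the zone and deserve a look.
    """
    allowed = {ip_address(ip) for ip in allowed_clients.split()}
    expected, unexpected = {}, {}
    for (zone, ip), n in denials.items():
        bucket = expected if ip_address(ip) in allowed else unexpected
        bucket[(zone, ip)] = n
    return expected, unexpected


if __name__ == "__main__":
    exp, unexp = classify(parse_denials(SAMPLE_LOG), "10.10.50.200 10.20.50.200 10.0.40.92")
    print("known secondaries still denied:", exp)
    print("unexpected AXFR clients:", unexp)
```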
Yes, I already saw. Thank you.