After update to 5.0-2 DNS server won't allow zone transfer

sgvfr · July 27, 2022, 1:14pm

Good morning. for many years i have external DNS servers in different parts of my network that don’t have a local UCS server, transferring the domain.lan zone from the primary server. After update to 5.0-2 the zone transfer fails and I have no idea what to look for.
I thought it was the DNS settings for external DNS servers that allowed this transfer to happen, but it doesn’t seem to help anymore.

any ideas on how to allow the UCS domain name allow a DNS zone transfer ?? or what I can troubleshoot?

Thanks

riess82 · July 27, 2022, 1:29pm

Probably same as mine: Named: zone transfer denied

sgvfr · July 27, 2022, 1:33pm

yes, I see you have the same issue.

root@ucs1:~# cat /var/log/syslog | grep transfer
Jul 27 02:59:58 ucs1 named[1059]: client @0x7f8130100f10 10.0.40.92#53947 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 02:59:58 ucs1 named[1059]: client @0x7f813011de30 10.0.40.92#38203 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 03:40:49 ucs1 named[1059]: client @0x7f813012c5c0 10.20.50.200#62888 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 03:40:49 ucs1 named[1059]: client @0x7f8130100f10 10.20.50.200#62103 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 03:47:37 ucs1 named[1059]: client @0x7f813010f6a0 10.10.50.200#62216 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 03:47:37 ucs1 named[1059]: client @0x7f812006bf80 10.10.50.200#61907 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 03:49:48 ucs1 named[1059]: client @0x7f813012c5c0 10.10.40.1#2165 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 03:49:48 ucs1 named[1059]: client @0x7f8130100f10 10.10.40.1#1712 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 04:58:43 ucs1 named[1059]: client @0x7f812006bf80 10.0.40.92#52039 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 04:58:43 ucs1 named[1059]: client @0x7f813012c5c0 10.0.40.92#36833 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 05:45:07 ucs1 named[1059]: client @0x7f813011de30 10.20.50.200#52771 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 05:45:07 ucs1 named[1059]: client @0x7f813012c5c0 10.20.50.200#50599 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 05:46:56 ucs1 named[1059]: client @0x7f8130100f10 10.20.50.200#50672 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 05:55:58 ucs1 named[23727]: client @0x7fb0b012c860 10.20.50.200#51027 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 06:22:05 ucs1 named[23727]: client @0x7fb0a002a810 10.10.50.200#62434 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 06:23:07 ucs1 named[23727]: client @0x7fb0a002a810 10.20.50.200#52091 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 06:23:36 ucs1 named[23727]: client @0x7fb0a0038e30 10.20.50.200#52114 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
root@ucs1:~#

sgvfr · July 29, 2022, 12:04am

sorry to bump, but this is quite a serious issue for users who rely on DNS zone transfers on the network.

sgvfr · July 30, 2022, 9:38pm

/etc/bind/univention.conf.d/domain.lan

zone "domain.lan" {
        type master;
        allow-transfer { any; };
        notify yes;
        database "ldap ldap://127.0.0.1:7389/zoneName=domain.lan,cn=dns,dc=domain,dc=lan????!bindname=cn%3Ducs1%2Ccn%3Ddc%2Ccn%3Dcomputers%2Cdc%3Ddomain%2Cdc%3Dlan,!x-bindpw=xxxxxxxxxxxxxxxx,x-tls 172800";
};

I have tried allowing transfer in the options, and the zone file. nothing seem to allow a transfer from the UCS servers.

possibly a bug in bind ???
Jul 30 14:28:04 ucs1 named[15251]: client @0x7f9fd4166bf0 10.10.50.200#59811 (domain.lan): zone transfer 'domain.lan/IN' denied

root     15251  0.6  1.5 519924 95200 ?        Ssl  14:27   0:02 /usr/sbin/named -c /etc/bind/named.conf.samba4 -f -d 0

/etc/bind/named.conf.samba4

options {
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
        listen-on { any; };
        allow-query { any; };
        allow-recursion { localhost; 10.0.0.0/8; 169.254.0.0/16; 172.16.0.0/12; 192.168.0.0/16; fc00::/7; fe80::/10; localnets; };
        allow-query-cache { localhost; 10.0.0.0/8; 169.254.0.0/16; 172.16.0.0/12; 192.168.0.0/16; fc00::/7; fe80::/10; localnets; };
        allow-transfer { any; };
        listen-on-v6 { any; };
};

sgvfr · August 1, 2022, 4:10am

https://forge.univention.org/bugzilla/show_bug.cgi?id=55047

submitted bug report

sgvfr · August 1, 2022, 3:38pm

@riess82 there is a workaround available as mentioned in the bug report

I have tested and it works.

before:

sgadmin@ns:/$ dig axfr domain.lan @ucs1.domain.lan

; <<>> DiG 9.16.1-Ubuntu <<>> axfr domain.lan @ucs1.domain.lan
;; global options: +cmd
; Transfer failed.
sgadmin@ns:/$

root@ucs1:~# vi /etc/samba/local.conf

[global]
netbios aliases = "xxxxxxxxxx"
dns zone transfer clients allow = 10.10.50.200 10.20.50.200 10.0.40.92

root@ucs1:~# /etc/init.d/bind9 restart
[ ok ] Restarting bind9 (via systemctl): bind9.service.
root@ucs1:~#

sgadmin@ns:/$ dig axfr domain.lan @ucs1.domain.lan

; <<>> DiG 9.16.1-Ubuntu <<>> axfr domain.lan @ucs1.domain.lan
;; global options: +cmd
domain.lan.              10800   IN      SOA     ucs1.domain.lan. root.domain.lan. 412 28800 7200 604800 3600
domain.lan.              900     IN      NS      ucs1.domain.lan.
domain.lan.              900     IN      NS      ucs2.domain.lan.
domain.lan.              900     IN      NS      ucs3.domain.lan.
domain.lan.              900     IN      NS      ucs4.domain.lan.
           <pruned out>
;; Query time: 12 msec
;; SERVER: 10.10.50.10#53(10.10.50.10)
;; WHEN: Mon Aug 01 08:33:30 PDT 2022
;; XFR size: 90 records (messages 1, bytes 3010)

sgadmin@ns:/$

riess82 · August 2, 2022, 7:51am

yes, i already saw. thank you