DNS TTL issues -WHY?

Hi all,

there might be someone explaining the issue here (knowing @pmhahn as the DNS guy is busy).

I have a CNAME entry in my zone (DNS backend is Samba) configured:

root@praxis:~# univention-ldapsearch relativeDomainName=backuppc
[...]
# backuppc, schule.de, dns, schule2.de
dn: relativeDomainName=backuppc,zoneName=schule.de,cn=dns,dc=schule2,dc=de
zoneName: schule.de
relativeDomainName: backuppc
cNAMERecord: backuppc41.schule.de.
objectClass: top
objectClass: dNSZone
objectClass: univentionObject
univentionObjectType: dns/alias
dNSTTL: 30
[...]
# numEntries: 1

Note the dNSTTL of 30 seconds. Now (even after a restart of bind9) I am getting the following from my clients:

root@praxis:~# systemctl restart bind9
root@praxis:~# dig backuppc.schule.de +ttlunits

; <<>> DiG 9.11.5-P4-5.1+deb10u5A~5.0.0.202105030845-Univention <<>> backuppc.schule.de +ttlunits
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50378
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: b48ef92fc447fb9074f675286125e3e3ddc275c8ae36232b (good)
;; QUESTION SECTION:
;backuppc.schule.de.             IN      A

;; ANSWER SECTION:
backuppc.schule.de.      15m     IN      CNAME   backuppc41.schule.de.
backuppc41.schule.de.    15m     IN      A       192.168.9.2

;; AUTHORITY SECTION:
schule.de.               15m     IN      NS      praxis2.schule.de.
schule.de.               15m     IN      NS      praxis.schule2.de.

;; ADDITIONAL SECTION:
praxis.schule2.de. 15m IN   A       192.168.1.10

;; Query time: 2 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)
;; WHEN: Mi Aug 25 08:32:03 CEST 2021
;; MSG SIZE  rcvd: 194

So the DNS TTL is set to 15 minutes instead of 30 seconds according to dig.

Just to make sure I did a request on a Windows10 machine with nslookup:

C:\Users\chvoelker>nslookup  -debug backuppc.schule.de 192.168.1.10
[...]
    QUESTIONS:
        backuppc.schule.de, type = A, class = IN
    ANSWERS:
    ->  backuppc.schule.de
        canonical name = backuppc41.schule.de
        ttl = 900 (15 mins)
    ->  backuppc41.schule.de
        internet address = 192.168.9.2
        ttl = 900 (15 mins)
    AUTHORITY RECORDS:
    ->  schule.de
        nameserver = praxis2.schule.de
        ttl = 900 (15 mins)
[...]

So it clearly shows the TTL of 15 minutes, not the configured 30 seconds.
I even tried to set the TTL for a single entry to a large number (3 days). It will always reply with the 15 minutes. So where do they come from?

Why does bind9 not use the configured values?

Thanks a lot!

/KNEBB
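A check for the mismatch described in this post, added here as an example (not code from the thread or from UCS): it reads the dNSTTL from the LDAP entry and the TTL dig actually serves, and reports every record where the two differ. The LDIF and dig answer lines are constructed samples modelled on the output above; the `+ttlunits` form (`15m`) is converted to seconds.

```python
import re
# Constructed sample LDIF modelled on the entry quoted above (not the real directory).
LDIF = """\
dn: relativeDomainName=backuppc,zoneName=schule.de,cn=dns,dc=schule2,dc=de
zoneName: schule.de
relativeDomainName: backuppc
cNAMERecord: backuppc41.schule.de.
dNSTTL: 30
"""

# Constructed dig answer section, in the +ttlunits form shown above.
DIG_ANSWER = """\
backuppc.schule.de.      15m     IN      CNAME   backuppc41.schule.de.
backuppc41.schule.de.    15m     IN      A       192.168.9.2
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def ttl_seconds(field):
    """Accept plain seconds ('900') or the dig +ttlunits form ('15m', '3d')."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", field)
    if not m:
        raise ValueError(f"unrecognised TTL field: {field!r}")
    return int(m.group(1)) * UNITS.get(m.group(2), 1)

def parse_ldif_ttls(ldif):
    """Map 'host.zone.' -> dNSTTL for every record entry in the LDIF text."""
    ttls = {}
    for entry in ldif.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in entry.splitlines() if ": " in line)
        if "relativeDomainName" in attrs and "dNSTTL" in attrs:
            ttls[f"{attrs['relativeDomainName']}.{attrs['zoneName']}."] = int(attrs["dNSTTL"])
    return ttls

def parse_dig_ttls(answer):
    """Map owner name -> served TTL in seconds from dig answer-section lines."""
    ttls = {}
    for line in answer.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN":
            ttls[parts[0]] = ttl_seconds(parts[1])
    return ttls

def ttl_mismatches(ldif, answer):
    """Return (name, configured, served) for records whose served TTL differs."""
    configured, served = parse_ldif_ttls(ldif), parse_dig_ttls(answer)
    return [(n, configured[n], served[n]) for n in configured
            if n in served and configured[n] != served[n]]
```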

Which DNS backend are you using, e.g. ldap or samba4? Please run ucr get dns/backend to get this information.
I guess it is samba4 for you, as with ldap it works (for me):

udm dns/alias create \
  --superordinate zoneName="$(dnsdomainname),cn=dns,$(ucr get ldap/base)" \
  --set name=master \
  --set zonettl=15 \
  --set cname="$(hostname -f)."
sleep 30
dig "master.$(dnsdomainname)."
# master.qa50.pmh.        15      IN      CNAME   m38.qa50.pmh.

@requate Do you know more?

Hi,

indeed, as mentioned above: I am using Samba4 as backend. UCS5 meanwhile.

I could confirm: when using ldap as backend it runs perfectly. As soon as I switch to samba4 as backend (without changing anything else) I am back to the 15-minute TTL.

/KNEBB

Hi,

within the Samba database it is already stored with the 900 seconds:

root@praxis:~# samba-tool dns query praxis.schule2.de schule.de backuppc ALL -U Administrator
Global parameter smb2 leases found in service section!
Password for [SCHULE2\Administrator]:
  Name=, Records=1, Children=0
    CNAME: backuppc42.schule.de. (flags=f0, serial=1, ttl=900)

man samba-tool does not show any information how to set a TTL to a single record. Is this at least possible in Samba?
Thanks a lot!

/KNEBB

Hi

I just realized there is already a bug open to this.
Bugzilla.

Hopefully this will be fixed soon…

/KNEBB

Hi, ok, glad you found the bug which has a patch. Unfortunately samba-tool doesn’t (yet) support setting the TTLs manually. During research for that bug I made the following notes to find out if the default TTL for DNS records updated by Windows clients can be changed on the client side. I had the impression that there may be a Windows registry key, but if that’s of interest for you, more research would be required, as apparently the key changed during the course of history… Anyway, I’ll leave these links here, maybe they help:

The TTLs can be specified by DDNS clients, e.g. via nsupdate, but AFAIK that would require delete+add for each individual record, which sucks. Even more so, if the windows clients reset it during the next update…
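The delete+add workaround mentioned above, written out as an added example (not code from the thread or from Samba/UCS): it builds an nsupdate batch that re-creates each record with the wanted TTL, one `send` per zone, since nsupdate has no operation that only changes a TTL. The server address and record list are constructed samples using the names from the thread.

```python
# Constructed sample records (zone, owner, wanted TTL, type, rdata) using the thread's names.
RECORDS = [
    ("schule.de.", "backuppc.schule.de.", 30, "CNAME", "backuppc41.schule.de."),
    ("schule2.de.", "praxis.schule2.de.", 300, "A", "192.168.1.10"),
]

def nsupdate_batch(server, records):
    """Return an nsupdate script that re-creates each record with its wanted TTL.

    nsupdate cannot change a TTL in place: the RRset has to be deleted and
    added back with the new TTL (the delete+add mentioned above).
    Records are grouped per zone because one 'send' covers a single zone.
    """
    by_zone = {}
    for zone, owner, ttl, rtype, rdata in records:
        if not (zone.endswith(".") and owner.endswith("." + zone)):
            raise ValueError(f"{owner!r} is not a fully qualified name inside {zone!r}")
        by_zone.setdefault(zone, []).append((owner, ttl, rtype, rdata))
    lines = [f"server {server}"]
    for zone, recs in by_zone.items():
        lines.append(f"zone {zone}")
        for owner, ttl, rtype, rdata in recs:
            lines.append(f"update delete {owner} {rtype}")  # removes the whole RRset of that type
            lines.append(f"update add {owner} {ttl} IN {rtype} {rdata}")
        lines.append("send")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(nsupdate_batch("192.168.1.10", RECORDS), end="")  # feed this text to nsupdate
```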

Hi Arvid,

thanks for that. Even though it is not my concern about the Windows clients. I do not care about them. I want to create a DNS CNAME through udm with a very short TTL in order to be able to switch services.

My issue is not really related to Windows. Just because the S4-connector takes a different default value it hits me.

Will the patch be included in the foreseeable future?

Thanks & Greetings

/KNEBB

I’ve added it to the “bugsquashing” track on the Kanban board of the dev team I’m part of, so we have it on the radar.
