19 comments

[ 31.3 ms ] story [ 2422 ms ] thread
This is underrated. Bert is so reasonable, and the DNS is so brittle. Worth really saying, hey, "who is benefitting" with many of the new proposals.
The proposals seem to be about tapping the breaks. Good idea. It’s not good to leave so many people hopelessly in the dust.

His way of framing the cost/benefit analyses in terms of who bears the costs and who receives the benefits seems sound. It’s nit enough for something to have benefits.

Thanks David :-) Sadly though, while the 'DNS Camel' has caught a lot of attention, it hasn't helped one bit. As Robert Edmonds put it so well '"What should we do instead?" "Nothing" tends not to be too well received by those who get paid for doing something' https://twitter.com/rsedmonds/status/1029041197921329152
In my experience, we're already past the point where DNS is too complex.

I worked with a customer who had a postage meter that refused to work correctly. After tons of troubleshooting, it turned out the issue is that the postage company had DNAME records in the mix ... and the DNS server on that network doesn't support DNAME at all. That troublesome DNS server is the (then, at least) current version of Samba.

I tried contacting the vendor to report the issue and, in typical fashion, I don't think I even got a ticket escalated to somebody who understood it. We put the postage meter on a VLAN with different DNS to work around it.

I've also seen major issues with US government websites advertising AAAA records for websites that aren't actually available on ipv6 - and again, no way to report/resolve it, we just disabled ipv6 on the workstation we file those reports from.

Both experiences made me realize how fragile DNS is, how hard it is to get anything fixed once you do diagnose it, and that a lot of "flakey" tech probably suffers from DNS issues outside either the vendor or consumer's control.

Samba shouldn't be trying to deal with records it does not understand, and those AAAA records aren't exactly a DNS issue.

The Internet has become way too complex lately and DNS gets to carry the burden of gluing everything together. It may be wise to rethink its role, make it more general, and stack things on top of it, instead of inside.

Samba isn't "dealing with" them, it's just dropping them because it doesn't know anything about them.
Dropping them is dealing with them. DNS is an opaque key-value registry, you get a record from upstream, you store it and repeat to everybody that asks.
The problem is that Samba 4 has to deal with them, since it will look them up in ldb, and if they're not there, forward them. I guess it doesn't blindly pass records through that it can't look up in LDAP.

As a side note, although I love AD DNS, MS are so slow to add new record support. I still can't add SSHFP records to Samba. :(

You don't have to use the built in DNS server in Samba. You can use BIND - https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End and https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_o...
Ye, I find the inbuilt one more reliable, and i've seen a ppt which says bind_dlz is a horrible hack and they'll stop it at some point. Also that doesn't affect what record types can be stored and manipulated in AD.
I've seen a similar thing ("and they'll stop it at some point"). If you need DNS functionality beyond the Samba implementation then I would suggest having a separate BIND or PDNS server that all clients point at and that collates the DNS view that you wish them to have. A GPO will get them to update records on your Samba DNS and your PDNS or BIND or whatever can do the rest.
Nice thinking. I'll give that a think, thanks!
That makes sense. In theory LDAP is also an opaque key-value registry, but in practice Windows AD is so perverted that one has to interpret everything there.

I can understand how Samba had no other option. Still, it's hard to blame this one on DNS complexity.

Ye I guess from their point of view, they don't want to start diverging from Microsoft, which means they're frequently restricted to what Microsoft does.
Yes, since things like DNSSEC, DNS has become more complex for sure.
Interesting the see that the BGP WGs take such a different approach. Both DNS and BGP fill a similar essential role, you'd think that they would develop new standards in a similar fashion.
I feel like tying ips to a name and tying accounts to real people or to each other should be handled by the same entity. It could be called identity services. We need more centralized, simplified and potent identity services
and netbios in the mix