stealth server

Danny Mayer mayer at gis.net
Thu Jul 12 15:50:24 UTC 2001


Barry Finkel wrote:

> Barry Margolin <barmar at genuity.net> wrote in reply:
>
> > Windows 2000 is now my least favorite piece of Microsoft
> > crapware, as the DNS server that it comes with seems to have a bug that
> > causes serial numbers to drop back occasionally, and we have to notify our
> > customers that zone transfers have stopped (I suspect that when it
> > increments the serial# due to a dynamic DNS change, it doesn't update it in
> > the Registry like it does when you make some other change to the zone, and
> > when the server is rebooted it reverts to the last serial# that was stored
> > there).
>
> I have an open trouble ticket with MS on this serial number issue.
> We were getting serial numbers that reverted to their values of three
> months previous!  The MS engineers have been working for about 6-7
> weeks trying to architect a fix.  I agree with Barry Margolin that
> MS does not save the serial number in the AD or registry (depending
> upon the DNS configuration).  MS uses internal serial numbers and
> timestamps for each object in the AD, so if you are running a
> multi-master AD-integrated DNS with no slaves, then there is no need
> for an SOA serial number.  See Q282826 for details on how the MS code
> updates serial numbers in a multi-master configuration.
>
> MS has told us that when the zone serial number decreases, there is
> no data loss in the zone; it is just the serial number that has
> decreased.  All of the zone information is retrieved intact from the
> AD.  I have not verified this, as I do not want to corrupt live DNS
> data (and our W2k testbed is not active enough for me to duplicate some
> of the problems I have seen with the MS code).  If you stop the DNS
> process on the W2k DC before a shutdown/reboot, then the serial number
> remains intact.  If you do a clean shutdown/reboot, then the serial
> number is not stored, and the decrease occurs.  I believe that on a
> clean shutdown/reboot there must be contention for the AD, and the
> DNS process cannot store the SOA serial number before the shutdown
> process terminates the DNS process.  I have no idea why the MS code
> does not store the SOA serial number in the AD every time it is
> updated.
>
> As the subject line of the original posting was "stealth server", I
> have another W2k-related comment.  A W2k server cannot be a stealth
> server, as the MS code will add an NS record for the W2k DNS server
> if one does not exist.  If you delete the NS record, the MS code will
> sense the fact and re-add the NS record.
>
> One other related topic that I posted a number of months ago and to
> which I did not receive a definitive answer --  In a W2k multi-master
> AD-integrated environment, each DNS server has its own copy of the
> zone (stored in the AD).  But the SOA record in each copy is
> different; each DNS server has its own name in the SOA as the master.
> Does this violate any DNS RFC?  My feeling is that it probably does,
> as two zones with the same content except the SOA record are NOT the
> same zone, and it is illegal to have a zone on two masters that
> differs.

    I had responded to you about this some months ago.  This is a violation
of RFC 2136, specifically Section 3.6 which describes the required
SOA record serial number behavior. Despite what MS says, there IS data
loss in the zone since the Serial Number is being changed and becomes invalid.
An SOA record is like any other DNS record and ALL of the information in
it MUST be preserved in the same way as all other RR's in the zone.  Can you
imagine an A record having its IP address decremented?

    Danny
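Added example, not part of the thread above: a small Python monitor for the failure mode Barry Finkel and Barry Margolin describe, namely a master whose SOA serial goes backwards after a reboot, after which secondaries holding the higher serial never transfer the zone again. It applies RFC 1982 serial-number arithmetic to a constructed series of SOA polls; the zone name, hostnames and serials are made up.

```python
from collections import namedtuple

HALF, MASK = 1 << 31, (1 << 32) - 1   # SOA serials are 32-bit and wrap (RFC 1982)

def serial_lt(a, b):
    """True if serial a is 'less than' serial b under RFC 1982 wrap-around
    comparison; raises ValueError when they are exactly 2^31 apart (undefined)."""
    a, b = a & MASK, b & MASK
    if a == b:
        return False
    d = (b - a) & MASK
    if d == HALF:
        raise ValueError(f"serials {a} and {b} are not comparable (RFC 1982)")
    return d < HALF

# One poll of one server: role is "master" or "secondary", serial is the SOA
# serial that server answered with.
Observation = namedtuple("Observation", "zone server role serial")

def find_regressions(observations):
    """(zone, server, previous, current) for each poll at which a server's
    serial went backwards relative to that same server's previous poll."""
    last, events = {}, []
    for o in observations:
        key = (o.zone, o.server)
        if key in last and serial_lt(o.serial, last[key]):
            events.append((o.zone, o.server, last[key], o.serial))
        last[key] = o.serial
    return events

def stuck_secondaries(observations):
    """Secondaries whose latest serial is ahead of the master's latest serial:
    their SOA refresh check sees nothing newer, so they never transfer again."""
    latest = {(o.zone, o.server): o for o in observations}
    masters = {o.zone: o for o in latest.values() if o.role == "master"}
    return [(o.zone, o.server, o.serial, masters[o.zone].serial)
            for o in latest.values()
            if o.role == "secondary" and o.zone in masters
            and serial_lt(masters[o.zone].serial, o.serial)]

# Constructed polls in time order (zone, hostnames and serials are made up):
# the master serves 2001071203, a secondary pulls it, then the master reboots
# and comes back with the serial it had stored months earlier.
SAMPLE = [
    Observation("example.test", "w2k-dc1", "master", 2001071203),
    Observation("example.test", "ns-bind1", "secondary", 2001071203),
    Observation("example.test", "w2k-dc1", "master", 2001041009),
]
```

Run against SAMPLE, find_regressions reports the master dropping from 2001071203 to 2001041009 and stuck_secondaries reports ns-bind1 still holding the higher serial, which is exactly the state in which transfers silently stop.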
