DLZ module function "dlz_allowzonexfr" is not always called by bind
Summary
By default, when a zone transfer request is made for a zone managed by a DLZ module, the module's "dlz_allnodes" function is called immediately and the result is sent to the client, whatever its IP address.
When bind is reloaded (using the "rndc reload" call), the module's "dlz_allowzonexfr" function is called first, and only if it returns "ISC_R_SUCCESS" is the "dlz_allnodes" function called.
This latter behaviour is the expected/documented one, as far as I understand.
BIND version used
BIND 9.10.3-P4-Debian id:ebd72b3 built by make with '--prefix=/usr' '--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so' '--with-randomdev=/dev/urandom' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-zVMG3I/bind9-9.10.3.dfsg.P4=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' compiled by GCC 6.3.0 20170516 compiled with OpenSSL version: OpenSSL 1.0.2l 25 May 2017 linked to OpenSSL version: OpenSSL 1.0.2l 25 May 2017 compiled with libxml2 version: 2.9.4 linked to libxml2 version: 20904
Steps to reproduce
I found this bug while working on the dlz_allowzonexfr function for the Samba DLZ module. Adding logs to the dlz_allnodes and dlz_allowzonexfr functions made the bug evident: on a normal start, bind9 does not call dlz_allowzonexfr. After a reload, it does.
NOTE: up to now, the samba DLZ module has always returned ISC_R_SUCCESS. I'm working on changing this behaviour and returning ISC_R_SUCCESS selectively, based on a list of authorized IPs configured on the samba side (see the merge request for the samba project here: https://gitlab.com/samba-team/samba/merge_requests/169). I found this issue while testing my patch.
What is the current bug behavior?
Bind does not call the dlz_allowzonexfr function by default. You need to reload it to have it call that function.
What is the expected correct behavior?
Bind should always call the "dlz_allowzonexfr" function, and call dlz_allnodes only if dlz_allowzonexfr returns success.
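The callback order this report expects, as an added example written for this page (it is not Samba's or BIND's own code): a dlz_allowzonexfr() that checks the client against an IPv4 prefix allow list, and a serve_axfr() model that either gates dlz_allnodes() on that check (the documented order) or skips the gate (what was observed on a fresh start). The dlz_state layout, the prefix list, demo_state() and demo_allnodes_calls() are constructed for the example; the result-code values are those of BIND's dlz_minimal.h, and dlz_allnodes() omits the real API's third argument.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Result codes with the values BIND's dlz_minimal.h uses, copied here so
 * the example builds without BIND headers. */
typedef unsigned int isc_result_t;
#define ISC_R_SUCCESS  0
#define ISC_R_NOPERM   6
#define ISC_R_NOTFOUND 23

/* Constructed module state (hypothetical, not Samba's layout): the zone
 * served and an allow list of IPv4 prefixes written "a.b.c.d/len". */
struct dlz_state {
    const char *zone;
    const char *allowed[8];
    int n_allowed;
    int allnodes_calls;   /* how many times dlz_allnodes() has run */
};

/* True if the client address (network byte order) lies inside "a.b.c.d/len".
 * A bare address means /len = 32; a malformed prefix never matches. */
static int prefix_matches(const char *prefix, uint32_t client_be) {
    char buf[32];
    struct in_addr net;
    int len = 32;
    if (strlen(prefix) >= sizeof(buf)) return 0;
    strcpy(buf, prefix);
    char *slash = strchr(buf, '/');
    if (slash != NULL) {
        char *end;
        *slash = '\0';
        len = (int)strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0') return 0;   /* "/abc" must not become /0 */
    }
    if (len < 0 || len > 32 || inet_pton(AF_INET, buf, &net) != 1) return 0;
    uint32_t mask = (len == 0) ? 0 : htonl(0xFFFFFFFFu << (32 - len));
    return (net.s_addr & mask) == (client_be & mask);
}

/* The gate, with the DLZ API's dlz_allowzonexfr() signature. NOTFOUND means
 * "not my zone"; NOPERM means "my zone, but this client may not transfer it". */
isc_result_t dlz_allowzonexfr(void *dbdata, const char *name, const char *client) {
    struct dlz_state *st = dbdata;
    struct in_addr c;
    if (strcasecmp(name, st->zone) != 0) return ISC_R_NOTFOUND;
    if (inet_pton(AF_INET, client, &c) != 1) return ISC_R_NOPERM;  /* unparsable client: deny */
    for (int i = 0; i < st->n_allowed; i++)
        if (prefix_matches(st->allowed[i], c.s_addr)) return ISC_R_SUCCESS;
    return ISC_R_NOPERM;
}

/* Stand-in for dlz_allnodes(): a real module enumerates the zone here. */
isc_result_t dlz_allnodes(const char *zone, void *dbdata) {
    struct dlz_state *st = dbdata;
    (void)zone;
    st->allnodes_calls++;
    return ISC_R_SUCCESS;
}

/* Server-side model. check_first = 1 is the documented order; 0 reproduces
 * what the report observed before a reload. Returns 1 if the AXFR was served. */
int serve_axfr(struct dlz_state *st, const char *zone, const char *client, int check_first) {
    if (check_first && dlz_allowzonexfr(st, zone, client) != ISC_R_SUCCESS) {
        printf("client %s: zone transfer '%s' denied\n", client, zone);
        return 0;
    }
    if (dlz_allnodes(zone, st) != ISC_R_SUCCESS) return 0;
    printf("client %s: transfer of '%s': AXFR served\n", client, zone);
    return 1;
}

/* Constructed state mirroring the report: 127.0.0.1 is authorized,
 * 192.168.0.23 is not; the /24 entry is an invented extra to show prefixes. */
static struct dlz_state demo;
struct dlz_state *demo_state(void) {
    demo.zone = "mondomaine.lan";
    demo.allowed[0] = "127.0.0.1";
    demo.allowed[1] = "10.75.246.0/24";
    demo.n_allowed = 2;
    demo.allnodes_calls = 0;
    return &demo;
}
int demo_allnodes_calls(void) { return demo.allnodes_calls; }

int main(void) {
    serve_axfr(demo_state(), "mondomaine.lan", "127.0.0.1", 1);    /* served */
    serve_axfr(demo_state(), "mondomaine.lan", "192.168.0.23", 1); /* denied, allnodes not run */
    serve_axfr(demo_state(), "mondomaine.lan", "192.168.0.23", 0); /* the observed bug path */
    return 0;
}
```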
Relevant logs and/or screenshots
Initial start of bind:
Dec 20 08:51:24 sambarwdc named[57]: starting BIND 9.10.3-P4-Debian <id:ebd72b3> -u bind
Dec 20 08:51:24 sambarwdc named[57]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so' '--with-randomdev=/dev/urandom' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-zVMG3I/bind9-9.10.3.dfsg.P4=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
Dec 20 08:51:24 sambarwdc named[57]: ----------------------------------------------------
Dec 20 08:51:24 sambarwdc named[57]: BIND 9 is maintained by Internet Systems Consortium,
Dec 20 08:51:24 sambarwdc named[57]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Dec 20 08:51:24 sambarwdc named[57]: corporation. Support and training for BIND 9 are
Dec 20 08:51:24 sambarwdc named[57]: available at https://www.isc.org/support
Dec 20 08:51:24 sambarwdc named[57]: ----------------------------------------------------
Dec 20 08:51:24 sambarwdc named[57]: found 8 CPUs, using 8 worker threads
Dec 20 08:51:24 sambarwdc named[57]: using 4 UDP listeners per interface
Dec 20 08:51:24 sambarwdc named[57]: using up to 4096 sockets
Dec 20 08:51:24 sambarwdc named[57]: loading configuration from '/etc/bind/named.conf'
Dec 20 08:51:24 sambarwdc named[57]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Dec 20 08:51:24 sambarwdc named[57]: initializing GeoIP Country (IPv4) (type 1) DB
Dec 20 08:51:24 sambarwdc named[57]: GEO-106FREE 20170512 Bu
Dec 20 08:51:24 sambarwdc named[57]: initializing GeoIP Country (IPv6) (type 12) DB
Dec 20 08:51:24 sambarwdc named[57]: GEO-106FREE 20170512 Bu
Dec 20 08:51:24 sambarwdc named[57]: GeoIP City (IPv4) (type 2) DB not available
Dec 20 08:51:24 sambarwdc named[57]: GeoIP City (IPv4) (type 6) DB not available
Dec 20 08:51:24 sambarwdc named[57]: GeoIP City (IPv6) (type 30) DB not available
Dec 20 08:51:24 sambarwdc named[57]: GeoIP City (IPv6) (type 31) DB not available
Dec 20 08:51:24 sambarwdc named[57]: GeoIP Region (type 3) DB not available
Dec 20 08:51:24 sambarwdc named[57]: GeoIP Region (type 7) DB not available
Dec 20 08:51:24 sambarwdc named[57]: GeoIP ISP (type 4) DB not available
Dec 20 08:51:24 sambarwdc named[57]: GeoIP Org (type 5) DB not available
Dec 20 08:51:24 sambarwdc named[57]: GeoIP AS (type 9) DB not available
Dec 20 08:51:24 sambarwdc named[57]: GeoIP Domain (type 11) DB not available
Dec 20 08:51:24 sambarwdc named[57]: GeoIP NetSpeed (type 10) DB not available
Dec 20 08:51:24 sambarwdc named[57]: using default UDP/IPv4 port range: [32768, 60999]
Dec 20 08:51:24 sambarwdc named[57]: using default UDP/IPv6 port range: [32768, 60999]
Dec 20 08:51:24 sambarwdc named[57]: listening on IPv6 interfaces, port 53
Dec 20 08:51:24 sambarwdc named[57]: listening on IPv4 interface lo, 127.0.0.1#53
Dec 20 08:51:24 sambarwdc named[57]: listening on IPv4 interface wlp2s0, 192.168.0.20#53
Dec 20 08:51:24 sambarwdc named[57]: listening on IPv4 interface enxe04f435b270a, 192.168.0.101#53
Dec 20 08:51:24 sambarwdc named[57]: listening on IPv4 interface tap0, 10.75.246.12#53
Dec 20 08:51:24 sambarwdc named[57]: listening on IPv4 interface br-82f9cfdd76ba, 192.168.42.1#53
Dec 20 08:51:24 sambarwdc named[57]: listening on IPv4 interface docker0, 192.168.16.1#53
Dec 20 08:51:24 sambarwdc named[57]: listening on IPv4 interface br-c702a6bc6088, 192.168.48.1#53
Dec 20 08:51:24 sambarwdc named[57]: listening on IPv4 interface br-c7f3d6a6651d, 192.168.43.1#53
Dec 20 08:51:24 sambarwdc named[57]: generating session key for dynamic DNS
Dec 20 08:51:24 sambarwdc named[57]: sizing zone task pool based on 5 zones
Dec 20 08:51:24 sambarwdc named[57]: Loading 'samba4' using driver dlopen
Dec 20 08:51:24 sambarwdc named[57]: samba_dlz: started for DN DC=mondomaine,DC=lan
Dec 20 08:51:24 sambarwdc named[57]: samba_dlz: starting configure
Dec 20 08:51:24 sambarwdc named[57]: samba_dlz: configured writeable zone 'mondomaine.lan'
Dec 20 08:51:24 sambarwdc named[57]: samba_dlz: configured writeable zone '_msdcs.mondomaine.lan'
Dec 20 08:51:24 sambarwdc named[57]: using built-in root key for view _default
Dec 20 08:51:24 sambarwdc named[57]: set up managed keys zone for view _default, file 'managed-keys.bind'
Dec 20 08:51:24 sambarwdc named[57]: configuring command channel from '/etc/bind/rndc.key'
Dec 20 08:51:24 sambarwdc named[57]: command channel listening on 127.0.0.1#953
Dec 20 08:51:24 sambarwdc named[57]: configuring command channel from '/etc/bind/rndc.key'
Dec 20 08:51:24 sambarwdc named[57]: command channel listening on ::1#953
Dec 20 08:51:24 sambarwdc named[57]: managed-keys-zone: journal file is out of date: removing journal file
Dec 20 08:51:24 sambarwdc named[57]: managed-keys-zone: loaded serial 27
Dec 20 08:51:24 sambarwdc named[57]: zone 0.in-addr.arpa/IN: loaded serial 1
Dec 20 08:51:24 sambarwdc named[57]: zone 127.in-addr.arpa/IN: loaded serial 1
Dec 20 08:51:24 sambarwdc named[57]: zone 255.in-addr.arpa/IN: loaded serial 1
Dec 20 08:51:24 sambarwdc named[57]: zone localhost/IN: loaded serial 2
Dec 20 08:51:24 sambarwdc named[57]: all zones loaded
Dec 20 08:51:24 sambarwdc named[57]: running
Make zone transfer requests, one from an authorized IP (127.0.0.1), then one from a non-authorized IP (192.168.0.23). Both are accepted. I added logs to the samba DLZ module to show which functions are called: you can see that only the dlz_allnodes function is called.
Dec 20 08:55:55 sambarwdc named[57]: samba_dlz: called dlz_allnodes
Dec 20 08:55:55 sambarwdc named[57]: client 127.0.0.1#46023 (mondomaine.lan): transfer of 'mondomaine.lan/IN': AXFR started (serial 4327)
Dec 20 08:55:55 sambarwdc named[57]: client 127.0.0.1#46023 (mondomaine.lan): transfer of 'mondomaine.lan/IN': AXFR ended
Dec 20 08:56:58 sambarwdc named[57]: samba_dlz: called dlz_allnodes
Dec 20 08:56:58 sambarwdc named[57]: client 192.168.0.23#39075 (mondomaine.lan): transfer of 'mondomaine.lan/IN': AXFR started (serial 4327)
Dec 20 08:56:58 sambarwdc named[57]: client 192.168.0.23#39075 (mondomaine.lan): transfer of 'mondomaine.lan/IN': AXFR ended
At this point, I did a "service bind9 reload" - from the init.d script, this results in a call to "/usr/sbin/rndc reload".
Dec 20 08:57:10 sambarwdc named[57]: received control channel command 'reload'
Dec 20 08:57:10 sambarwdc named[57]: loading configuration from '/etc/bind/named.conf'
Dec 20 08:57:10 sambarwdc named[57]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Dec 20 08:57:10 sambarwdc named[57]: initializing GeoIP Country (IPv4) (type 1) DB
Dec 20 08:57:10 sambarwdc named[57]: GEO-106FREE 20170512 Bu
Dec 20 08:57:10 sambarwdc named[57]: initializing GeoIP Country (IPv6) (type 12) DB
Dec 20 08:57:10 sambarwdc named[57]: GEO-106FREE 20170512 Bu
Dec 20 08:57:10 sambarwdc named[57]: GeoIP City (IPv4) (type 2) DB not available
Dec 20 08:57:10 sambarwdc named[57]: GeoIP City (IPv4) (type 6) DB not available
Dec 20 08:57:10 sambarwdc named[57]: GeoIP City (IPv6) (type 30) DB not available
Dec 20 08:57:10 sambarwdc named[57]: GeoIP City (IPv6) (type 31) DB not available
Dec 20 08:57:10 sambarwdc named[57]: GeoIP Region (type 3) DB not available
Dec 20 08:57:10 sambarwdc named[57]: GeoIP Region (type 7) DB not available
Dec 20 08:57:10 sambarwdc named[57]: GeoIP ISP (type 4) DB not available
Dec 20 08:57:10 sambarwdc named[57]: GeoIP Org (type 5) DB not available
Dec 20 08:57:10 sambarwdc named[57]: GeoIP AS (type 9) DB not available
Dec 20 08:57:10 sambarwdc named[57]: GeoIP Domain (type 11) DB not available
Dec 20 08:57:10 sambarwdc named[57]: GeoIP NetSpeed (type 10) DB not available
Dec 20 08:57:10 sambarwdc named[57]: using default UDP/IPv4 port range: [32768, 60999]
Dec 20 08:57:10 sambarwdc named[57]: using default UDP/IPv6 port range: [32768, 60999]
Dec 20 08:57:10 sambarwdc named[57]: sizing zone task pool based on 5 zones
Dec 20 08:57:10 sambarwdc named[57]: Loading 'samba4' using driver dlopen
Dec 20 08:57:10 sambarwdc named[57]: samba_dlz: starting configure
Dec 20 08:57:10 sambarwdc named[57]: samba_dlz: Ignoring duplicate zone 'mondomaine.lan' from 'DC=@,DC=mondomaine.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mondomaine,DC=lan'
Dec 20 08:57:10 sambarwdc named[57]: samba_dlz: Ignoring duplicate zone '_msdcs.mondomaine.lan' from 'DC=@,DC=_msdcs.mondomaine.lan,CN=MicrosoftDNS,DC=ForestDnsZones,DC=mondomaine,DC=lan'
Dec 20 08:57:10 sambarwdc named[57]: using built-in root key for view _default
Dec 20 08:57:10 sambarwdc named[57]: configuring command channel from '/etc/bind/rndc.key'
Dec 20 08:57:10 sambarwdc named[57]: configuring command channel from '/etc/bind/rndc.key'
Dec 20 08:57:10 sambarwdc named[57]: zone mondomaine.lan/NONE: (other) removed
Dec 20 08:57:10 sambarwdc named[57]: zone _msdcs.mondomaine.lan/NONE: (other) removed
Dec 20 08:57:10 sambarwdc named[57]: reloading configuration succeeded
Dec 20 08:57:10 sambarwdc named[57]: reloading zones succeeded
Dec 20 08:57:10 sambarwdc named[57]: samba_dlz: shutting down
Dec 20 08:57:10 sambarwdc named[57]: all zones loaded
Dec 20 08:57:10 sambarwdc named[57]: running
Then I performed the same transfer requests from the same IPs. The logs show that this time, the dlz_allowzonexfr function is properly called, and the dlz_allnodes function is called only on success - this is the expected behaviour.
Dec 20 08:57:15 sambarwdc named[57]: samba_dlz: dlz_allowzonexfr called
Dec 20 08:57:15 sambarwdc named[57]: samba_dlz: checking if client is authorized for zone transfer
Dec 20 08:57:15 sambarwdc named[57]: samba_dlz: comparing to 127.0.0.1
Dec 20 08:57:15 sambarwdc named[57]: samba_dlz: accepting IP 127.0.0.1
Dec 20 08:57:15 sambarwdc named[57]: samba_dlz: called dlz_allnodes
Dec 20 08:57:15 sambarwdc named[57]: client 127.0.0.1#47463 (mondomaine.lan): transfer of 'mondomaine.lan/IN': AXFR started (serial 4327)
Dec 20 08:57:15 sambarwdc named[57]: client 127.0.0.1#47463 (mondomaine.lan): transfer of 'mondomaine.lan/IN': AXFR ended
Dec 20 08:57:18 sambarwdc named[57]: samba_dlz: dlz_allowzonexfr called
Dec 20 08:57:18 sambarwdc named[57]: samba_dlz: checking if client is authorized for zone transfer
Dec 20 08:57:18 sambarwdc named[57]: samba_dlz: comparing to 127.0.0.1
Dec 20 08:57:18 sambarwdc named[57]: client 192.168.0.23#49335 (mondomaine.lan): zone transfer 'mondomaine.lan/IN' denied
Possible fixes
I am in the process of looking at the code in Bind related to DLZ module calls, but I haven't found a lead yet.