
“The DNS Camel”, or, the rise in DNS complexity - pantalaimon
https://blog.powerdns.com/2018/03/22/the-dns-camel-or-the-rise-in-dns-complexit/
======
lostapathy
In my experience, we're already past the point where DNS is too complex.

I worked with a customer who had a postage meter that refused to work
correctly. After _tons_ of troubleshooting, it turned out the issue was that
the postage company had DNAME records in the mix ... and the DNS server on
that network doesn't support DNAME at all. That troublesome DNS server is the
(then, at least) current version of Samba.

I tried contacting the vendor to report the issue and, in typical fashion, I
don't think I even got a ticket escalated to somebody who understood it. We
put the postage meter on a VLAN with different DNS to work around it.

I've also seen major issues with US government websites advertising AAAA
records for websites that aren't actually available on IPv6 - and again, no
way to report/resolve it, we just disabled IPv6 on the workstation we file
those reports from.

Both experiences made me realize how fragile DNS is, how hard it is to get
anything fixed once you do diagnose it, and that a _lot_ of "flakey" tech
probably suffers from DNS issues outside either the vendor or consumer's
control.

~~~
marcosdumay
Samba shouldn't be trying to deal with records it does not understand, and
those AAAA records aren't exactly a DNS issue.

The Internet has become way too complex lately and DNS gets to carry the
burden of gluing everything together. It may be wise to rethink its role, make
it more general, and stack things on top of it, instead of inside.

~~~
lostapathy
Samba isn't "dealing with" them, it's just dropping them because it doesn't
know anything about them.

~~~
marcosdumay
Dropping them is dealing with them. DNS is an opaque key-value registry, you
get a record from upstream, you store it and repeat to everybody that asks.

~~~
amaccuish
The problem is that Samba 4 has to deal with them, since it will look them up
in ldb, and if they're not there, forward them. I guess it doesn't blindly
pass records through that it can't look up in LDAP.

As a side note, although I love AD DNS, MS are so slow to add new record
support. I still can't add SSHFP records to Samba. :(
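
The point marcosdumay and amaccuish are circling (should a DNS server store and hand back records whose type it has no schema for?) is what RFC 3597 settles: RDATA of an unknown type is treated as opaque bytes and carried through unchanged. The following is an added Python example for this thread, not code from Samba, PowerDNS or anyone posting here. It parses a hand-constructed wire-format response for the placeholder name `www.example.test` (a DNAME at `example.test`, the synthesized CNAME, and the final A record, using the documentation address 192.0.2.10) and contrasts a server that only keeps types it knows with one that passes everything through, printing the unknown type in the RFC 3597 `TYPE39 \# len hex` generic form. The `KNOWN_TYPES` table deliberately omits DNAME to mirror the story above; it is an assumption of the example, not a description of Samba's actual schema.

```python
"""Unknown record types in a DNS response: drop them, or carry them opaquely?"""
import struct

TYPE_A, TYPE_CNAME, TYPE_AAAA, TYPE_DNAME = 1, 5, 28, 39
# Types this hypothetical server has a schema for. DNAME is left out on purpose.
KNOWN_TYPES = {TYPE_A: "A", TYPE_CNAME: "CNAME", TYPE_AAAA: "AAAA"}


def _read_name(msg, offset):
    """Decode a domain name at msg[offset], following RFC 1035 compression pointers.
    Returns (name, offset just past the name in the original byte stream)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # two-byte pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                        # resume after the pointer
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)


def parse_response(msg):
    """Return (question name, [(owner, rtype, ttl, rdata_bytes), ...]).
    RDATA is kept as raw bytes regardless of type, as RFC 3597 requires."""
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    offset, qname = 12, None
    for _ in range(qdcount):
        qname, offset = _read_name(msg, offset)
        offset += 4                                     # skip QTYPE and QCLASS
    records = []
    for _ in range(ancount):
        owner, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        records.append((owner, rtype, ttl, msg[offset:offset + rdlen]))
        offset += rdlen
    return qname, records


def to_presentation(rtype, rdata):
    """Presentation form: decode A and CNAME, use RFC 3597 generic syntax otherwise."""
    if rtype == TYPE_A and len(rdata) == 4:
        return "A " + ".".join(str(b) for b in rdata)
    if rtype == TYPE_CNAME:
        return "CNAME " + _read_name(rdata, 0)[0]        # no compression inside RDATA here
    return "TYPE%d \\# %d %s" % (rtype, len(rdata), rdata.hex())


def answer_lines(msg, drop_unknown):
    """What a client sees from a server that either drops or passes through unknown types."""
    _qname, records = parse_response(msg)
    out = []
    for owner, rtype, _ttl, rdata in records:
        if drop_unknown and rtype not in KNOWN_TYPES:
            continue                                    # schema-bound server loses the record here
        out.append(owner + " " + to_presentation(rtype, rdata))
    return out


# --- constructed sample messages (not captured from any real server) ---------------
def _encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _rr(owner, rtype, ttl, rdata):
    return _encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


# Response to "www.example.test A?": DNAME at the parent, synthesized CNAME, final A.
SAMPLE_RESPONSE = (
    struct.pack("!6H", 0x1234, 0x8180, 1, 3, 0, 0)
    + _encode_name("www.example.test.") + struct.pack("!HH", TYPE_A, 1)
    + _rr("example.test.", TYPE_DNAME, 300, _encode_name("alias.test."))
    + _rr("www.example.test.", TYPE_CNAME, 300, _encode_name("www.alias.test."))
    + _rr("www.alias.test.", TYPE_A, 300, bytes([192, 0, 2, 10]))
)

# Same question, one A answer whose owner is a compression pointer to the question name.
SAMPLE_COMPRESSED = (
    struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    + _encode_name("www.example.test.") + struct.pack("!HH", TYPE_A, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    print("schema-bound server:", answer_lines(SAMPLE_RESPONSE, drop_unknown=True))
    print("transparent server: ", answer_lines(SAMPLE_RESPONSE, drop_unknown=False))
```

Run it and the schema-bound variant returns only the CNAME and A lines, while the transparent variant also returns `example.test. TYPE39 \# 12 05616c696173047465737400`, which is exactly the DNAME, just not decoded. A server does not need to understand a type to store it and repeat it, which is the "opaque key-value registry" argument made above; the cost is that it must never apply name compression inside RDATA it does not understand, which is why the parser here copies RDATA byte for byte.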

~~~
gerdesj
You don't have to use the built in DNS server in Samba. You can use BIND -
[https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End](https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End)
and
[https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_o...](https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_of_a_Samba_AD_DC)

~~~
amaccuish
Ye, I find the inbuilt one more reliable, and I've seen a ppt which says
bind_dlz is a horrible hack and they'll stop it at some point. Also that
doesn't affect what record types can be stored and manipulated in AD.

~~~
gerdesj
I've seen a similar thing ("and they'll stop it at some point"). If you need
DNS functionality beyond the Samba implementation then I would suggest having
a separate BIND or PDNS server that all clients point at and that collates the
DNS view that you wish them to have. A GPO will get them to update records on
your Samba DNS and your PDNS or BIND or whatever can do the rest.

~~~
amaccuish
Nice thinking. I'll give that a think, thanks!

------
davidu
This is underrated. Bert is so reasonable, and the DNS is so brittle. Worth
really saying, hey, "who is benefitting" with many of the new proposals.

~~~
marmot777
The proposals seem to be about tapping the brakes. Good idea. It's not good to
leave so many people hopelessly in the dust.

His way of framing the cost/benefit analyses in terms of who bears the costs
and who receives the benefits seems sound. It's not enough for something to
have benefits.

------
EB66
Interesting to see that the BGP WGs take such a different approach. Both DNS
and BGP fill a similar essential role; you'd think that they would develop new
standards in a similar fashion.

------
marmot777
Yes, since things like DNSSEC, DNS has become more complex for sure.

------
clankfan
I feel like tying IPs to a name and tying accounts to real people or to each
other should be handled by the same entity. It could be called identity
services. We need more centralized, simplified and potent identity services.

------
based2
and NetBIOS in the mix

