On 26/07/10 16:56, Cory Coager wrote:
> 'nsupdate -g' responds with 'dns_request_getresponse: FORMERR'

Sorry then. I don't know. Personally I can't make nsupdate work at all
with GSSAPI; I get:

    dns_tkey_buildgssquery failed: ran out of space

...before it even tries to talk to the network. I have to use a
home-grown tool (I also don't have access to a win2k8 r2 DNS server to
test against...)
You could try tcpdump/wireshark - figure out whether the issue is the
TKEY negotiation of the GSSAPI context or the TSIG update. In a
successful attempt you should see:

    C: query name=1234-56.xxxxx IN TKEY
       additional name=1234-56.xxxxx ANY TKEY <payload=gssapi>
    S: answer name=1234-56.xxxxx ANY TKEY <payload=gssapi resp.>
    C: update <fields>
       additional name=1234-56.xxxxx ANY TSIG <payload=gssapi mic>
    C: update response
       additional name=1234-56.xxxxx ANY TSIG <payload=gssapi mic>

You might have a look at "klist" just before the attempt (do a "kinit"
to zero out your cached tickets) and afterwards to check that you are
getting the right ticket. As always with Kerberos, DNS and NTP setup are
vital to get this working.
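
The check suggested above (is it the TKEY negotiation or the TSIG-signed update that fails?) can be scripted over the DNS payloads taken from a capture. The following is an added example, not part of the original message or of BIND; the function names, the key name "1234-56.example" and the sample messages are assumptions constructed for illustration.

```python
import struct
TKEY, TSIG, SOA, ANY, IN, QUERY, UPDATE = 249, 250, 6, 255, 1, 0, 5
RCODES = {0: "NOERROR", 1: "FORMERR", 5: "REFUSED", 9: "NOTAUTH"}

def _name(n):  # encode a dotted name as DNS labels
    return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\0"

def build(qr, opcode, rcode, q, answers=(), additional=()):
    # Builds a constructed sample message; q and records are (name, type, class).
    flags = (qr << 15) | (opcode << 11) | rcode
    msg = struct.pack("!6H", 1, flags, 1, len(answers), 0, len(additional))
    msg += _name(q[0]) + struct.pack("!HH", q[1], q[2])
    for n, t, c in (*answers, *additional):
        msg += _name(n) + struct.pack("!HHIH", t, c, 0, 4) + b"\0" * 4  # dummy rdata
    return msg

def _skip_name(m, i):
    while m[i]:
        if m[i] & 0xC0 == 0xC0:  # a compression pointer ends the name
            return i + 2
        i += m[i] + 1
    return i + 1

def summarize(m):
    """Return (is_response, opcode, rcode, RR types seen after the question)."""
    _, flags, qd, an, ns, ar = struct.unpack("!6H", m[:12])
    i, types = 12, set()
    for _ in range(qd):
        i = _skip_name(m, i) + 4
    for _ in range(an + ns + ar):
        i = _skip_name(m, i)
        rtype, _, _, rdlen = struct.unpack("!HHIH", m[i:i + 10])
        types.add(rtype)
        i += 10 + rdlen
    return bool(flags >> 15), (flags >> 11) & 0xF, flags & 0xF, types

def diagnose(packets):
    """Report which phase failed: TKEY negotiation or the TSIG-signed update."""
    tkey_ok = False
    for m in packets:
        resp, opcode, rcode, types = summarize(m)
        if resp and opcode == QUERY:  # server's answer to the TKEY query
            if rcode or TKEY not in types:
                return f"TKEY negotiation failed ({RCODES.get(rcode, rcode)})"
            tkey_ok = True
        elif resp and opcode == UPDATE:  # server's answer to the update
            if rcode:
                return f"update failed ({RCODES.get(rcode, rcode)})"
            return "ok" if tkey_ok and TSIG in types else "update response lacks TSIG"
    return "no update response seen"
```

build() only produces constructed messages for trying diagnose() offline; with a real capture, pass the raw DNS payloads to diagnose() in capture order.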