In tcpdump I see:
Standard query response, Refused

On 07/26/2010 12:16 PM, Phil Mayers wrote:

On 26/07/10 16:56, Cory Coager wrote:
> 'nsupdate -g' responds with 'dns_request_getresponse: FORMERR'

Sorry then. I don't know. Personally I can't make nsupdate work at all
with GSSAPI; I get:

dns_tkey_buildgssquery failed: ran out of space

...before it even tries to talk to the network. I have to use a
home-grown tool (I also don't have access to a win2k8 r2 DNS server to
test against...)


You could try tcpdump/wireshark - figure out whether the issue is the
TKEY negotiation of the GSSAPI context or the TSIG update. In a
successful attempt you should see:

C: query name=1234-56.xxxxx IN TKEY
    additional name=1234-56.xxxxx ANY TKEY <payload=gssapi>
S: answer name=1234-56.xxxxx ANY TKEY <payload=gssapi resp.>
C: update <fields>
    additional name=1234-56.xxxxx ANY TSIG <payload=gssapi mic>
C: update response
    additional name=1234-56.xxxxx ANY TSIG <payload=gssapi mic>

You might have a look at "klist" just before the attempt (do a "kinit"
to zero out your cached tickets) and afterwards to check that you are
getting the right ticket. As always with Kerberos, DNS and NTP setup are
vital to get this working.
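The check suggested in the thread, telling whether a failing message belongs to the TKEY negotiation or to the TSIG-signed update, can be scripted over raw DNS payload bytes pulled from a capture. This is an added example, not part of the original messages; the function names, the `example` key name and the sample messages are constructed for illustration.

```python
import struct

TKEY, TSIG = 249, 250                      # RR type codes
OPCODES = {0: "QUERY", 5: "UPDATE"}
RCODES = {0: "NOERROR", 1: "FORMERR", 5: "REFUSED", 9: "NOTAUTH"}

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:               # compression pointer ends the name
            return off + 2
        off += 1 + n
        if n == 0:                         # root label ends the name
            return off

def classify(msg):
    """Report which phase of a GSS-TSIG update a raw DNS message belongs to."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, types = 12, []
    for _ in range(qd):                    # question/zone entries: name, type, class
        off = skip_name(msg, off)
        types.append(struct.unpack("!H", msg[off:off + 2])[0])
        off += 4
    for _ in range(an + ns + ar):          # other sections hold full resource records
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    opcode = (flags >> 11) & 0xF
    phase = "update" if opcode == 5 else "tkey" if TKEY in types else "other"
    return {"phase": phase, "side": "S" if flags & 0x8000 else "C",
            "opcode": OPCODES.get(opcode, str(opcode)),
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "tsig": TSIG in types}

# Constructed sample messages (not captured traffic): placeholder key name,
# four zero bytes standing in for the GSSAPI payload or MIC.
KEY = b"\x071234-56\x07example\x00"

def build(flags, qtype, rr_type=None):
    rr = KEY + struct.pack("!HHIH", rr_type, 255, 0, 4) + bytes(4) if rr_type else b""
    head = struct.pack("!6H", 1, flags, 1, 0, 0, 1 if rr_type else 0)
    return head + KEY + struct.pack("!HH", qtype, 1) + rr

TKEY_QUERY = build(0x0000, TKEY, TKEY)     # C: query ... IN TKEY
TKEY_REFUSED = build(0x8005, TKEY)         # S: standard query response, REFUSED
UPDATE_SIGNED = build(0x2800, 6, TSIG)     # C: update (zone entry type SOA) + TSIG
UPDATE_FORMERR = build(0xA801, 6)          # S: update response, FORMERR
```

A response whose opcode is QUERY and that carries no TKEY record is reported as phase `other`, which separates ordinary lookups (such as the SOA query made before an update) from the negotiation itself.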



