nsupdate failure after DNS migration because of capital letters in SOA
Stefan Rompf
stefan at loplof.de
Sat Oct 26 02:52:20 MDT 2013
Hi,
after migrating to the internal DNS backend of samba 4.0.9 I have experienced
an interesting failure scenario:
- DNS updates sent by windows boxes are accepted and correctly added to the
zone by the samba server
- DNS updates sent by other samba servers constantly failed
Google didn't give me any obvious hints but after some debugging I found that
the dnsupdate script put the DC hostname into the SOA origin using capital
letters (KDC.ads.xxxxxxxx.de). This caused a failure of the nsupdate command
that can be reproduced using the following command sequence:
kinit Administrator
nsupdate -g -d -D
> realm ADS.XXXXXXXX.DE
> zone ads.xxxxxxxx.de
> update add bla.ads.xxxxxxxx.de 900 IN A 1.2.3.4
> send
Excerpt of nsupdate's debugging output:
Reply from SOA query:
;; ANSWER SECTION:
ads.xxxxxxxx.de. 3600 IN SOA KDC.ads.xxxxxxxx.de.
hostmaster.ads.xxxxxxxx.de. 55 900 600 86400 0
Found zone name: ads.xxxxxxxx.de
The master is: KDC.ads.xxxxxxxx.de
Key query:
;; QUESTION SECTION:
;1072752670.sig-KDC.ads.xxxxxxxx.de. ANY TKEY
Key answer:
;; ANSWER SECTION:
1072752670.sig-KDC.ads.novensis.de. 0 ANY TKEY gss-tsig. 1382773007
1382773007 3 NOERROR 182 [key omitted]
Outgoing update query:
;; ZONE SECTION:
;ads.xxxxxxxx.de. IN SOA
;; UPDATE SECTION:
bla.ads.xxxxxxxx.de. 900 IN A 1.2.3.4
;; TSIG PSEUDOSECTION:
1072752670.sig-kdc.ads.xxxxxxxx.de. 0 ANY TSIG gss-tsig. 1382773007 300 28
[key omitted]
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: FORMERR, id: 63759
As you can see, nsupdate requests sig-KDC, but sends sig-kdc afterwards. This
causes the update to fail with FORMERR. klist also shows the hostname of the
ticket in capital letters:
10/26/13 09:37:57 10/26/13 19:32:03 DNS/KDC.ads.xxxxxxxx.de at ADS.XXXXXXXX.DE
renew until 10/27/13 08:30:51
After changing the SOA origin record to lowercase the update works:
Reply from SOA query:
;; ANSWER SECTION:
ads.xxxxxxxx.de. 3600 IN SOA kdc.ads.xxxxxxxx.de.
hostmaster.ads.xxxxxxxx.de. 55 900 600 86400 0
Found zone name: ads.xxxxxxxx.de
The master is: kdc.ads.xxxxxxxx.de
Key query:
;; QUESTION SECTION:
;3353613999.sig-kdc.ads.xxxxxxxx.de. ANY TKEY
Key answer:
;; ANSWER SECTION:
3353613999.sig-kdc.ads.xxxxxxxx.de. 0 ANY TKEY gss-tsig. 1382773320
1382773320 3 NOERROR 182 [key omitted]
Outgoing update query:
;; ZONE SECTION:
;ads.xxxxxxxx.de. IN SOA
;; UPDATE SECTION:
bla.ads.xxxxxxxx.de. 900 IN A 1.2.3.4
;; TSIG PSEUDOSECTION:
3353613999.sig-kdc.ads.xxxxxxxx.de. 0 ANY TSIG gss-tsig. 1382773320 300 28
[key omitted]
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 20284
The ticket now uses the lowercase hostname, too:
10/26/13 09:43:10 10/26/13 19:32:03 DNS/kdc.ads.novensis.de at ADS.NOVENSIS.DE
renew until 10/27/13 08:30:51
I have not yet checked whether this interaction is a bind bug or why dnsupdate
has created a SOA record with capital hostname in the first place. But maybe
the information is already useful for somebody.
Does it make sense that dnsupdate converts the SOA origin to lowercase or
warns on capital letters?
Stefan
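Added example (not part of the post above, and not Samba's or BIND's code): a small checker that parses an nsupdate -d transcript like the one quoted, pulls out the SOA MNAME, the TKEY name that was requested and the TSIG key name that was actually sent, and flags the two conditions the post describes: uppercase letters in the SOA origin, and a TKEY/TSIG key name pair that differs only in case. The transcript embedded below is a constructed, shortened copy of the post's output; the regexes assume the one-line record layout shown there.

```python
import re

# Constructed sample modelled on the nsupdate -d output quoted in the post
# (hostnames anonymised the same way; the SOA record is kept on one line).
NSUPDATE_DEBUG = """\
Reply from SOA query:
;; ANSWER SECTION:
ads.xxxxxxxx.de. 3600 IN SOA KDC.ads.xxxxxxxx.de. hostmaster.ads.xxxxxxxx.de. 55 900 600 86400 0
Key query:
;; QUESTION SECTION:
;1072752670.sig-KDC.ads.xxxxxxxx.de. ANY TKEY
Outgoing update query:
;; TSIG PSEUDOSECTION:
1072752670.sig-kdc.ads.xxxxxxxx.de. 0 ANY TSIG gss-tsig. 1382773007 300 28
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: FORMERR, id: 63759
"""

SOA_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SOA\s+(\S+)", re.M)      # MNAME (origin)
TKEY_RE = re.compile(r"^;(\S+)\s+ANY\s+TKEY", re.M)               # key name requested
TSIG_RE = re.compile(r"^(\S+)\s+\d+\s+ANY\s+TSIG\s+gss-tsig\.", re.M)  # key name used
STATUS_RE = re.compile(r"opcode: UPDATE, status: (\w+)", re.M)


def analyse(debug_output):
    """Extract the names involved in the GSS-TSIG exchange and compare them."""
    mname = SOA_RE.search(debug_output).group(1)
    tkey = TKEY_RE.search(debug_output).group(1)
    tsig = TSIG_RE.search(debug_output).group(1)
    status = STATUS_RE.search(debug_output).group(1)
    return {
        "mname": mname,
        "mname_has_uppercase": mname != mname.lower(),
        "tkey_name": tkey,
        "tsig_name": tsig,
        # byte-for-byte different, but identical once case-folded
        "key_name_case_mismatch": tkey != tsig and tkey.lower() == tsig.lower(),
        "update_status": status,
    }


def warnings(debug_output):
    """Human-readable warnings for the two symptoms described in the post."""
    r = analyse(debug_output)
    out = []
    if r["mname_has_uppercase"]:
        out.append(f"SOA MNAME {r['mname']} contains uppercase letters; lowercase it")
    if r["key_name_case_mismatch"]:
        out.append(f"TKEY name {r['tkey_name']} and TSIG name {r['tsig_name']} differ only in case")
    return out


if __name__ == "__main__":
    for w in warnings(NSUPDATE_DEBUG):
        print("WARNING:", w)
```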