nsupdate failure after DNS migration because of capital letters in SOA

steve steve at steve-ss.com
Sat Oct 26 06:41:55 MDT 2013


On Sat, 2013-10-26 at 10:52 +0200, Stefan Rompf wrote:
> Hi,
> 
> after migrating to the internal DNS backend of samba 4.0.9 I have experienced 
> an interesting failure scenario:
> -DNS updates sent by windows boxes are accepted and correctly added to the 
> zone by the samba server
> -DNS updates sent by other samba servers constantly failed
> 
> Google didn't give me any obvious hints but after some debugging I found that 
> the dnsupdate script put the DC hostname into the SOA origin using capital 
> letters (KDC.ads.xxxxxxxx.de). This caused a failure of the nsupdate command 
> that can be reproduced using the following command sequence:
> 
> kinit Administrator
> 
> nsupdate -g -d -D
> > realm ADS.XXXXXXXX.DE
> > zone ads.xxxxxxxx.de
> > update add bla.ads.xxxxxxxx.de 900 IN A 1.2.3.4
> > send
> 
> Excerpt nsupdate's debugging output:
> 
> Reply from SOA query:
> ;; ANSWER SECTION:
> ads.xxxxxxxx.de.	3600	IN	SOA	KDC.ads.xxxxxxxx.de. 
> hostmaster.ads.xxxxxxxx.de. 55 900 600 86400 0
> 
> Found zone name: ads.xxxxxxxx.de
> The master is: KDC.ads.xxxxxxxx.de
> 
> Key query:
> ;; QUESTION SECTION:
> ;1072752670.sig-KDC.ads.xxxxxxxx.de. ANY	TKEY
> 
> Key answer:
> ;; ANSWER SECTION:
> 1072752670.sig-KDC.ads.novensis.de. 0 ANY TKEY  gss-tsig. 1382773007 
> 1382773007 3 NOERROR 182 [key omitted]
> 
> Outgoing update query:
> ;; ZONE SECTION:
> ;ads.xxxxxxxx.de.		IN	SOA
> ;; UPDATE SECTION:
> bla.ads.xxxxxxxx.de.	900	IN	A	1.2.3.4
> ;; TSIG PSEUDOSECTION:
> 1072752670.sig-kdc.ads.xxxxxxxx.de. 0 ANY TSIG	gss-tsig. 1382773007 300 28 
> [key omitted]
> 
> Reply from update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: FORMERR, id:  63759
> 
> As you can see, nsupdate requests sig-KDC, but sends sig-kdc afterwards. This 
> causes the update to fail with FORMERR. klist also shows the hostname of the 
> ticket in capital letters:
> 
> 10/26/13 09:37:57  10/26/13 19:32:03  DNS/KDC.ads.xxxxxxxx.de at ADS.XXXXXXXX.DE
>         renew until 10/27/13 08:30:51
> 
> After changing SOA origin record to lowercase the update works:
> 
> Reply from SOA query:
> ;; ANSWER SECTION:
> ads.xxxxxxxx.de.	3600	IN	SOA	kdc.ads.xxxxxxxx.de. 
> hostmaster.ads.xxxxxxxx.de. 55 900 600 86400 0
> 
> Found zone name: ads.xxxxxxxx.de
> The master is: kdc.ads.xxxxxxxx.de
> 
> Key query:
> ;; QUESTION SECTION:
> ;3353613999.sig-kdc.ads.xxxxxxxx.de. ANY	TKEY
> 
> Key answer:
> ;; ANSWER SECTION:
> 3353613999.sig-kdc.ads.xxxxxxxx.de. 0 ANY TKEY	gss-tsig. 1382773320 
> 1382773320 3 NOERROR 182 [key omitted]
> 
> Outgoing update query:
> ;; ZONE SECTION:
> ;ads.xxxxxxxx.de.		IN	SOA
> ;; UPDATE SECTION:
> bla.ads.xxxxxxxx.de.	900	IN	A	1.2.3.4
> ;; TSIG PSEUDOSECTION:
> 3353613999.sig-kdc.ads.xxxxxxxx.de. 0 ANY TSIG	gss-tsig. 1382773320 300 28 
> [key omitted]
> 
> Reply from update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  20284
> 
> The ticket now uses the lowercase hostname, too:
> 10/26/13 09:43:10  10/26/13 19:32:03  DNS/kdc.ads.novensis.de at ADS.NOVENSIS.DE
>         renew until 10/27/13 08:30:51
> 
> I have not yet checked whether this interaction is a bind bug or why dnsupdate 
> has created a SOA record with capital hostname in the first place. But maybe 
> the information is already useful for somebody.
> 
> Does it make sense that dnsupdate converts the SOA origin to lowercase or 
> warns on capital letters?
> 
> Stefan

Hi
We run sssd on our Linux clients and file servers. This looks after the
dns updates out of the box. Or at least we've not experienced the case
problems you mention. Maybe have a quick look at how sssd does it?
HTH
Steve
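The failure Stefan describes is visible in the nsupdate -d output alone: the SOA MNAME carries uppercase letters, the TKEY negotiation uses that spelling, and the TSIG on the update uses a lowercased copy. The following Python script is an added example for this thread, not code from Samba, BIND or sssd; it parses a constructed, abbreviated copy of the debug excerpt quoted above (same placeholder zone ads.xxxxxxxx.de, same key id 1072752670) and performs the two checks a dnsupdate wrapper could run: warn when the SOA MNAME contains capitals, as Stefan suggests, and report when the TKEY and TSIG key names differ only in case. All function names are my own.

```python
import re

# Constructed sample, abbreviated from the nsupdate -d excerpt quoted in the
# thread: only the lines the checks below look at are kept. Not a live capture.
FAILING_RUN = """\
Reply from SOA query:
;; ANSWER SECTION:
ads.xxxxxxxx.de.\t3600\tIN\tSOA\tKDC.ads.xxxxxxxx.de. hostmaster.ads.xxxxxxxx.de. 55 900 600 86400 0

Found zone name: ads.xxxxxxxx.de
The master is: KDC.ads.xxxxxxxx.de

Key query:
;; QUESTION SECTION:
;1072752670.sig-KDC.ads.xxxxxxxx.de. ANY\tTKEY

Outgoing update query:
;; TSIG PSEUDOSECTION:
1072752670.sig-kdc.ads.xxxxxxxx.de. 0 ANY TSIG\tgss-tsig. 1382773007 300 28 [key omitted]

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: FORMERR, id:  63759
"""

# The same run after the SOA MNAME was changed to lowercase. Constructed by
# rewriting the sample above; it mirrors the second excerpt in the thread.
WORKING_RUN = FAILING_RUN.replace("KDC.", "kdc.").replace("FORMERR", "NOERROR")

SOA_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SOA\s+(\S+)\s+\S+", re.MULTILINE)
TKEY_RE = re.compile(r"^;(\S+)\s+ANY\s+TKEY", re.MULTILINE)
TSIG_RE = re.compile(r"^(\S+)\s+\d+\s+ANY\s+TSIG", re.MULTILINE)
STATUS_RE = re.compile(r"opcode: UPDATE, status: (\w+)")


def soa_mname(debug_output):
    """Return the SOA MNAME (primary master) that nsupdate learned for the zone."""
    m = SOA_RE.search(debug_output)
    return m.group(1) if m else None


def has_uppercase(name):
    """DNS names compare case-insensitively (RFC 4343), but the GSS-TSIG key
    name is built from the MNAME as spelled, so any capital letter is a risk."""
    return name != name.lower()


def tkey_tsig_case_mismatch(debug_output):
    """Return (tkey_name, tsig_name) when the key negotiated via TKEY and the
    key named in the update's TSIG differ only in letter case; None when they
    are identical or when either record is missing from the output."""
    tkey = TKEY_RE.search(debug_output)
    tsig = TSIG_RE.search(debug_output)
    if not (tkey and tsig):
        return None
    negotiated, used = tkey.group(1), tsig.group(1)
    if negotiated != used and negotiated.lower() == used.lower():
        return (negotiated, used)
    return None


def update_status(debug_output):
    """Return the RCODE nsupdate printed for the UPDATE reply, e.g. FORMERR."""
    m = STATUS_RE.search(debug_output)
    return m.group(1) if m else None


def analyse(debug_output):
    """Summarise one nsupdate -d run into the facts that matter for this failure."""
    mname = soa_mname(debug_output)
    return {
        "mname": mname,
        "mname_has_uppercase": bool(mname) and has_uppercase(mname),
        "key_case_mismatch": tkey_tsig_case_mismatch(debug_output),
        "status": update_status(debug_output),
    }


if __name__ == "__main__":
    for label, run in (("failing", FAILING_RUN), ("working", WORKING_RUN)):
        r = analyse(run)
        print(f"{label}: MNAME={r['mname']} uppercase={r['mname_has_uppercase']} "
              f"key mismatch={r['key_case_mismatch']} status={r['status']}")
```

On the failing run the script reports the uppercase MNAME and the sig-KDC / sig-kdc pair next to the FORMERR; on the lowercased run both checks are clean and the status is NOERROR. Feeding it the output of `nsupdate -g -d` from a real server (redirect stderr, which is where nsupdate writes its debug trace) gives the same verdict, and the MNAME check alone is enough to run as a pre-flight warning before the update is attempted.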
