nsupdate failure after DNS migration because of capital letters in SOA

Matthieu Patou mat at samba.org
Sun Oct 27 12:29:34 MDT 2013


You might want to file a ticket in bugzilla.samba.org so that this issue can be tracked and resolved.

Matthieu
On 10/26/2013 01:52 AM, Stefan Rompf wrote:
> Hi,
>
> after migrating to the internal DNS backend of samba 4.0.9 I have experienced
> an interesting failure scenario:
> -DNS updates sent by windows boxes are accepted and correctly added to the
> zone by the samba server
> -DNS updates sent by other samba servers constantly failed
>
> Google didn't give me any obvious hints but after some debugging I found that
> the dnsupdate script put the DC hostname into the SOA origin using capital
> letters (KDC.ads.xxxxxxxx.de). This caused a failure of the nsupdate command
> that can be reproduced using the following command sequence:
>
> kinit Administrator
>
> nsupdate -g -d -D
>> realm ADS.XXXXXXXX.DE
>> zone ads.xxxxxxxx.de
>> update add bla.ads.xxxxxxxx.de 900 IN A 1.2.3.4
>> send
> Excerpt nsupdate's debugging output:
>
> Reply from SOA query:
> ;; ANSWER SECTION:
> ads.xxxxxxxx.de.	3600	IN	SOA	KDC.ads.xxxxxxxx.de.
> hostmaster.ads.xxxxxxxx.de. 55 900 600 86400 0
>
> Found zone name: ads.xxxxxxxx.de
> The master is: KDC.ads.xxxxxxxx.de
>
> Key query:
> ;; QUESTION SECTION:
> ;1072752670.sig-KDC.ads.xxxxxxxx.de. ANY	TKEY
>
> Key answer:
> ;; ANSWER SECTION:
> 1072752670.sig-KDC.ads.novensis.de. 0 ANY TKEY  gss-tsig. 1382773007
> 1382773007 3 NOERROR 182 [key omitted]
>
> Outgoing update query:
> ;; ZONE SECTION:
> ;ads.xxxxxxxx.de.		IN	SOA
> ;; UPDATE SECTION:
> bla.ads.xxxxxxxx.de.	900	IN	A	1.2.3.4
> ;; TSIG PSEUDOSECTION:
> 1072752670.sig-kdc.ads.xxxxxxxx.de. 0 ANY TSIG	gss-tsig. 1382773007 300 28
> [key omitted]
>
> Reply from update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: FORMERR, id:  63759
>
> As you can see, nsupdate requests sig-KDC, but sends sig-kdc afterwards. This
> causes the update to fail with FORMERR. klist also shows the hostname of the
> ticket in capital letters:
>
> 10/26/13 09:37:57  10/26/13 19:32:03  DNS/KDC.ads.xxxxxxxx.de at ADS.XXXXXXXX.DE
>          renew until 10/27/13 08:30:51
> 	
> After changing SOA origin record to lowercase the update works:
>
> Reply from SOA query:
> ;; ANSWER SECTION:
> ads.xxxxxxxx.de.	3600	IN	SOA	kdc.ads.xxxxxxxx.de.
> hostmaster.ads.xxxxxxxx.de. 55 900 600 86400 0
>
> Found zone name: ads.xxxxxxxx.de
> The master is: kdc.ads.xxxxxxxx.de
>
> Key query:
> ;; QUESTION SECTION:
> ;3353613999.sig-kdc.ads.xxxxxxxx.de. ANY	TKEY
>
> Key answer:
> ;; ANSWER SECTION:
> 3353613999.sig-kdc.ads.xxxxxxxx.de. 0 ANY TKEY	gss-tsig. 1382773320
> 1382773320 3 NOERROR 182 [key omitted]
>
> Outgoing update query:
> ;; ZONE SECTION:
> ;ads.xxxxxxxx.de.		IN	SOA
> ;; UPDATE SECTION:
> bla.ads.xxxxxxxx.de.	900	IN	A	1.2.3.4
> ;; TSIG PSEUDOSECTION:
> 3353613999.sig-kdc.ads.xxxxxxxx.de. 0 ANY TSIG	gss-tsig. 1382773320 300 28
> [key omitted]
>
> Reply from update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  20284
>
> The ticket now uses the lowercase hostname, too:
> 10/26/13 09:43:10  10/26/13 19:32:03  DNS/kdc.ads.novensis.de at ADS.NOVENSIS.DE
>          renew until 10/27/13 08:30:51
>
> I have not yet checked whether this interaction is a bind bug or why dnsupdate
> has created a SOA record with capital hostname in the first place. But maybe
> the information is already useful for somebody.
>
> Does it make sense that dnsupdate converts the SOA origin to lowercase or
> warns on capital letters?
>
> Stefan


-- 
Matthieu Patou
Samba Team
http://samba.org
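
An added example, not part of the original thread and not code from Samba or BIND: a Python check that reads `nsupdate -d` debug output and flags the pattern reported above, namely a SOA origin (MNAME) containing capitals, a GSS-TSIG key name whose case differs between the TKEY query and the TSIG record of the update, and a non-NOERROR update status. The function name `check_nsupdate_debug` and the embedded transcript are constructed for illustration, using the redacted names from the post.

```python
import re

# Constructed sample: nsupdate -d output trimmed to the lines the check reads,
# with the redacted names from the report (SOA record joined onto one line).
SAMPLE_FAIL = """\
Reply from SOA query:
ads.xxxxxxxx.de. 3600 IN SOA KDC.ads.xxxxxxxx.de. hostmaster.ads.xxxxxxxx.de. 55 900 600 86400 0
Key query:
;1072752670.sig-KDC.ads.xxxxxxxx.de. ANY TKEY
Outgoing update query:
1072752670.sig-kdc.ads.xxxxxxxx.de. 0 ANY TSIG gss-tsig. 1382773007 300 28
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: FORMERR, id:  63759
"""

SOA_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SOA\s+(\S+)", re.M)   # captures MNAME
TKEY_RE = re.compile(r"^;(\S+)\s+ANY\s+TKEY", re.M)           # key name asked for
TSIG_RE = re.compile(r"^(\S+)\s+\d+\s+ANY\s+TSIG\b", re.M)    # key name used to sign
STATUS_RE = re.compile(r"opcode: UPDATE, status: (\w+)")


def check_nsupdate_debug(text):
    """Return a list of findings for one nsupdate -d transcript."""
    findings = []
    soa = SOA_RE.search(text)
    if soa and soa.group(1) != soa.group(1).lower():
        findings.append(f"SOA MNAME contains capitals: {soa.group(1)}")
    tkey, tsig = TKEY_RE.search(text), TSIG_RE.search(text)
    if tkey and tsig:
        asked, signed = tkey.group(1), tsig.group(1)
        if asked != signed and asked.lower() == signed.lower():
            findings.append(
                f"TKEY/TSIG key name differs only in case: {asked} vs {signed}")
        elif asked.lower() != signed.lower():
            findings.append(f"TKEY/TSIG key name mismatch: {asked} vs {signed}")
    status = STATUS_RE.search(text)
    if status and status.group(1) != "NOERROR":
        findings.append(f"update rejected: {status.group(1)}")
    return findings


if __name__ == "__main__":
    for finding in check_nsupdate_debug(SAMPLE_FAIL):
        print(finding)
```
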
