[Samba] Strange problem with ddns AAAA delete

Nico Speelman nico at speelmanrobben.nl
Wed Jan 8 07:17:33 MST 2014


I encountered the same problems on my Debian Testing machine with Bind
9.8.4 and Samba 4.1.3 for AAAA records. The corresponding PTR and A
records can be deleted through nsupdate, but AAAA records show errors.

See below for my example, nsupdate debug info and bind.log. Domain info
and IPv6 addresses are redacted.

Downgrading to Samba 4.0.11 shows no solution. And the only solution is
to remove the AAAA record through samba-tool.

Best regards,
Nico Speelman

Example:
kinit -k -t "/etc/krb5.dhcpd.keytab" "dns-update at EXAMPLE.COM"
root at zeus:~# nsupdate -g -d << UPDATE
>zone example.com
>update delete test.example.com. AAAA
>send
>UPDATE
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  62502
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; QUESTION SECTION:
;example.com.             IN      SOA

;; ANSWER SECTION:
example.com.      3600    IN      SOA     zeus.example.com. hostmaster at example.com. 71 900 600 86400 0

;; AUTHORITY SECTION:
example.com.      900     IN      NS      zeus.example.com.

;; ADDITIONAL SECTION:
zeus.example.com. 900     IN      A       10.0.0.2
zeus.example.com. 900     IN      AAAA    <redacted>::2

Found zone name: example.com
The master is: zeus.example.com
start_gssrequest
Found realm from ticket: EXAMPLE.COM
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  17277
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;2030484513.sig-zeus.example.com. ANY TKEY

;; ADDITIONAL SECTION:
2030484513.sig-zeus.example.com. 0 ANY TKEY gss-tsig. 1389189213 1389189213 3 NOERROR 1334 YIIFMgYGKwYBBQUCoIIFJjCCBSKgDTALBgkqhkiG9xIBAgKiggUPBIIF C2CCBQcGCSqGSIb3EgECAgEAboIE9jCCBPKgAwIBBaEDAgEOogcDBQAg AAAAo4ID6GGCA+QwggPgoAMCAQWhExsRU1BFRUxNQU5ST0JCRU4uTkyi KDAmoAMCAQGhHzAdGwNETlMbFnpldXMuc3BlZWxtYW5yb2JiZW4ubmyj ggOYMIIDlKADAgEXoQMCAQGiggOGBIIDgmsON8wxoSZg5XB4/DKoReUo yzxLQvrnCqA6IO2EyOQAUT0UotfWTQ0y32pCbvOKKXkAAzgbo/Q1imnF 1KiZaVKzqq6VdO+g+WxssBYVE2SElpU3h3vz9HXvDswSoq9ZyVEla44f dbFCgjvebRPkK/Hn8Sbt05Ji3mwGhEflW1bDo40X/OojBUWYMzKxtkxK hagWP+9h2u8whUV9Law/SONFqSrovasCrxD7qMIHLCFFYD3T7TTqUeKp tpGmIO8hSczqHH1R3gXzWvKOf9EmhQNeuJdF99gHyd+UjXxMqXf14fWQ wVDS/C5l3JYxOyogm19yThHvmlcXl7AdGADUuA5EgvqzgNw4ldZwC4u8 lBqgT+9lSxp1iz8Yub0408CBWY+kDNobJhIJeCMLCsH8aj2McauCgzKh Rm/89h3sbtqy9pDuC6auI/HI6e7uDDaSUOZD7SyjAJVG1xrt3MEAmQJJ uuvJ352EIFT21mpNBxY6WGU11oVvOSsrfaDxR8e5FbIUkbcRuh6yNzza UWn6J5eye4tEZUBThgauwV+YdLNdolOMdqLtCEo5JNfpWGlACsv+fqWE NCpZgtstYITnuqHLp0v5dQBQtCytnOe/LVDdDyEzBTc+KHPfbrDkU+ox zTZPSA4zRGVvscxgYzn7Mifs7xLExdFWgnYUe+pXO/A8tCP4L1kDU8eQ 3mqm1KeOwxAATa10uLY0k0XMtnnnSCVRpgZ4+eB2+JIdZD4OIBRP3JSA 67BgsYTjxCykprs8z3mtaIjvpYHAAwdj//yrsj1UpeZne624DlZlRIHM RZNkQZBF3s7NufUG8FMWJ1TkPXOLH5tGpvP+3JT9/nxFfZ61ffLfVjVk ebK0ZPYYrlp9eq+FynPPMbMBjFucqssys4e3zx7uBbW+CbpKQoy0TOYk GgWDFh2mZVzNNEe0eTsXQjzOHAiC3Ja6icAe7r5QGW0mwfuA4qB4BEIn amo21mxyq9D7IpB0oyk5MUEJ17yF0QLrTuKXMRCuRv902xLaJVgrkeiF 6jiiGixBYs2BdAlBP4x+/Nr9Ui/9TpIqEQZxGaOkfxCih0IyNB0MeDT0 ol6H1G8DpUzfQyub4DDpvrgbuXwPjZ8tcgTNh0jkEfEx7+3sH05OUGbD EGap6R2kRL6nXYbquzvNZX0saGcW3NpFC/2LXfvp53H+I50MOdTSb3+k gfAwge2gAwIBF6KB5QSB4m/deyXULCy2+W8rkGjYDBUTQRAUFybgmghu iE023YkIEbwI1LHxLPlXtmKzRm0yQ1RkGAwnemDQn3mTef9WbkZHvo6K pdGugDRgbcx+9XKLiyYZRG7I1kyvTFmhi+GpF6TQsOt8LlLSW0vM3VSv kgy7CqdMq4qTajRLlmBmhTcNYT6aFI9md0xyP4ShSvX8PehsOXQMjSIW Y1rDXegTsoemF4M2TNk7AzI5Ehse2dMx3FRz9xhGitn/rNQ2mQOEaf45 bytaxzdmm9bdzk6FAf2sDPvOZWW6qorHCOINL+OQI8U= 0

recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  17277
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;2030484513.sig-zeus.example.com. ANY TKEY

;; ANSWER SECTION:
2030484513.sig-zeus.example.com. 0 ANY TKEY gss-tsig. 1389189213 1389192813 3 NOERROR 182 oYGzMIGwoAMKAQChCwYJKoZIhvcSAQICooGbBIGYYIGVBgkqhkiG9xIB AgICAG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRrzZ49asvshhYi FpTrgwhX/iaPE/nwRdYt1IvTKdRn/MmoYK/xraGXrrRNGdzoXUp8e5F2 NZENixex7gML6rYJciVSooVPYq/k62q9tF4KpH/aC98slpC3YGjBA3fb n/vIbR3HrSwlOb9f84I= 0

Sending update to 127.0.0.1#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  12629
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;example.com.             IN      SOA

;; UPDATE SECTION:
test.example.com. 0       ANY     AAAA

;; TSIG PSEUDOSECTION:
2030484513.sig-zeus.example.com. 0 ANY TSIG gss-tsig. 1389189213 300 28 BAQE//////8AAAAAMc13+SF8EK25E+C2EAqzCg== 12629 NOERROR 0 


Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: SERVFAIL, id:  12629
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;example.com.             IN      SOA

;; TSIG PSEUDOSECTION:
2030484513.sig-zeus.example.com. 0 ANY TSIG gss-tsig. 1389189213 300 28 BAQF//////8AAAAADfmtpkMP/Nuloe3Xj3siVA== 12629 NOERROR 0

bind.log excerpt:
08-Jan-2014 14:53:33.364 database: info: samba_dlz: starting transaction on zone example.com
08-Jan-2014 14:53:33.368 database: info: samba_dlz: allowing update of signer=dns-update\@EXAMPLE.COM name=test.example.com tcpaddr=127.0.0.1 type=AAAA key=2030484513.sig-zeus.example.com/160/0
08-Jan-2014 14:53:33.370 database: info: samba_dlz: cancelling transaction on zone example.com



More information about the samba mailing list