BIND 9.5.0a6 and Windows Server 2003 R2 DDNS updates with GSS-TSIG

Adam Tkac atkac at redhat.com
Fri Aug 31 18:45:18 UTC 2007


David Holder wrote:
> Danny,
> Network trace attached for failure.
>
> This might be obvious but:
> 192.168.100.101 Windows Server 2003 AD DC
> 192.168.100.100 FC7 Client with BIND 9.5
>
> I got exactly the same results using the nsupdate -g and nsupdate -o.
>
> Let me know if you need anything else. I am on holiday for two weeks from
> tomorrow but I will be attempting to pick up email.
>
> Regards,
> David
> ==================================================================
> Dr David Holder CEng FIET MIEEE
> Erion Ltd, Oakleigh, Upper Sutherland Road, Halifax, HX3 8NT
> Reception: +44 (0)1422 207000
> Direct Dial: +44 (0)131 2026317
> Cell: +44 (0) 7768 456831
>
> Registered in England and Wales. Registered Number 3521142
> VAT Number: GB 698 3633 78
>
>
> -----Original Message-----
> From: Danny Mayer [mailto:mayer at gis.net] 
> Sent: 20 August 2007 00:26
> To: David Holder
> Cc: bind-users at isc.org
> Subject: Re: BIND 9.5.0a6 and Windows Server 2003 R2 DDNS updates with
> GSS-TSIG
>
> David Holder wrote:
>> I had a little trouble getting this message onto the list - here it is at
>> last (I hope).
>>
>>> Hi! I am trying to use BIND 9.5's GSS-TSIG functionality to carry out secure
>>> updates to a Windows Server 2003 R2 AD domain controller.
>>>
>>> I am using a few different Linux clients. They are all configured to use the
>>> AD DC as their KDC. This works fine.
>>>
>>> I have built and tested BIND 9.5 with GSSAPI. So far I have not been able to
>>> get it to work with Windows.
>
> It doesn't work yet.
>
>>> Here is an example of the failure messages I get.
>>>
>>> /usr/local/bin/nsupdate -d -g -o
>>>>> update add oak2.active.com 86400 A 192.168.100.100
>>>>> send
>>> Reply from SOA query:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:  53990
>>> ;; flags: qr aa rd ra ; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>>> ;; QUESTION SECTION:
>>> ;oak2.active.com.               IN      SOA
>>>
>>> ;; AUTHORITY SECTION:
>>> active.com.             3600    IN      SOA     w2003r2.active.com. hostmaster. 32 900 600 86400 3600
>>>
>>> ;; ADDITIONAL SECTION:
>>> w2003r2.active.com.     3600    IN      A       192.168.100.101
>>>
>>> Found zone name: active.com
>>> The master is: w2003r2.active.com
>>> start_gssrequest
>>> nsupdate.c:2192: INSIST(result == 0) failed.
>>> Aborted
>>>
>>> If I do a klist I see the following.
>>>
>>> Ticket cache: FILE:/tmp/krb5cc_513
>>> Default principal: administrator at ACTIVE.COM
>>>
>>> Valid starting     Expires            Service principal
>>> 08/08/07 13:06:09  08/08/07 23:07:35  krbtgt/ACTIVE.COM at ACTIVE.COM
>>>         renew until 08/09/07 13:06:09
>>> 08/08/07 13:31:26  08/08/07 23:07:35  DNS/w2003r2.active.com at ACTIVE.COM
>>>         renew until 08/09/07 13:06:09
>>>
>>> I have carried out network traces and found that Windows to Windows dynamic
>>> updates look different from the BIND to Windows dynamic updates.
>
> I wouldn't be surprised.
>
>>> Has anyone tried this before? What information do you need to look at this?
>>> Traces logs configuration info? And is this the correct mailing list for
>>> this problem?
>
> The network traces would be useful. Is this with wireshark?
>
> Danny

It would also be good to attach a backtrace from nsupdate to identify what
exactly fails.

Adam


