GSS-TSIG / nsupdate -g problems

Phil Mayers p.mayers at imperial.ac.uk
Fri Apr 23 14:09:30 UTC 2010


All,

We have an Active Directory environment here, but use bind9 as our DNS 
servers. We have for years delegated out the zones:

_tcp.ic.ac.uk
_udp.ic.ac.uk

...and so forth, and used "allow-update" from the IPs of the AD servers.

We're moving to DNSSEC-sign our zones shortly and I thought I might take 
the opportunity to move to using GSS-TSIG and update-policy, and merge 
these zones back in (and get them signed without the complication of a 
DS record).

However, I can't seem to get even a basic test setup running. I've 
managed to puzzle out the exact syntax required in "named.conf" (yay - 
case-sensitive GSS principal parsing, how helpful) but "nsupdate -g" 
seems to simply not work, telling me:

buildquery error
dns_tkey_buildgssquery failed: ran out of space

...or with more debugging:

setup_system()
reset_system()
user_interaction()
get_next_command()
get_next_command()
get_next_command()
evaluate_update()
update_addordelete()
get_next_command()
start_update()
recvsoa()
About to create rcvmsg
show_message()
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  65231
;; flags: qr aa ra ; QUESTION: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;ic.ac.uk.			IN	SOA

;; ANSWER SECTION:
ic.ac.uk.		86400	IN	SOA	mname.ic.ac.uk. hostmaster.ic.ac.uk. 2006404671 
2700 1800 3600000 86400

;; AUTHORITY SECTION:
ic.ac.uk.		86400	IN	NS	mname.ic.ac.uk.

;; ADDITIONAL SECTION:
mname.ic.ac.uk.	86400	IN	A	192.168.1.1

Found zone name: ic.ac.uk
The master is: mname.ic.ac.uk
start_gssrequest
buildquery error
dns_tkey_buildgssquery failed: ran out of space


I do have an appropriate krb5.conf and indeed the kerberos ticket cache 
lists a valid-looking ticket:

04/23/10 14:45:57  04/24/10 00:45:40  DNS/mname.ic.ac.uk at IC.AC.UK
	renew until 04/24/10 00:45:35, Flags: FRA
	Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
	Addresses: (none)

Does anyone have any suggestions?
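For readers following the setup described in this post, the two named.conf styles being compared are shown below as an added illustration (this is not configuration from the poster or from the BIND project itself). The first fragment is the older arrangement: a delegated sub-zone that accepts updates from fixed source IPs, which any host able to spoof or reach from those addresses can abuse. The second moves the records back into the parent zone and restricts updates with update-policy, so that each AD client may only touch its own name after authenticating via GSS-TSIG. The zone file paths, the 192.0.2.x addresses, and the krb5-self/ms-self grant lines are assumptions chosen for the illustration; the option and rule keywords are BIND's documented ones. Note that the realm and the DNS/ principal in tkey-gssapi-credential must match the Kerberos realm exactly, including case, as the post observes.

```conf
## --- Before: IP-based allow-update on a delegated sub-zone (weak) ---
## Anyone who can send UDP from one of these addresses can rewrite the zone;
## there is no per-client authentication and no per-name restriction.
zone "_tcp.ic.ac.uk" {
    type master;
    file "dynamic/_tcp.ic.ac.uk.db";      # assumed path
    allow-update { 192.0.2.10; 192.0.2.11; };   # assumed AD server addresses
};

## --- After: GSS-TSIG with update-policy on the merged parent zone ---
options {
    ## Service principal named must use to accept GSS-TSIG (TKEY) requests.
    ## Case matters: the realm here must match the Kerberos realm exactly.
    tkey-gssapi-credential "DNS/mname.ic.ac.uk@IC.AC.UK";
    tkey-domain "IC.AC.UK";
};

zone "ic.ac.uk" {
    type master;
    file "dynamic/ic.ac.uk.db";           # assumed path
    update-policy {
        ## host/fqdn@REALM principals may update only the name they own
        grant IC.AC.UK krb5-self * A AAAA;
        ## Windows machine accounts (machine$@REALM) likewise
        grant IC.AC.UK ms-self * A AAAA;
        ## nothing else is granted: SRV records under _tcp/_udp would need
        ## an explicit rule for the AD servers' principals (not shown here)
    };
};
```

The practical difference for a defender is that the second form ties every accepted update to a Kerberos identity that appears in the TSIG/TKEY exchange, so the BIND log records who changed what, and a compromised workstation can only alter its own A/AAAA records rather than the whole zone.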
