DNS update from Linux to Windows DNS Server
Phil Mayers
p.mayers at imperial.ac.uk
Mon Jul 26 16:16:19 UTC 2010
On 26/07/10 16:56, Cory Coager wrote:
> 'nsupdate -g' responds with 'dns_request_getresponse: FORMERR'

Sorry then. I don't know. Personally I can't make nsupdate work at all
with GSSAPI; I get:

  dns_tkey_buildgssquery failed: ran out of space

...before it even tries to talk to the network. I have to use a
home-grown tool (I also don't have access to a win2k8 r2 DNS server to
test against...)

You could try tcpdump/wireshark - figure out whether the issue is the
TKEY negotiation of the GSSAPI context or the TSIG update. In a
successful attempt you should see:

  C: query name=1234-56.xxxxx IN TKEY
     additional name=1234-56.xxxxx ANY TKEY <payload=gssapi>
  S: answer name=1234-56.xxxxx ANY TKEY <payload=gssapi resp.>
  C: update <fields>
     additional name=1234-56.xxxxx ANY TSIG <payload=gssapi mic>
  C: update response
     additional name=1234-56.xxxxx ANY TSIG <payload=gssapi mic>

You might have a look at "klist" just before the attempt (do a "kinit"
to zero out your cached tickets) and afterwards to check that you are
getting the right ticket. As always with kerberos, DNS and NTP setup are
vital to get this working.
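
Added example, not part of the original message: a Python classifier that reads raw DNS messages from a capture and reports which step of the exchange above each one belongs to (TKEY negotiation or TSIG-signed update), its RCODE, and whether the expected TKEY/TSIG record is present. It assumes each input is the bare DNS message (no TCP length prefix); the key name `1234-56.example`, the zone `example.com` and the empty RDATA in the samples are constructed placeholders.

```python
import struct

TKEY, TSIG, QUERY, UPDATE = 249, 250, 0, 5   # RR type codes, then opcodes
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 5: "REFUSED", 9: "NOTAUTH"}

def skip_name(msg, pos):  # offset just past the (possibly compressed) name at pos
    while msg[pos] != 0:
        if msg[pos] & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += 1 + msg[pos]
    return pos + 1

def stage(msg):
    """Classify a raw DNS message: (sender, step, rcode, expected record present)."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    pos, qtypes, sections = 12, [], ([], [], [])   # answer, authority, additional
    for _ in range(qd):                  # question/zone entries: name, type, class
        pos = skip_name(msg, pos)
        qtypes.append(struct.unpack_from("!H", msg, pos)[0])
        pos += 4
    for types, count in zip(sections, (an, ns, ar)):
        for _ in range(count):           # RR: name, type, class, ttl, rdlength, rdata
            pos = skip_name(msg, pos)
            rtype, rdlen = struct.unpack_from("!H6xH", msg, pos)
            types.append(rtype)
            pos += 10 + rdlen
    sender = "S" if flags & 0x8000 else "C"
    opcode, rcode = (flags >> 11) & 0xF, RCODES.get(flags & 0xF, str(flags & 0xF))
    if opcode == QUERY and TKEY in qtypes:   # token: client in additional, server in answer
        return sender, "TKEY", rcode, TKEY in sections[0 if sender == "S" else 2]
    if opcode == UPDATE:                     # signed update carries TSIG in additional
        return sender, "TSIG update", rcode, TSIG in sections[2]
    return sender, "other", rcode, True

# Constructed sample messages: placeholder key name and zone, empty RDATA.
def build(flags, qname, qtype, answer=(), additional=()):
    enc = lambda n: b"".join(bytes([len(p)]) + p.encode() for p in n.split(".")) + b"\0"
    rr = lambda t: enc("1234-56.example") + struct.pack("!HHIH", t, 255, 0, 0)
    head = struct.pack("!6H", 1, flags, 1, len(answer), 0, len(additional))
    return head + enc(qname) + struct.pack("!HH", qtype, 1) + b"".join(map(rr, answer + additional))

SAMPLES = [
    build(0x0000, "1234-56.example", TKEY, additional=(TKEY,)),  # C: TKEY query
    build(0x8001, "1234-56.example", TKEY),                      # S: FORMERR, no TKEY answer
    build(0x2800, "example.com", 6, additional=(TSIG,)),         # C: update with TSIG
    build(0x2800, "example.com", 6),                             # C: update without TSIG
]
if __name__ == "__main__":
    print(*map(stage, SAMPLES), sep="\n")
```

A non-NOERROR RCODE or a `False` in the last field on a "TKEY" message points at the GSSAPI context negotiation; the same on a "TSIG update" message points at the signed update.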