FreeBSD-14.3 nsupdate krb5 failure (beyond issue 4436)

Petr Špaček pspacek at isc.org
Tue Aug 26 11:24:23 UTC 2025


On 26. 08. 25 12:31, Peter 'PMc' Much wrote:
> Out of recvsoa
> recvgss()
> recvgss creating rcvmsg
> show_message()
> recvmsg reply from GSS-TSIG query
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  41256
> ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;546671530.sig-conr-e.intra.daemon.contact. ANY TKEY
> 
> ;; ANSWER SECTION:
> 546671530.sig-conr-e.intra.daemon.contact. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0  0
> 
> dns_tkey_gssnegotiate: TKEY is unacceptable

TL;DR the _response_ is somehow wrong.

I would add -L99 to the nsupdate command line.

Secondly I would add
KRB5_TRACE=/dev/stderr
to the nsupdate invocation as well, to see what the krb5 library thinks of this.

-- 
Petr Špaček
Internet Systems Consortium