FreeBSD-14.3 nsupdate krb5 failure (beyond issue 4436)
Petr Špaček
pspacek at isc.org
Tue Aug 26 12:02:46 UTC 2025
On 26. 08. 25 13:24, Petr Špaček wrote:
> On 26. 08. 25 12:31, Peter 'PMc' Much wrote:
>> Out of recvsoa
>> recvgss()
>> recvgss creating rcvmsg
>> show_message()
>> recvmsg reply from GSS-TSIG query
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41256
>> ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>> ;; QUESTION SECTION:
>> ;546671530.sig-conr-e.intra.daemon.contact. ANY TKEY
>>
>> ;; ANSWER SECTION:
>> 546671530.sig-conr-e.intra.daemon.contact. 0 ANY TKEY gss-tsig. 0 0 3
>> BADKEY 0 0
>>
>> dns_tkey_gssnegotiate: TKEY is unacceptable
>
> TL;DR the _response_ is somehow wrong.
>
> I would add -L99 to nsupdate command line.
>
> Secondly I would add
> KRB5_TRACE=/dev/stderr
> to nsupdate invocation as well to see what krb5 library thinks of this.

Sorry, it was pointed out to me that I misread the log and that the error
happened on the server side.

I would run `KRB5_TRACE=/dev/stderr named -g -d 99` and check the logs on
that side. Hard to tell if krb5 will spit anything in the log, but it
might be worth a try.

In any case, have you checked the system time? :-)

--
Petr Špaček