<div dir="ltr">Hi,<div>We have checked all the files related to krb and keytab, all files and their permissions are good. But still updates are getting denied. I am attaching the Krb5 Trace output also, please check and let me know.</div><div>tkey-gssapi-credential option also specified in the named.conf, but still updated are denied.<br></div><div><br></div><div><b><u>KRB5_TRACE Output:</u></b><br></div><div><font size="1"><i>[597869] 1724136604.999060: Getting initial credentials for DNS/<a href="mailto:example-master.example.com@EXAMPLE.COM">example-master.example.com@EXAMPLE.COM</a><br>[597869] 1724136605.002377: Sending unauthenticated request<br>[597869] 1724136605.002378: Sending request (194 bytes) to <a href="http://EXAMPLE.COM">EXAMPLE.COM</a><br>[597869] 1724136605.002379: Resolving hostname <a href="http://example.com">example.com</a><br>[597869] 1724136605.002380: Sending initial UDP request to dgram <a href="http://10.1.8.171:88">10.1.8.171:88</a><br>[597869] 1724136605.002381: Received answer (205 bytes) from dgram <a href="http://10.1.8.171:88">10.1.8.171:88</a><br>[597869] 1724136605.002382: Sending DNS URI query for _<a href="http://kerberos.EXAMPLE.COM">kerberos.EXAMPLE.COM</a>.<br>[597869] 1724136605.002383: No URI records found<br>[597869] 1724136605.002384: Sending DNS SRV query for _kerberos-master._<a href="http://udp.EXAMPLE.COM">udp.EXAMPLE.COM</a>.<br>[597869] 1724136605.002385: Sending DNS SRV query for _kerberos-master._<a href="http://tcp.EXAMPLE.COM">tcp.EXAMPLE.COM</a>.<br>[597869] 1724136605.002386: No SRV records found<br>[597869] 1724136605.002387: Response was not from primary KDC<br>[597869] 1724136605.002388: Received error from KDC: -1765328359/Additional pre-authentication required<br>[597869] 1724136605.002391: Preauthenticating using KDC method data<br>[597869] 1724136605.002392: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)<br>[597869] 1724136605.002393: Selected etype info: etype aes256-cts, salt "<a href="http://EXAMPLE.COMDNSexample-master.example.com">EXAMPLE.COMDNSexample-master.example.com</a>", params ""<br>[597869] 1724136605.002394: PKINIT client has no configured identity; giving up<br>[597869] 1724136605.002395: Preauth module pkinit (16) (real) returned: -1765328174/No pkinit_anchors supplied<br>[597869] 1724136610.500899: AS key obtained for encrypted timestamp: aes256-cts/7523<br>[597869] 1724136610.500901: Encrypted timestamp (for 1724136611.194769): plain 301AA011180F32303234303832303036353031315AA105020302F8D1, encrypted 8D719F980037E7626CE2B7B1C8B82E56AD5866596D5041C925C85D032BDA06F6102F5E50952B725E4DA945243897C9F92C13213B136CBBAA<br>[597869] 1724136610.500902: Preauth module encrypted_timestamp (2) (real) returned: 0/Success<br>[597869] 1724136610.500903: Produced preauth for next request: PA-ENC-TIMESTAMP (2)<br>[597869] 1724136610.500904: Sending request (274 bytes) to <a href="http://EXAMPLE.COM">EXAMPLE.COM</a><br>[597869] 1724136610.500905: Resolving hostname <a href="http://example.com">example.com</a><br>[597869] 1724136610.500906: Sending initial UDP request to dgram <a href="http://10.1.8.171:88">10.1.8.171:88</a><br>[597869] 1724136610.500907: Received answer (94 bytes) from dgram <a href="http://10.1.8.171:88">10.1.8.171:88</a><br>[597869] 1724136610.500908: Sending DNS URI query for _<a href="http://kerberos.EXAMPLE.COM">kerberos.EXAMPLE.COM</a>.<br>[597869] 1724136610.500909: No URI records found<br>[597869] 1724136610.500910: Sending DNS SRV query for _kerberos-master._<a href="http://udp.EXAMPLE.COM">udp.EXAMPLE.COM</a>.<br>[597869] 1724136610.500911: Sending DNS SRV query for _kerberos-master._<a href="http://tcp.EXAMPLE.COM">tcp.EXAMPLE.COM</a>.<br>[597869] 1724136610.500912: No SRV records found<br>[597869] 1724136610.500913: Response was not from primary KDC<br>[597869] 1724136610.500914: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP<br>[597869] 1724136610.500915: Request or response is too big for UDP; retrying with TCP<br>[597869] 1724136610.500916: Sending request (274 bytes) to <a href="http://EXAMPLE.COM">EXAMPLE.COM</a> (tcp only)<br>[597869] 1724136610.500917: Resolving hostname <a href="http://example.com">example.com</a><br>[597869] 1724136610.500918: Initiating TCP connection to stream <a href="http://10.1.8.171:88">10.1.8.171:88</a><br>[597869] 1724136610.500919: Sending TCP request to stream <a href="http://10.1.8.171:88">10.1.8.171:88</a><br>[597869] 1724136610.500920: Received answer (1737 bytes) from stream <a href="http://10.1.8.171:88">10.1.8.171:88</a><br>[597869] 1724136610.500921: Terminating TCP connection to stream <a href="http://10.1.8.171:88">10.1.8.171:88</a><br>[597869] 1724136610.500922: Sending DNS URI query for _<a href="http://kerberos.EXAMPLE.COM">kerberos.EXAMPLE.COM</a>.<br>[597869] 1724136610.500923: No URI records found<br>[597869] 1724136610.500924: Sending DNS SRV query for _kerberos-master._<a href="http://tcp.EXAMPLE.COM">tcp.EXAMPLE.COM</a>.<br>[597869] 1724136610.500925: No SRV records found<br>[597869] 1724136610.500926: Response was not from primary KDC<br>[597869] 1724136610.500927: Processing preauth types: PA-ETYPE-INFO2 (19)<br>[597869] 1724136610.500928: Selected etype info: etype aes256-cts, salt "<a href="http://EXAMPLE.COMDNSexample-master.example.com">EXAMPLE.COMDNSexample-master.example.com</a>", params ""<br>[597869] 1724136610.500929: Produced preauth for next request: (empty)<br>[597869] 1724136610.500930: AS key determined by preauth: aes256-cts/7523<br>[597869] 1724136610.500931: Decrypted AS reply; session key is: aes256-cts/9EA3<br>[597869] 1724136610.500932: FAST negotiation: unavailable<br>[597869] 1724136610.500933: Resolving unique ccache of type MEMORY<br>[597869] 1724136610.500934: Initializing MEMORY:ii4Cyzt with default princ DNS/<a href="mailto:example-master.example.com@EXAMPLE.COM">example-master.example.com@EXAMPLE.COM</a><br>[597869] 1724136610.500935: Storing config in MEMORY:ii4Cyzt for krbtgt/<a href="mailto:EXAMPLE.COM@EXAMPLE.COM">EXAMPLE.COM@EXAMPLE.COM</a>: pa_type: 2<br>[597869] 1724136610.500936: Storing DNS/<a href="mailto:example-master.example.com@EXAMPLE.COM">example-master.example.com@EXAMPLE.COM</a> -> krb5_ccache_conf_data/pa_type/krbtgt\/<a href="http://EXAMPLE.COM">EXAMPLE.COM</a>\@EXAMPLE.COM@X-CACHECONF: in MEMORY:ii4Cyzt<br>[597869] 1724136610.500937: Storing DNS/<a href="mailto:example-master.example.com@EXAMPLE.COM">example-master.example.com@EXAMPLE.COM</a> -> krbtgt/<a href="mailto:EXAMPLE.COM@EXAMPLE.COM">EXAMPLE.COM@EXAMPLE.COM</a> in MEMORY:ii4Cy</i></font><br></div><div><font size="1"><i><br></i></font></div><div><font size="1"><i><br></i></font></div><div><font size="1"><i>Thanks,</i></font></div><div><font size="1"><i>Nagesh</i></font></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Aug 8, 2024 at 6:20 PM Petr Špaček <<a href="mailto:pspacek@isc.org">pspacek@isc.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello,<br>
<br>
my first bet is missing tkey-gssapi-credential configuration statement <br>
[1], followed by:<br>
- or incorrect content of keytab,<br>
- some file permission problem related to /etc/krb5.keytab, or /var/tmp, <br>
or /tmp,<br>
- It's Red Hat so a SELinux denial might be a problem as well.<br>
<br>
KRB5_TRACE environment variable might help with debugging, see "man <br>
kerberos" and also check other environment variables and config files <br>
listed there.<br>
<br>
Given that you have a working system I suggest you compare all of the <br>
above to find out what's the difference.<br>
<br>
[1] <br>
<a href="https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-tkey-gssapi-keytab" rel="noreferrer" target="_blank">https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-tkey-gssapi-keytab</a><br>
<br>
Petr Špaček<br>
Internet Systems Consortium<br>
<br>
<br>
On 08. 08. 24 14:23, Nagesh Thati wrote:<br>
> Hello Guys,<br>
> Any help is much appreciated.<br>
> Thanks<br>
> Nagesh<br>
> <br>
> On Tue, Aug 6, 2024 at 7:11 PM Nagesh Thati <<a href="mailto:tcpnagesh@gmail.com" target="_blank">tcpnagesh@gmail.com</a> <br>
> <mailto:<a href="mailto:tcpnagesh@gmail.com" target="_blank">tcpnagesh@gmail.com</a>>> wrote:<br>
> <br>
> Hello BIND Users,<br>
> <br>
> *Issue Description:*<br>
> I'm experiencing an issue with secure Active Directory (AD) updates<br>
> on an AlmaLinux 9 system using ISC BIND. Despite following the<br>
> necessary configurations, I'm receiving error messages indicating<br>
> that the requests from the AD server are not signed and encountering<br>
> GSSAPI-related errors. Notably, the exact build and configurations<br>
> are working without any issues on CentOS 7.<br>
> <br>
> *Environment:*<br>
> - OS: AlmaLinux 9 (using DEFAULT policy for system-wide crypto policies)<br>
> - BIND version: 9.18.28<br>
> - Active Directory: Windows Server [2016]<br>
> <br>
> *Problem:*<br>
> AD updates are being denied. The BIND logs indicate that the<br>
> requests are not signed and show GSSAPI errors related to<br>
> unavailable credentials and missing files.<br>
> <br>
> *Troubleshooting Steps Taken:*<br>
> We tried legacy crypto policy, but it did not work.<br>
> <br>
> *Questions:*<br>
> 1. What could be causing BIND to reject the AD updates as unsigned,<br>
> given that the same configuration works on CentOS 7?<br>
> 2. How can I resolve the GSSAPI errors regarding unavailable<br>
> credentials and missing files?<br>
> 3. Are there any AlmaLinux 9-specific configurations or steps<br>
> required to ensure secure AD updates with BIND?<br>
> 4. Are there any known issues or incompatibilities between ISC BIND<br>
> and AlmaLinux 9 that could be causing this problem?<br>
> <br>
> *Additional Information:*<br>
> - The same configuration is working correctly on CentOS 7 without<br>
> any issues.<br>
> - AlmaLinux 9 is using the DEFAULT policy for system-wide crypto<br>
> policies.<br>
> <br>
> *_Current Setup:_*<br>
> <br>
> *# named -V*<br>
> BIND 9.18.28 (Extended Support Version) <id:><br>
> running on Linux x86_64 5.14.0-427.18.1.el9_4.x86_64 #1 SMP<br>
> PREEMPT_DYNAMIC Tue May 28 06:27:02 EDT 2024<br>
> built by make with '--prefix=/opt/mydir/'<br>
> '--enable-dependency-tracking' '--enable-dnstap'<br>
> '--enable-singletrace' '--enable-querytrace'<br>
> '--disable-auto-validation' '--enable-dnsrps-dl' '--enable-dnsrps'<br>
> '--enable-full-report' '--with-tuning=large' '--enable-fixed-rrset'<br>
> '--with-libidn2' '--with-lmdb' '--with-json-c'<br>
> '--with-jemalloc=detect' '--with-maxminddb=yes' '--enable-largefile'<br>
> compiled by GCC 11.4.1 20231218 (Red Hat 11.4.1-3)<br>
> compiled with OpenSSL version: OpenSSL 3.0.7 1 Nov 2022<br>
> linked to OpenSSL version: OpenSSL 3.0.7 1 Nov 2022<br>
> compiled with libuv version: 1.42.0<br>
> linked to libuv version: 1.42.0<br>
> compiled with libnghttp2 version: 1.43.0<br>
> linked to libnghttp2 version: 1.43.0<br>
> compiled with json-c version: 0.14<br>
> linked to json-c version: 0.14<br>
> compiled with zlib version: 1.2.11<br>
> linked to zlib version: 1.2.11<br>
> linked to maxminddb version: 1.5.2<br>
> compiled with protobuf-c version: 1.3.3<br>
> linked to protobuf-c version: 1.3.3<br>
> threads support is enabled<br>
> DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512<br>
> ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448<br>
> DS algorithms: SHA-1 SHA-256 SHA-384<br>
> HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256<br>
> HMAC-SHA384 HMAC-SHA512<br>
> TKEY mode 2 support (Diffie-Hellman): yes<br>
> TKEY mode 3 support (GSS-API): yes<br>
> <br>
> default paths:<br>
> named configuration: /opt/mydir/etc/named.conf<br>
> rndc configuration: /opt/mydir/etc/rndc.conf<br>
> DNSSEC root key: /opt/mydir/etc/bind.keys<br>
> nsupdate session key: /opt/mydir/var/run/named/session.key<br>
> named PID file: /opt/mydir/var/run/named/named.pid<br>
> named lock file: /opt/mydir/var/run/named/named.lock<br>
> geoip-directory: /usr/share/GeoIP<br>
> *named.conf Snippet:*<br>
> options {<br>
> directory "/";<br>
> allow-query {any;};<br>
> allow-transfer {none;};<br>
> blackhole {none;};<br>
> dnssec-validation yes;<br>
> listen-on-v6 {none;};<br>
> rrset-order {<br>
> order cyclic;<br>
> };<br>
> dump-file "/var/named/log/named_dump.db";<br>
> lame-ttl 0;<br>
> max-ncache-ttl 10800;<br>
> minimal-responses yes;<br>
> pid-file "/var/run/named/named.pid";<br>
> recursion no;<br>
> session-keyfile "/var/run/named/session.key";<br>
> statistics-file "/var/named/log/named.stats";<br>
> tcp-clients 150;<br>
> *tkey-gssapi-keytab "/etc/krb5.keytab";*<br>
> };<br>
> <br>
> *Zone Section in named.conf:*<br>
> zone "_<a href="http://msdcs.example.com" rel="noreferrer" target="_blank">msdcs.example.com</a> <<a href="http://msdcs.example.com" rel="noreferrer" target="_blank">http://msdcs.example.com</a>>" IN {<br>
> type master;<br>
> file "/var/named/zones/masters/db._<a href="http://msdcs.example.com" rel="noreferrer" target="_blank">msdcs.example.com</a><br>
> <<a href="http://msdcs.example.com" rel="noreferrer" target="_blank">http://msdcs.example.com</a>>";<br>
> *update-policy { grant * subdomain _<a href="http://msdcs.example.com" rel="noreferrer" target="_blank">msdcs.example.com</a><br>
> <<a href="http://msdcs.example.com" rel="noreferrer" target="_blank">http://msdcs.example.com</a>>. ANY; };*<br>
> };<br>
> zone "_<a href="http://sites.example.com" rel="noreferrer" target="_blank">sites.example.com</a> <<a href="http://sites.example.com" rel="noreferrer" target="_blank">http://sites.example.com</a>>" IN {<br>
> type master;<br>
> file "/var/named/zones/masters/db._<a href="http://sites.example.com" rel="noreferrer" target="_blank">sites.example.com</a><br>
> <<a href="http://sites.example.com" rel="noreferrer" target="_blank">http://sites.example.com</a>>";<br>
> update-policy { grant * subdomain _<a href="http://sites.example.com" rel="noreferrer" target="_blank">sites.example.com</a><br>
> <<a href="http://sites.example.com" rel="noreferrer" target="_blank">http://sites.example.com</a>>. ANY; };<br>
> };<br>
> zone "_<a href="http://tcp.example.com" rel="noreferrer" target="_blank">tcp.example.com</a> <<a href="http://tcp.example.com" rel="noreferrer" target="_blank">http://tcp.example.com</a>>" IN {<br>
> type master;<br>
> file "/var/named/zones/masters/db._<a href="http://tcp.example.com" rel="noreferrer" target="_blank">tcp.example.com</a><br>
> <<a href="http://tcp.example.com" rel="noreferrer" target="_blank">http://tcp.example.com</a>>";<br>
> update-policy { grant * subdomain _<a href="http://tcp.example.com" rel="noreferrer" target="_blank">tcp.example.com</a><br>
> <<a href="http://tcp.example.com" rel="noreferrer" target="_blank">http://tcp.example.com</a>>. ANY; };<br>
> };<br>
> <br>
> *krb5.conf:*<br>
> # cat krb5.conf<br>
> <br>
> [libdefaults]<br>
> <br>
> default_realm = <a href="http://EXAMPLE.COM" rel="noreferrer" target="_blank">EXAMPLE.COM</a> <<a href="http://EXAMPLE.COM" rel="noreferrer" target="_blank">http://EXAMPLE.COM</a>><br>
> default_tkt_enctypes = aes256-cts<br>
> default_tgs_enctypes = aes256-cts<br>
> dns_lookup_realm = true<br>
> dns_lookup_kdc = true<br>
> ticket_lifetime = 30d<br>
> default_keytab_name = FILE:/etc/krb5.keytab<br>
> <br>
> [realms]<br>
> <a href="http://EXAMPLE.COM" rel="noreferrer" target="_blank">EXAMPLE.COM</a> <<a href="http://EXAMPLE.COM" rel="noreferrer" target="_blank">http://EXAMPLE.COM</a>> = {<br>
> kdc = <a href="http://example.com:88" rel="noreferrer" target="_blank">example.com:88</a> <<a href="http://example.com:88" rel="noreferrer" target="_blank">http://example.com:88</a>><br>
> default_domain = <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> <<a href="http://example.com" rel="noreferrer" target="_blank">http://example.com</a>><br>
> }<br>
> <br>
> <br>
> [domain_realm]<br>
> .<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> <<a href="http://example.com" rel="noreferrer" target="_blank">http://example.com</a>> = <a href="http://EXAMPLE.COM" rel="noreferrer" target="_blank">EXAMPLE.COM</a> <<a href="http://EXAMPLE.COM" rel="noreferrer" target="_blank">http://EXAMPLE.COM</a>><br>
> <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> <<a href="http://example.com" rel="noreferrer" target="_blank">http://example.com</a>> = <a href="http://EXAMPLE.COM" rel="noreferrer" target="_blank">EXAMPLE.COM</a> <<a href="http://EXAMPLE.COM" rel="noreferrer" target="_blank">http://EXAMPLE.COM</a>><br>
> <br>
> *_Specific Error Messages:_*<br>
> *named.log (with debug level 0):*<br>
> update-security: error: client @0x7f01c420f7a8 10.1.10.20#53822:<br>
> update '_<a href="http://tcp.example.com/IN" rel="noreferrer" target="_blank">tcp.example.com/IN</a> <<a href="http://tcp.example.com/IN" rel="noreferrer" target="_blank">http://tcp.example.com/IN</a>>' denied<br>
> update-security: error: client @0x7f01ac0150a8 10.1.10.20#54527:<br>
> update '_<a href="http://sites.example.com/IN" rel="noreferrer" target="_blank">sites.example.com/IN</a> <<a href="http://sites.example.com/IN" rel="noreferrer" target="_blank">http://sites.example.com/IN</a>>' denied<br>
> update-security: error: client @0x7f01ac0150a8 10.1.10.20#54470:<br>
> update '_<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">msdcs.example.com/IN</a> <<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">http://msdcs.example.com/IN</a>>' denied<br>
> update-security: error: client @0x7f01ac0150a8 10.1.10.20#53206:<br>
> update '_<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">msdcs.example.com/IN</a> <<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">http://msdcs.example.com/IN</a>>' denied<br>
> update-security: error: client @0x7f01c420f7a8 10.1.10.20#49853:<br>
> update '_<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">msdcs.example.com/IN</a> <<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">http://msdcs.example.com/IN</a>>' denied<br>
> update-security: error: client @0x7f01c420f7a8 10.1.10.20#59529:<br>
> update '_<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">msdcs.example.com/IN</a> <<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">http://msdcs.example.com/IN</a>>' denied<br>
> update-security: error: client @0x7f01ac0150a8 10.1.10.20#51093:<br>
> update '_<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">msdcs.example.com/IN</a> <<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">http://msdcs.example.com/IN</a>>' denied<br>
> update-security: error: client @0x7f01c420f7a8 10.1.10.20#58128:<br>
> update '_<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">msdcs.example.com/IN</a> <<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">http://msdcs.example.com/IN</a>>' denied<br>
> update-security: error: client @0x7f01ac0150a8 10.1.10.20#59368:<br>
> update '_<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">msdcs.example.com/IN</a> <<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">http://msdcs.example.com/IN</a>>' denied<br>
> update-security: error: client @0x7f01ac0150a8 10.1.10.20#63380:<br>
> update '_<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">msdcs.example.com/IN</a> <<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">http://msdcs.example.com/IN</a>>' denied<br>
> update-security: error: client @0x7f01ac0150a8 10.1.10.20#57248:<br>
> update '_<a href="http://tcp.example.com/IN" rel="noreferrer" target="_blank">tcp.example.com/IN</a> <<a href="http://tcp.example.com/IN" rel="noreferrer" target="_blank">http://tcp.example.com/IN</a>>' denied<br>
> update-security: error: client @0x7f01ac0150a8 10.1.10.20#52530:<br>
> update '_<a href="http://sites.example.com/IN" rel="noreferrer" target="_blank">sites.example.com/IN</a> <<a href="http://sites.example.com/IN" rel="noreferrer" target="_blank">http://sites.example.com/IN</a>>' denied<br>
> update-security: error: client @0x7f01ac0150a8 10.1.10.20#54245:<br>
> update '_<a href="http://tcp.example.com/IN" rel="noreferrer" target="_blank">tcp.example.com/IN</a> <<a href="http://tcp.example.com/IN" rel="noreferrer" target="_blank">http://tcp.example.com/IN</a>>' denied<br>
> update-security: error: client @0x7f01c420f7a8 10.1.10.20#53890:<br>
> update '_<a href="http://sites.example.com/IN" rel="noreferrer" target="_blank">sites.example.com/IN</a> <<a href="http://sites.example.com/IN" rel="noreferrer" target="_blank">http://sites.example.com/IN</a>>' denied<br>
> update-security: error: client @0x7f01ac0150a8 10.1.10.20#49508:<br>
> update '_<a href="http://tcp.example.com/IN" rel="noreferrer" target="_blank">tcp.example.com/IN</a> <<a href="http://tcp.example.com/IN" rel="noreferrer" target="_blank">http://tcp.example.com/IN</a>>' denied<br>
> update-security: error: client @0x7f01ac0150a8 10.1.10.20#56611:<br>
> update '_<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">msdcs.example.com/IN</a> <<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">http://msdcs.example.com/IN</a>>' denied<br>
> update-security: error: client @0x7f01c420f7a8 10.1.10.20#62785:<br>
> update '_<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">msdcs.example.com/IN</a> <<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">http://msdcs.example.com/IN</a>>' denied<br>
> update-security: error: client @0x7f01ac0150a8 10.1.10.20#59729:<br>
> update '_<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">msdcs.example.com/IN</a> <<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">http://msdcs.example.com/IN</a>>' denied<br>
> <br>
> *named.log (with debug level 10):*<br>
> client: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242: UDP request<br>
> client: debug 5: client @0x7f01ac0150a8 10.1.10.20#64242: using view<br>
> '_default'<br>
> security: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242: request<br>
> is not signed<br>
> security: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242:<br>
> recursion not available (recursion not enabled for view)<br>
> update-security: error: client @0x7f01ac0150a8 10.1.10.20#64242:<br>
> update '_<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">msdcs.example.com/IN</a> <<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">http://msdcs.example.com/IN</a>>' denied<br>
> security: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242: reset client<br>
> client: debug 3: clientmgr @0x7f01c4043e40 attach: 6<br>
> client: debug 3: query client=0x7f01c41936c8<br>
> thread=0x7f01c8c22640(<unknown-query>): query_reset<br>
> security: debug 3: client @0x7f01c41936c8 (no-peer): allocate new client<br>
> client: debug 3: client @0x7f01c41936c8 10.1.10.20#58518: TCP request<br>
> client: debug 5: client @0x7f01c41936c8 10.1.10.20#58518: using view<br>
> '_default'<br>
> security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518: request<br>
> is not signed<br>
> security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518:<br>
> recursion not available (recursion not enabled for view)<br>
> client: debug 3: query client=0x7f01c41936c8<br>
> thread=0x7f01c8c22640(<unknown-query>): ns_query_start<br>
> general: debug 3: failed gss_inquire_cred: GSSAPI error: Major = No<br>
> credentials were supplied, or the credentials were unavailable or<br>
> inaccessible, Minor = No Kerberos credentials available (default<br>
> cache: FILE:/tmp/krb5cc_1001).<br>
> general: debug 3: failed gss_accept_sec_context: GSSAPI error: Major<br>
> = Unspecified GSS failure. Minor code may provide more information,<br>
> Minor = No such file or directory (filename:<br>
> /var/tmp/krb5_1001.rcache2).<br>
> general: debug 4: process_gsstkey(): dns_tsigerror_badkey<br>
> security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518<br>
> (568-ms-7.16519-4ead2f01.0e0f8a94-47f4-11ef-b587-0050568f702e):<br>
> reset client<br>
> client: debug 3: query client=0x7f01c41936c8<br>
> thread=0x7f01c8c22640(568-ms-7.16519-4ead2f01.0e0f8a94-47f4-11ef-b587-0050568f702e/TKEY): query_reset<br>
> security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518: freeing<br>
> client<br>
> client: debug 3: query client=0x7f01c41936c8<br>
> thread=0x7f01c8c22640(<unknown-query>): query_reset<br>
> client: debug 3: clientmgr @0x7f01c4043e40 detach: 5<br>
> <br>
> client: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577: UDP request<br>
> client: debug 5: client @0x7f01c420f7a8 10.1.10.20#58577: using view<br>
> '_default'<br>
> security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577: request<br>
> is not signed<br>
> security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577:<br>
> recursion not available (recursion not enabled for view)<br>
> client: debug 3: query client=0x7f01c420f7a8<br>
> thread=0x7f01c8c22640(<unknown-query>): ns_query_start<br>
> client: debug 3: query client=0x7f01c420f7a8<br>
> thread=0x7f01c8c22640(<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">nameserver.example.com/A</a><br>
> <<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">http://nameserver.example.com/A</a>>): qctx_init<br>
> client: debug 3: query client=0x7f01c420f7a8<br>
> thread=0x7f01c8c22640(<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">nameserver.example.com/A</a><br>
> <<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">http://nameserver.example.com/A</a>>): client attr:0x20000, query<br>
> attr:0xF00, restarts:0, origqname:<a href="http://nameserver.example.com" rel="noreferrer" target="_blank">nameserver.example.com</a><br>
> <<a href="http://nameserver.example.com" rel="noreferrer" target="_blank">http://nameserver.example.com</a>>, timer:0, authdb:0, referral:0<br>
> client: debug 3: query client=0x7f01c420f7a8<br>
> thread=0x7f01c8c22640(<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">nameserver.example.com/A</a><br>
> <<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">http://nameserver.example.com/A</a>>): ns__query_start<br>
> security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577<br>
> (<a href="http://nameserver.example.com" rel="noreferrer" target="_blank">nameserver.example.com</a> <<a href="http://nameserver.example.com" rel="noreferrer" target="_blank">http://nameserver.example.com</a>>): query<br>
> '<a href="http://nameserver.example.com/A/IN" rel="noreferrer" target="_blank">nameserver.example.com/A/IN</a> <<a href="http://nameserver.example.com/A/IN" rel="noreferrer" target="_blank">http://nameserver.example.com/A/IN</a>>'<br>
> approved<br>
> client: debug 3: query client=0x7f01c420f7a8<br>
> thread=0x7f01c8c22640(<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">nameserver.example.com/A</a><br>
> <<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">http://nameserver.example.com/A</a>>): query_lookup<br>
> client: debug 3: query client=0x7f01c420f7a8<br>
> thread=0x7f01c8c22640(<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">nameserver.example.com/A</a><br>
> <<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">http://nameserver.example.com/A</a>>): query_gotanswer<br>
> client: debug 3: query client=0x7f01c420f7a8<br>
> thread=0x7f01c8c22640(<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">nameserver.example.com/A</a><br>
> <<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">http://nameserver.example.com/A</a>>): query_checkrpz<br>
> client: debug 3: query client=0x7f01c420f7a8<br>
> thread=0x7f01c8c22640(<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">nameserver.example.com/A</a><br>
> <<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">http://nameserver.example.com/A</a>>): rpz_rewrite<br>
> client: debug 3: query client=0x7f01c420f7a8<br>
> thread=0x7f01c8c22640(<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">nameserver.example.com/A</a><br>
> <<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">http://nameserver.example.com/A</a>>): query_prepresponse<br>
> client: debug 3: query client=0x7f01c420f7a8<br>
> thread=0x7f01c8c22640(<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">nameserver.example.com/A</a><br>
> <<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">http://nameserver.example.com/A</a>>): query_zerottl_refetch<br>
> client: debug 3: query client=0x7f01c420f7a8<br>
> thread=0x7f01c8c22640(<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">nameserver.example.com/A</a><br>
> <<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">http://nameserver.example.com/A</a>>): query_respond<br>
> client: debug 3: query client=0x7f01c420f7a8<br>
> thread=0x7f01c8c22640(<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">nameserver.example.com/A</a><br>
> <<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">http://nameserver.example.com/A</a>>): query_getexpire<br>
> client: debug 3: query client=0x7f01c420f7a8<br>
> thread=0x7f01c8c22640(<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">nameserver.example.com/A</a><br>
> <<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">http://nameserver.example.com/A</a>>): query_addanswer<br>
> client: debug 3: query client=0x7f01c420f7a8<br>
> thread=0x7f01c8c22640(<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">nameserver.example.com/A</a><br>
> <<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">http://nameserver.example.com/A</a>>): query_addrrset<br>
> client: debug 3: query client=0x7f01c420f7a8<br>
> thread=0x7f01c8c22640(<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">nameserver.example.com/A</a><br>
> <<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">http://nameserver.example.com/A</a>>): query_setorder<br>
> client: debug 3: query client=0x7f01c420f7a8<br>
> thread=0x7f01c8c22640(<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">nameserver.example.com/A</a><br>
> <<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">http://nameserver.example.com/A</a>>): query_additional<br>
> client: debug 3: query client=0x7f01c420f7a8<br>
> thread=0x7f01c8c22640(<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">nameserver.example.com/A</a><br>
> <<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">http://nameserver.example.com/A</a>>): query_addrrset: done<br>
> client: debug 3: query client=0x7f01c420f7a8<br>
> thread=0x7f01c8c22640(<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">nameserver.example.com/A</a><br>
> <<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">http://nameserver.example.com/A</a>>): query_addnoqnameproof<br>
> client: debug 3: query client=0x7f01c420f7a8<br>
> thread=0x7f01c8c22640(<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">nameserver.example.com/A</a><br>
> <<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">http://nameserver.example.com/A</a>>): query_addauth<br>
> client: debug 3: query client=0x7f01c420f7a8<br>
> thread=0x7f01c8c22640(<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">nameserver.example.com/A</a><br>
> <<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">http://nameserver.example.com/A</a>>): ns_query_done<br>
> security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577<br>
> (<a href="http://nameserver.example.com" rel="noreferrer" target="_blank">nameserver.example.com</a> <<a href="http://nameserver.example.com" rel="noreferrer" target="_blank">http://nameserver.example.com</a>>): reset client<br>
> client: debug 3: query client=0x7f01c420f7a8<br>
> thread=0x7f01c8c22640(<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">nameserver.example.com/A</a><br>
> <<a href="http://nameserver.example.com/A" rel="noreferrer" target="_blank">http://nameserver.example.com/A</a>>): query_reset<br>
> client: debug 3: client @0x7f01c420f7a8 10.1.10.20#62785: UDP request<br>
> client: debug 5: client @0x7f01c420f7a8 10.1.10.20#62785: using view<br>
> '_default'<br>
> security: debug 3: client @0x7f01c420f7a8 10.1.10.20#62785: request<br>
> is not signed<br>
> security: debug 3: client @0x7f01c420f7a8 10.1.10.20#62785:<br>
> recursion not available (recursion not enabled for view)<br>
> update-security: error: client @0x7f01c420f7a8 10.1.10.20#62785:<br>
> update '_<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">msdcs.example.com/IN</a> <<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">http://msdcs.example.com/IN</a>>' denied<br>
> security: debug 3: client @0x7f01c420f7a8 10.1.10.20#62785: reset client<br>
> client: debug 3: clientmgr @0x7f01c4055fc0 attach: 6<br>
> client: debug 3: query client=0x7f01ac0eca18<br>
> thread=0x7f01c3fff640(<unknown-query>): query_reset<br>
> security: debug 3: client @0x7f01ac0eca18 (no-peer): allocate new client<br>
> client: debug 3: client @0x7f01ac0eca18 10.1.10.20#58172: TCP request<br>
> client: debug 5: client @0x7f01ac0eca18 10.1.10.20#58172: using view<br>
> '_default'<br>
> security: debug 3: client @0x7f01ac0eca18 10.1.10.20#58172: request<br>
> is not signed<br>
> security: debug 3: client @0x7f01ac0eca18 10.1.10.20#58172:<br>
> recursion not available (recursion not enabled for view)<br>
> client: debug 3: query client=0x7f01ac0eca18<br>
> thread=0x7f01c3fff640(<unknown-query>): ns_query_start<br>
> general: debug 3: failed gss_inquire_cred: GSSAPI error: Major = No<br>
> credentials were supplied, or the credentials were unavailable or<br>
> inaccessible, Minor = No Kerberos credentials available (default<br>
> cache: FILE:/tmp/krb5cc_1001).<br>
> general: debug 3: failed gss_accept_sec_context: GSSAPI error: Major<br>
> = Unspecified GSS failure. Minor code may provide more information,<br>
> Minor = No such file or directory (filename:<br>
> /var/tmp/krb5_1001.rcache2).<br>
> general: debug 4: process_gsstkey(): dns_tsigerror_badkey<br>
> security: debug 3: client @0x7f01ac0eca18 10.1.10.20#58172<br>
> (568-ms-7.16520-4ead2f11.0e0f8a94-47f4-11ef-b587-0050568f702e):<br>
> reset client<br>
> client: debug 3: query client=0x7f01ac0eca18<br>
> thread=0x7f01c3fff640(568-ms-7.16520-4ead2f11.0e0f8a94-47f4-11ef-b587-0050568f702e/TKEY): query_reset<br>
> <br>
> Any insights, suggestions, or further troubleshooting steps to<br>
> resolve this issue would be greatly appreciated. Thank you in<br>
> advance for your assistance.<br>
> <br>
> Thanks<br>
> <br>
> Nagesh<br>
> <br>
> <br>
<br>
-- <br>
Petr Špaček<br>
<br>
</blockquote></div>