<div dir="ltr">Thank you all for your assistance. <div>The issue has finally been resolved. It turns out I was running BIND in a chroot jail, and the /var/tmp folder was missing within the chroot environment. This was the cause of the AD update denials.  <br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Aug 20, 2024 at 3:27 PM Petr Špaček <<a href="mailto:pspacek@isc.org">pspacek@isc.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Nagesh,<br>
<br>
it's unclear what exactly the log is about. Is that the first start of the <br>
server? (I guess so.) Or the client's attempt?<br>
<br>
You have mentioned that you have two systems, one working and the other one <br>
failing. I suggest you gather logs from both and compare them line by <br>
line to find the difference.<br>
<br>
Petr Špaček<br>
Internet Systems Consortium<br>
<br>
<br>
On 20. 08. 24 11:18, Nagesh Thati wrote:<br>
> Hi,<br>
> We have checked all the files related to krb and keytab, all files and <br>
> their permissions are good. But still updates are getting denied. I am <br>
> attaching the Krb5 Trace output also, please check and let me know.<br>
> tkey-gssapi-credential option is also specified in the named.conf, but <br>
> still updates are denied.<br>
> <br>
> *_KRB5_TRACE Output:_*<br>
> /[597869] 1724136604.999060: Getting initial credentials for <br>
> DNS/example-master.example.com@EXAMPLE.COM<br>
> [597869] 1724136605.002377: Sending unauthenticated request<br>
> [597869] 1724136605.002378: Sending request (194 bytes) to EXAMPLE.COM<br>
> [597869] 1724136605.002379: Resolving hostname example.com<br>
> [597869] 1724136605.002380: Sending initial UDP request to dgram <br>
> 10.1.8.171:88<br>
> [597869] 1724136605.002381: Received answer (205 bytes) from dgram <br>
> 10.1.8.171:88<br>
> [597869] 1724136605.002382: Sending DNS URI query for <br>
> _kerberos.EXAMPLE.COM.<br>
> [597869] 1724136605.002383: No URI records found<br>
> [597869] 1724136605.002384: Sending DNS SRV query for <br>
> _kerberos-master._udp.EXAMPLE.COM.<br>
> [597869] 1724136605.002385: Sending DNS SRV query for <br>
> _kerberos-master._tcp.EXAMPLE.COM.<br>
> [597869] 1724136605.002386: No SRV records found<br>
> [597869] 1724136605.002387: Response was not from primary KDC<br>
> [597869] 1724136605.002388: Received error from KDC: <br>
> -1765328359/Additional pre-authentication required<br>
> [597869] 1724136605.002391: Preauthenticating using KDC method data<br>
> [597869] 1724136605.002392: Processing preauth types: PA-PK-AS-REQ (16), <br>
> PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)<br>
> [597869] 1724136605.002393: Selected etype info: etype aes256-cts, salt <br>
> "EXAMPLE.COMDNSexample-master.example.com", params ""<br>
> [597869] 1724136605.002394: PKINIT client has no configured identity; <br>
> giving up<br>
> [597869] 1724136605.002395: Preauth module pkinit (16) (real) returned: <br>
> -1765328174/No pkinit_anchors supplied<br>
> [597869] 1724136610.500899: AS key obtained for encrypted timestamp: <br>
> aes256-cts/7523<br>
> [597869] 1724136610.500901: Encrypted timestamp (for 1724136611.194769): <br>
> plain 301AA011180F32303234303832303036353031315AA105020302F8D1, <br>
> encrypted <br>
> 8D719F980037E7626CE2B7B1C8B82E56AD5866596D5041C925C85D032BDA06F6102F5E50952B725E4DA945243897C9F92C13213B136CBBAA<br>
> [597869] 1724136610.500902: Preauth module encrypted_timestamp (2) <br>
> (real) returned: 0/Success<br>
> [597869] 1724136610.500903: Produced preauth for next request: <br>
> PA-ENC-TIMESTAMP (2)<br>
> [597869] 1724136610.500904: Sending request (274 bytes) to EXAMPLE.COM<br>
> [597869] 1724136610.500905: Resolving hostname example.com<br>
> [597869] 1724136610.500906: Sending initial UDP request to dgram <br>
> 10.1.8.171:88<br>
> [597869] 1724136610.500907: Received answer (94 bytes) from dgram <br>
> 10.1.8.171:88<br>
> [597869] 1724136610.500908: Sending DNS URI query for <br>
> _kerberos.EXAMPLE.COM.<br>
> [597869] 1724136610.500909: No URI records found<br>
> [597869] 1724136610.500910: Sending DNS SRV query for <br>
> _kerberos-master._udp.EXAMPLE.COM.<br>
> [597869] 1724136610.500911: Sending DNS SRV query for <br>
> _kerberos-master._tcp.EXAMPLE.COM.<br>
> [597869] 1724136610.500912: No SRV records found<br>
> [597869] 1724136610.500913: Response was not from primary KDC<br>
> [597869] 1724136610.500914: Received error from KDC: <br>
> -1765328332/Response too big for UDP, retry with TCP<br>
> [597869] 1724136610.500915: Request or response is too big for UDP; <br>
> retrying with TCP<br>
> [597869] 1724136610.500916: Sending request (274 bytes) to EXAMPLE.COM (tcp only)<br>
> [597869] 1724136610.500917: Resolving hostname example.com<br>
> [597869] 1724136610.500918: Initiating TCP connection to stream <br>
> 10.1.8.171:88<br>
> [597869] 1724136610.500919: Sending TCP request to stream 10.1.8.171:88<br>
> [597869] 1724136610.500920: Received answer (1737 bytes) from stream <br>
> 10.1.8.171:88<br>
> [597869] 1724136610.500921: Terminating TCP connection to stream <br>
> 10.1.8.171:88<br>
> [597869] 1724136610.500922: Sending DNS URI query for <br>
> _kerberos.EXAMPLE.COM.<br>
> [597869] 1724136610.500923: No URI records found<br>
> [597869] 1724136610.500924: Sending DNS SRV query for <br>
> _kerberos-master._tcp.EXAMPLE.COM.<br>
> [597869] 1724136610.500925: No SRV records found<br>
> [597869] 1724136610.500926: Response was not from primary KDC<br>
> [597869] 1724136610.500927: Processing preauth types: PA-ETYPE-INFO2 (19)<br>
> [597869] 1724136610.500928: Selected etype info: etype aes256-cts, salt <br>
> "EXAMPLE.COMDNSexample-master.example.com", params ""<br>
> [597869] 1724136610.500929: Produced preauth for next request: (empty)<br>
> [597869] 1724136610.500930: AS key determined by preauth: aes256-cts/7523<br>
> [597869] 1724136610.500931: Decrypted AS reply; session key is: <br>
> aes256-cts/9EA3<br>
> [597869] 1724136610.500932: FAST negotiation: unavailable<br>
> [597869] 1724136610.500933: Resolving unique ccache of type MEMORY<br>
> [597869] 1724136610.500934: Initializing MEMORY:ii4Cyzt with default <br>
> princ DNS/example-master.example.com@EXAMPLE.COM<br>
> [597869] 1724136610.500935: Storing config in MEMORY:ii4Cyzt for <br>
> krbtgt/EXAMPLE.COM@EXAMPLE.COM: pa_type: 2<br>
> [597869] 1724136610.500936: Storing <br>
> DNS/example-master.example.com@EXAMPLE.COM -> <br>
> krb5_ccache_conf_data/pa_type/krbtgt\/EXAMPLE.COM\@EXAMPLE.COM@X-CACHECONF: in MEMORY:ii4Cyzt<br>
> [597869] 1724136610.500937: Storing <br>
> DNS/example-master.example.com@EXAMPLE.COM -> <br>
> krbtgt/EXAMPLE.COM@EXAMPLE.COM in <br>
> MEMORY:ii4Cy/<br>
> <br>
> /Thanks,/<br>
> /Nagesh/<br>
> <br>
> On Thu, Aug 8, 2024 at 6:20 PM Petr Špaček <<a href="mailto:pspacek@isc.org" target="_blank">pspacek@isc.org</a>> wrote:<br>
> <br>
>     Hello,<br>
> <br>
>     my first bet is missing tkey-gssapi-credential configuration statement<br>
>     [1], followed by:<br>
>     - or incorrect content of keytab,<br>
>     - some file permission problem related to /etc/krb5.keytab, or /var/tmp, or /tmp,<br>
>     - It's Red Hat so a SELinux denial might be a problem as well.<br>
> <br>
>     KRB5_TRACE environment variable might help with debugging, see "man<br>
>     kerberos" and also check other environment variables and config files<br>
>     listed there.<br>
> <br>
>     Given that you have a working system I suggest you compare all of the<br>
>     above to find out what's the difference.<br>
> <br>
>     [1]<br>
>     <a href="https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-tkey-gssapi-keytab" rel="noreferrer" target="_blank">https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-tkey-gssapi-keytab</a><br>
> <br>
>     Petr Špaček<br>
>     Internet Systems Consortium<br>
> <br>
> <br>
>     On 08. 08. 24 14:23, Nagesh Thati wrote:<br>
>      > Hello Guys,<br>
>      > Any help is much appreciated.<br>
>      > Thanks<br>
>      > Nagesh<br>
>      ><br>
>      > On Tue, Aug 6, 2024 at 7:11 PM Nagesh Thati <<a href="mailto:tcpnagesh@gmail.com" target="_blank">tcpnagesh@gmail.com</a>> wrote:<br>
>      ><br>
>      >     Hello BIND Users,<br>
>      ><br>
>      >     *Issue Description:*<br>
>      >     I'm experiencing an issue with secure Active Directory (AD) updates<br>
>      >     on an AlmaLinux 9 system using ISC BIND. Despite following the<br>
>      >     necessary configurations, I'm receiving error messages indicating<br>
>      >     that the requests from the AD server are not signed and encountering<br>
>      >     GSSAPI-related errors. Notably, the exact build and configurations<br>
>      >     are working without any issues on CentOS 7.<br>
>      ><br>
>      >     *Environment:*<br>
>      >     - OS: AlmaLinux 9 (using DEFAULT policy for system-wide crypto policies)<br>
>      >     - BIND version: 9.18.28<br>
>      >     - Active Directory: Windows Server [2016]<br>
>      ><br>
>      >     *Problem:*<br>
>      >     AD updates are being denied. The BIND logs indicate that the<br>
>      >     requests are not signed and show GSSAPI errors related to<br>
>      >     unavailable credentials and missing files.<br>
>      ><br>
>      >     *Troubleshooting Steps Taken:*<br>
>      >     We tried legacy crypto policy, but it did not work.<br>
>      ><br>
>      >     *Questions:*<br>
>      >     1. What could be causing BIND to reject the AD updates as unsigned,<br>
>      >     given that the same configuration works on CentOS 7?<br>
>      >     2. How can I resolve the GSSAPI errors regarding unavailable<br>
>      >     credentials and missing files?<br>
>      >     3. Are there any AlmaLinux 9-specific configurations or steps<br>
>      >     required to ensure secure AD updates with BIND?<br>
>      >     4. Are there any known issues or incompatibilities between ISC BIND<br>
>      >     and AlmaLinux 9 that could be causing this problem?<br>
>      ><br>
>      >     *Additional Information:*<br>
>      >     - The same configuration is working correctly on CentOS 7 without<br>
>      >     any issues.<br>
>      >     - AlmaLinux 9 is using the DEFAULT policy for system-wide crypto<br>
>      >     policies.<br>
>      ><br>
>      >     *_Current Setup:_*<br>
>      ><br>
>      >     *# named -V*<br>
>      >     BIND 9.18.28 (Extended Support Version) <id:><br>
>      >     running on Linux x86_64 5.14.0-427.18.1.el9_4.x86_64 #1 SMP<br>
>      >     PREEMPT_DYNAMIC Tue May 28 06:27:02 EDT 2024<br>
>      >     built by make with  '--prefix=/opt/mydir/'<br>
>      >     '--enable-dependency-tracking' '--enable-dnstap'<br>
>      >     '--enable-singletrace' '--enable-querytrace'<br>
>      >     '--disable-auto-validation' '--enable-dnsrps-dl' '--enable-dnsrps'<br>
>      >     '--enable-full-report' '--with-tuning=large' '--enable-fixed-rrset'<br>
>      >     '--with-libidn2' '--with-lmdb' '--with-json-c'<br>
>      >     '--with-jemalloc=detect' '--with-maxminddb=yes' '--enable-largefile'<br>
>      >     compiled by GCC 11.4.1 20231218 (Red Hat 11.4.1-3)<br>
>      >     compiled with OpenSSL version: OpenSSL 3.0.7 1 Nov 2022<br>
>      >     linked to OpenSSL version: OpenSSL 3.0.7 1 Nov 2022<br>
>      >     compiled with libuv version: 1.42.0<br>
>      >     linked to libuv version: 1.42.0<br>
>      >     compiled with libnghttp2 version: 1.43.0<br>
>      >     linked to libnghttp2 version: 1.43.0<br>
>      >     compiled with json-c version: 0.14<br>
>      >     linked to json-c version: 0.14<br>
>      >     compiled with zlib version: 1.2.11<br>
>      >     linked to zlib version: 1.2.11<br>
>      >     linked to maxminddb version: 1.5.2<br>
>      >     compiled with protobuf-c version: 1.3.3<br>
>      >     linked to protobuf-c version: 1.3.3<br>
>      >     threads support is enabled<br>
>      >     DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512<br>
>      >     ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448<br>
>      >     DS algorithms: SHA-1 SHA-256 SHA-384<br>
>      >     HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256<br>
>      >     HMAC-SHA384 HMAC-SHA512<br>
>      >     TKEY mode 2 support (Diffie-Hellman): yes<br>
>      >     TKEY mode 3 support (GSS-API): yes<br>
>      ><br>
>      >     default paths:<br>
>      >        named configuration:  /opt/mydir/etc/named.conf<br>
>      >        rndc configuration:   /opt/mydir/etc/rndc.conf<br>
>      >        DNSSEC root key:      /opt/mydir/etc/bind.keys<br>
>      >        nsupdate session key: /opt/mydir/var/run/named/session.key<br>
>      >        named PID file:       /opt/mydir/var/run/named/named.pid<br>
>      >        named lock file:      /opt/mydir/var/run/named/named.lock<br>
>      >        geoip-directory:      /usr/share/GeoIP<br>
>      >     *named.conf Snippet:*<br>
>      >     options {<br>
>      >              directory "/";<br>
>      >              allow-query {any;};<br>
>      >              allow-transfer {none;};<br>
>      >              blackhole {none;};<br>
>      >              dnssec-validation yes;<br>
>      >              listen-on-v6 {none;};<br>
>      >              rrset-order {<br>
>      >                      order cyclic;<br>
>      >              };<br>
>      >              dump-file "/var/named/log/named_dump.db";<br>
>      >              lame-ttl 0;<br>
>      >              max-ncache-ttl 10800;<br>
>      >              minimal-responses yes;<br>
>      >              pid-file "/var/run/named/named.pid";<br>
>      >              recursion no;<br>
>      >              session-keyfile "/var/run/named/session.key";<br>
>      >              statistics-file "/var/named/log/named.stats";<br>
>      >              tcp-clients 150;<br>
>      >     *tkey-gssapi-keytab "/etc/krb5.keytab";*<br>
>      >     };<br>
>      ><br>
>      >     *Zone Section in named.conf:*<br>
>      >     zone "_msdcs.example.com" IN {<br>
>      >              type master;<br>
>      >              file "/var/named/zones/masters/db._msdcs.example.com";<br>
>      >     *update-policy { grant * subdomain _msdcs.example.com. ANY; };*<br>
>      >     };<br>
>      >     zone "_sites.example.com" IN {<br>
>      >              type master;<br>
>      >              file "/var/named/zones/masters/db._sites.example.com";<br>
>      >              update-policy { grant * subdomain _sites.example.com. ANY; };<br>
>      >     };<br>
>      >     zone "_tcp.example.com" IN {<br>
>      >              type master;<br>
>      >              file "/var/named/zones/masters/db._tcp.example.com";<br>
>      >              update-policy { grant * subdomain _tcp.example.com. ANY; };<br>
>      >     };<br>
>      ><br>
>      >     *krb5.conf:*<br>
>      >     # cat krb5.conf<br>
>      ><br>
>      >     [libdefaults]<br>
>      ><br>
>      >     default_realm = EXAMPLE.COM<br>
>      >     default_tkt_enctypes = aes256-cts<br>
>      >     default_tgs_enctypes = aes256-cts<br>
>      >     dns_lookup_realm = true<br>
>      >     dns_lookup_kdc = true<br>
>      >     ticket_lifetime = 30d<br>
>      >     default_keytab_name = FILE:/etc/krb5.keytab<br>
>      ><br>
>      >     [realms]<br>
>      >     EXAMPLE.COM = {<br>
>      >     kdc = example.com:88<br>
>      >     default_domain = example.com<br>
>      >     }<br>
>      ><br>
>      ><br>
>      >     [domain_realm]<br>
>      >     .example.com = EXAMPLE.COM<br>
>      >     example.com = EXAMPLE.COM<br>
>      ><br>
>      >     *_Specific Error Messages:_*<br>
>      >     *named.log (with debug level 0):*<br>
>      >     update-security: error: client @0x7f01c420f7a8 10.1.10.20#53822:<br>
>      >     update '_tcp.example.com/IN' denied<br>
>      >     update-security: error: client @0x7f01ac0150a8 10.1.10.20#54527:<br>
>      >     update '_sites.example.com/IN' denied<br>
>      >     update-security: error: client @0x7f01ac0150a8 10.1.10.20#54470:<br>
>      >     update '_msdcs.example.com/IN' denied<br>
>      >     update-security: error: client @0x7f01ac0150a8 10.1.10.20#53206:<br>
>      >     update '_msdcs.example.com/IN' denied<br>
>      >     update-security: error: client @0x7f01c420f7a8 10.1.10.20#49853:<br>
>      >     update '_msdcs.example.com/IN' denied<br>
>      >     update-security: error: client @0x7f01c420f7a8 10.1.10.20#59529:<br>
>      >     update '_msdcs.example.com/IN' denied<br>
>      >     update-security: error: client @0x7f01ac0150a8 10.1.10.20#51093:<br>
>      >     update '_msdcs.example.com/IN' denied<br>
>      >     update-security: error: client @0x7f01c420f7a8 10.1.10.20#58128:<br>
>      >     update '_msdcs.example.com/IN' denied<br>
>      >     update-security: error: client @0x7f01ac0150a8 10.1.10.20#59368:<br>
>      >     update '_msdcs.example.com/IN' denied<br>
>      >     update-security: error: client @0x7f01ac0150a8 10.1.10.20#63380:<br>
>      >     update '_msdcs.example.com/IN' denied<br>
>      >     update-security: error: client @0x7f01ac0150a8 10.1.10.20#57248:<br>
>      >     update '_tcp.example.com/IN' denied<br>
>      >     update-security: error: client @0x7f01ac0150a8 10.1.10.20#52530:<br>
>      >     update '_<a href="http://sites.example.com/IN" rel="noreferrer" target="_blank">sites.example.com/IN</a> <<a href="http://sites.example.com/IN" rel="noreferrer" target="_blank">http://sites.example.com/IN</a>><br>
>     <<a href="http://sites.example.com/IN" rel="noreferrer" target="_blank">http://sites.example.com/IN</a> <<a href="http://sites.example.com/IN" rel="noreferrer" target="_blank">http://sites.example.com/IN</a>>>' denied<br>
>      >     update-security: error: client @0x7f01ac0150a8 10.1.10.20#54245:<br>
>      >     update '_<a href="http://tcp.example.com/IN" rel="noreferrer" target="_blank">tcp.example.com/IN</a> <<a href="http://tcp.example.com/IN" rel="noreferrer" target="_blank">http://tcp.example.com/IN</a>><br>
>     <<a href="http://tcp.example.com/IN" rel="noreferrer" target="_blank">http://tcp.example.com/IN</a> <<a href="http://tcp.example.com/IN" rel="noreferrer" target="_blank">http://tcp.example.com/IN</a>>>' denied<br>
>      >     update-security: error: client @0x7f01c420f7a8 10.1.10.20#53890:<br>
>      >     update '_<a href="http://sites.example.com/IN" rel="noreferrer" target="_blank">sites.example.com/IN</a> <<a href="http://sites.example.com/IN" rel="noreferrer" target="_blank">http://sites.example.com/IN</a>><br>
>     <<a href="http://sites.example.com/IN" rel="noreferrer" target="_blank">http://sites.example.com/IN</a> <<a href="http://sites.example.com/IN" rel="noreferrer" target="_blank">http://sites.example.com/IN</a>>>' denied<br>
>      >     update-security: error: client @0x7f01ac0150a8 10.1.10.20#49508:<br>
>      >     update '_<a href="http://tcp.example.com/IN" rel="noreferrer" target="_blank">tcp.example.com/IN</a> <<a href="http://tcp.example.com/IN" rel="noreferrer" target="_blank">http://tcp.example.com/IN</a>><br>
>     <<a href="http://tcp.example.com/IN" rel="noreferrer" target="_blank">http://tcp.example.com/IN</a> <<a href="http://tcp.example.com/IN" rel="noreferrer" target="_blank">http://tcp.example.com/IN</a>>>' denied<br>
>      >     update-security: error: client @0x7f01ac0150a8 10.1.10.20#56611:<br>
>      >     update '_<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">msdcs.example.com/IN</a> <<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">http://msdcs.example.com/IN</a>><br>
>     <<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">http://msdcs.example.com/IN</a> <<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">http://msdcs.example.com/IN</a>>>' denied<br>
>      >     update-security: error: client @0x7f01c420f7a8 10.1.10.20#62785:<br>
>      >     update '_<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">msdcs.example.com/IN</a> <<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">http://msdcs.example.com/IN</a>><br>
>     <<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">http://msdcs.example.com/IN</a> <<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">http://msdcs.example.com/IN</a>>>' denied<br>
>      >     update-security: error: client @0x7f01ac0150a8 10.1.10.20#59729:<br>
>      >     update '_<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">msdcs.example.com/IN</a> <<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">http://msdcs.example.com/IN</a>><br>
>     <<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">http://msdcs.example.com/IN</a> <<a href="http://msdcs.example.com/IN" rel="noreferrer" target="_blank">http://msdcs.example.com/IN</a>>>' denied<br>
>      ><br>
>      >     *named.log (with debug level 10):*<br>
>      >     client: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242: UDP request<br>
>      >     client: debug 5: client @0x7f01ac0150a8 10.1.10.20#64242: using view '_default'<br>
>      >     security: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242: request is not signed<br>
>      >     security: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242: recursion not available (recursion not enabled for view)<br>
>      >     update-security: error: client @0x7f01ac0150a8 10.1.10.20#64242: update '_msdcs.example.com/IN' denied<br>
>      >     security: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242: reset client<br>
>      >     client: debug 3: clientmgr @0x7f01c4043e40 attach: 6<br>
>      >     client: debug 3: query client=0x7f01c41936c8 thread=0x7f01c8c22640(<unknown-query>): query_reset<br>
>      >     security: debug 3: client @0x7f01c41936c8 (no-peer): allocate new client<br>
>      >     client: debug 3: client @0x7f01c41936c8 10.1.10.20#58518: TCP request<br>
>      >     client: debug 5: client @0x7f01c41936c8 10.1.10.20#58518: using view '_default'<br>
>      >     security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518: request is not signed<br>
>      >     security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518: recursion not available (recursion not enabled for view)<br>
>      >     client: debug 3: query client=0x7f01c41936c8 thread=0x7f01c8c22640(<unknown-query>): ns_query_start<br>
>      >     general: debug 3: failed gss_inquire_cred: GSSAPI error: Major = No credentials were supplied, or the credentials were unavailable or inaccessible, Minor = No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1001).<br>
>      >     general: debug 3: failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = No such file or directory (filename: /var/tmp/krb5_1001.rcache2).<br>
>      >     general: debug 4: process_gsstkey(): dns_tsigerror_badkey<br>
>      >     security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518 (568-ms-7.16519-4ead2f01.0e0f8a94-47f4-11ef-b587-0050568f702e): reset client<br>
>      >     client: debug 3: query client=0x7f01c41936c8 thread=0x7f01c8c22640(568-ms-7.16519-4ead2f01.0e0f8a94-47f4-11ef-b587-0050568f702e/TKEY): query_reset<br>
>      >     security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518: freeing client<br>
>      >     client: debug 3: query client=0x7f01c41936c8 thread=0x7f01c8c22640(<unknown-query>): query_reset<br>
>      >     client: debug 3: clientmgr @0x7f01c4043e40 detach: 5<br>
>      ><br>
>      >     client: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577: UDP request<br>
>      >     client: debug 5: client @0x7f01c420f7a8 10.1.10.20#58577: using view '_default'<br>
>      >     security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577: request is not signed<br>
>      >     security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577: recursion not available (recursion not enabled for view)<br>
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(<unknown-query>): ns_query_start<br>
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): qctx_init<br>
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): client attr:0x20000, query attr:0xF00, restarts:0, origqname:nameserver.example.com, timer:0, authdb:0, referral:0<br>
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): ns__query_start<br>
>      >     security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577 (nameserver.example.com): query 'nameserver.example.com/A/IN' approved<br>
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_lookup<br>
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_gotanswer<br>
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_checkrpz<br>
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): rpz_rewrite<br>
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_prepresponse<br>
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_zerottl_refetch<br>
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_respond<br>
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_getexpire<br>
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_addanswer<br>
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_addrrset<br>
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_setorder<br>
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_additional<br>
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_addrrset: done<br>
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_addnoqnameproof<br>
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_addauth<br>
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): ns_query_done<br>
>      >     security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577 (nameserver.example.com): reset client<br>
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_reset<br>
>      >     client: debug 3: client @0x7f01c420f7a8 10.1.10.20#62785: UDP request<br>
>      >     client: debug 5: client @0x7f01c420f7a8 10.1.10.20#62785: using view '_default'<br>
>      >     security: debug 3: client @0x7f01c420f7a8 10.1.10.20#62785: request is not signed<br>
>      >     security: debug 3: client @0x7f01c420f7a8 10.1.10.20#62785: recursion not available (recursion not enabled for view)<br>
>      >     update-security: error: client @0x7f01c420f7a8 10.1.10.20#62785: update '_msdcs.example.com/IN' denied<br>
>      >     security: debug 3: client @0x7f01c420f7a8 10.1.10.20#62785: reset client<br>
>      >     client: debug 3: clientmgr @0x7f01c4055fc0 attach: 6<br>
>      >     client: debug 3: query client=0x7f01ac0eca18 thread=0x7f01c3fff640(<unknown-query>): query_reset<br>
>      >     security: debug 3: client @0x7f01ac0eca18 (no-peer): allocate new client<br>
>      >     client: debug 3: client @0x7f01ac0eca18 10.1.10.20#58172: TCP request<br>
>      >     client: debug 5: client @0x7f01ac0eca18 10.1.10.20#58172: using view '_default'<br>
>      >     security: debug 3: client @0x7f01ac0eca18 10.1.10.20#58172: request is not signed<br>
>      >     security: debug 3: client @0x7f01ac0eca18 10.1.10.20#58172: recursion not available (recursion not enabled for view)<br>
>      >     client: debug 3: query client=0x7f01ac0eca18 thread=0x7f01c3fff640(<unknown-query>): ns_query_start<br>
>      >     general: debug 3: failed gss_inquire_cred: GSSAPI error: Major = No credentials were supplied, or the credentials were unavailable or inaccessible, Minor = No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1001).<br>
>      >     general: debug 3: failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = No such file or directory (filename: /var/tmp/krb5_1001.rcache2).<br>
>      >     general: debug 4: process_gsstkey(): dns_tsigerror_badkey<br>
>      >     security: debug 3: client @0x7f01ac0eca18 10.1.10.20#58172 (568-ms-7.16520-4ead2f11.0e0f8a94-47f4-11ef-b587-0050568f702e): reset client<br>
>      >     client: debug 3: query client=0x7f01ac0eca18 thread=0x7f01c3fff640(568-ms-7.16520-4ead2f11.0e0f8a94-47f4-11ef-b587-0050568f702e/TKEY): query_reset<br>
>      ><br>
>      >     Any insights, suggestions, or further troubleshooting steps to<br>
>      >     resolve this issue would be greatly appreciated. Thank you in<br>
>      >     advance for your assistance.<br>
>      ><br>
>      >     Thanks<br>
>      ><br>
>      >     Nagesh<br>
>      ><br>
>      ><br>
> <br>
>     -- <br>
>     Petr Špaček<br>
> <br>
<br>
-- <br>
Petr Špaček<br>
<br>
</blockquote></div>
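The named.log excerpt quoted in this thread names the file GSSAPI could not open (/var/tmp/krb5_1001.rcache2), and the resolution was a /var/tmp directory missing inside the chroot. The script below is an added example, not part of the original messages or of BIND: it extracts such paths from a debug log and checks whether their parent directory exists under a chroot root. The function names and the sample log (constructed from the lines quoted above) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list files that GSSAPI reported as
# missing in a named debug log and check their directories inside a chroot.

# Constructed sample: the three GSS-TSIG records from the quoted named.log,
# unwrapped to one record per line.
sample_log() {
cat <<'EOF'
general: debug 3: failed gss_inquire_cred: GSSAPI error: Major = No credentials were supplied, or the credentials were unavailable or inaccessible, Minor = No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1001).
general: debug 3: failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = No such file or directory (filename: /var/tmp/krb5_1001.rcache2).
general: debug 4: process_gsstkey(): dns_tsigerror_badkey
EOF
}

# Read a log on stdin and print each distinct path that appears in a
# "No such file or directory (filename: ...)" GSSAPI minor status.
gss_missing_paths() {
    sed -n 's/.*No such file or directory (filename: \([^)]*\)).*/\1/p' | sort -u
}

# usage: check_chroot_dirs CHROOT_ROOT < named.log
# For every path found by gss_missing_paths, report the parent directory
# when it does not exist (or is not a directory) under CHROOT_ROOT.
# Passing "/" checks the host filesystem instead of a chroot.
# Returns 0 when nothing is missing, 1 otherwise.
check_chroot_dirs() {
    root=${1%/}
    rc=0
    paths=$(gss_missing_paths)
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        dir=$(dirname "$path")
        if [ ! -d "$root$dir" ]; then
            printf 'MISSING %s (needed for %s)\n' "$root$dir" "$path"
            rc=1
        fi
    done <<EOF
$paths
EOF
    return $rc
}

# Example invocation (the chroot path is a placeholder, not from the thread):
#   check_chroot_dirs /path/to/named-chroot < named.log
```

A directory that exists must also be writable by the account named runs as, which this check does not test.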