Dynamic DNS Updates fail once in a while against AD DNS

Osipov, Michael
Hi folks,

We experience sporadic failures in DNS updates with nsupdate 9.11.6
against Active Directory with GSS-TSIG.

The input is:
> $ less /usr/local/etc/register-hostnames.in
> zone ad001.siemens.net
> update add deblndw011x1j.ad001.siemens.net 3600 A 147.54.64.149
> send
> update add sitex-ldadw.ad001.siemens.net 3600 A 147.54.64.149
> send

The update runs a crontab with @daily on FreeBSD 12.0-RELEASE:

In a negative case we see:

> ;; UPDATE SECTION:
> deblndw011x1j.ad001.siemens.net. 3600 IN A 147.54.64.149
>
> ;; TSIG PSEUDOSECTION:
> 2194433436.sig-demchadc02a.ad001.siemens.net. 0 ANY TSIG gss-tsig. 1554588001 300 28 BAQE//////8AAAAAH1sNRDyJ/ysz/YCKzFftFw== 45424 NOERROR 0
>
> 07-Apr-2019 00:00:01.897 dns_request_destroy: request 0x8010d3bc0
> 07-Apr-2019 00:00:01.897 req_destroy: request 0x8010d3bc0
> 07-Apr-2019 00:00:01.897 requestmgr_detach: 0x8010c7a40: eref 1 iref 1
> 07-Apr-2019 00:00:01.913 req_connected: request 0x8010d3a40
> 07-Apr-2019 00:00:01.913 req_send: request 0x8010d3a40
> 07-Apr-2019 00:00:01.913 req_senddone: request 0x8010d3a40
> 07-Apr-2019 00:00:01.930 req_response: request 0x8010d3a40: success
> 07-Apr-2019 00:00:01.930 req_cancel: request 0x8010d3a40
> 07-Apr-2019 00:00:01.930 req_sendevent: request 0x8010d3a40
> 07-Apr-2019 00:00:01.930 dns_request_getresponse: request 0x8010d3a40
> 07-Apr-2019 00:00:01.930 GSS verify error: GSSAPI error: Major = A token had an invalid Message Integrity Check (MIC), Minor = Unknown code 0.
> 07-Apr-2019 00:00:01.930 tsig key '2194433436.sig-demchadc02a.ad001.siemens.net' (<null>): signature failed to verify(1)
> ; TSIG error with server: tsig verify failure

If necessary, I can provide both (positive and negative) output from
cron and pcap files.

Is there anything I can do to solve this issue or is this another
Microsoft DNS quirk (domain name compression or alike) I have to live
with? Is issue #45854 back in the game?

Regards,

Michael
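
The failure above is a reliability problem for an unattended @daily job: one signature that the server cannot verify aborts that `send`, and nothing retries it. The wrapper below is an added example, not part of the original post and not BIND's own code. It sends each record in its own nsupdate run (every run negotiates a fresh GSS-TSIG context over TKEY, so a retry never reuses the context that failed), classifies nsupdate's output, retries a record whose signature failed to verify, and logs each attempt with the full debug trace so a failing run can be matched against a pcap. Assumptions not taken from the post: the updates are sent with `nsupdate -g -d`, the cron user holds a valid Kerberos ticket, and the records live in a hypothetical file `/usr/local/etc/register-hostnames.records` with one `name ttl addr` line per host. The functions `classify_nsupdate_output`, `build_update` and `send_record` are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post: a cron wrapper around nsupdate
# that sends one record per run, recognises the "tsig verify failure" seen in
# the post, retries that record in a fresh nsupdate process (each run does its
# own TKEY negotiation, so the retry gets a new GSS-TSIG context), and logs
# every attempt for later correlation with a pcap.
# Assumed, not in the post: nsupdate -g is how the updates are sent, the cron
# user has a valid Kerberos ticket, and the record file has "name ttl addr" lines.

ZONE="ad001.siemens.net"                                                    # from the post
RECORDS_FILE="${RECORDS_FILE:-/usr/local/etc/register-hostnames.records}"  # hypothetical path
LOG_FILE="${LOG_FILE:-/var/log/register-hostnames.log}"                     # hypothetical path
MAX_TRIES="${MAX_TRIES:-3}"
RETRY_DELAY="${RETRY_DELAY:-5}"

log() { printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >>"$LOG_FILE"; }

# classify_nsupdate_output OUTPUT -> prints one word:
#   tsig      signature/verify failure (sporadic in the post, worth a retry)
#   rejected  the server answered the update with an error, or was unreachable
#   ok        nothing in the output that looks like an error
classify_nsupdate_output() {
    case "$1" in
        *"tsig verify failure"*|*"signature failed to verify"*|*"GSS verify error"*)
            echo tsig ;;
        *"update failed"*|*"could not talk to"*)
            echo rejected ;;
        *)
            echo ok ;;
    esac
}

# build_update NAME TTL ADDR -> the nsupdate script for a single A record.
# One record per "send", so a bad signature costs one record, not the batch.
build_update() {
    printf 'zone %s\nupdate add %s.%s %s A %s\nsend\n' "$ZONE" "$1" "$ZONE" "$2" "$3"
}

# send_record NAME TTL ADDR -> retries on TSIG failures; returns 0 on success.
send_record() {
    name=$1; ttl=$2; addr=$3; try=1
    while [ "$try" -le "$MAX_TRIES" ]; do
        rc=0
        # -g: GSS-TSIG; -d: the debug trace shown in the post. Keep both streams.
        out=$(build_update "$name" "$ttl" "$addr" | nsupdate -g -d 2>&1) || rc=$?
        result=$(classify_nsupdate_output "$out")
        log "$name try=$try rc=$rc result=$result"
        case "$result" in
            ok)       [ "$rc" -eq 0 ] && return 0 ;;
            tsig)     printf '%s\n' "$out" >>"$LOG_FILE"; sleep "$RETRY_DELAY" ;;
            rejected) printf '%s\n' "$out" >>"$LOG_FILE"; return 1 ;;
        esac
        try=$((try + 1))
    done
    log "$name giving up after $MAX_TRIES tries"
    return 1
}

main() {
    failed=0
    # Record file format (constructed for this example): "name ttl addr", '#' comments allowed.
    while read -r name ttl addr; do
        case "$name" in ''|'#'*) continue ;; esac
        send_record "$name" "$ttl" "$addr" || failed=$((failed + 1))
    done <"$RECORDS_FILE"
    return "$failed"
}

# Only send updates when invoked with "run", e.g. from cron:
#   @daily /usr/local/sbin/register-hostnames.sh run   (hypothetical path)
if [ "${1:-}" = run ]; then main; fi
```

The exit status of `main` is the number of records that never registered, so cron mail or a monitoring check can flag a day on which the retries did not recover. The per-record `send` also means the second hostname from the input file is still attempted when the first one fails.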

bind-users mailing list
https://lists.isc.org/mailman/listinfo/bind-users