Skip Menu |
Report information
The Basics
Id: 45854
Status: resolved
Priority: 50/50
Queue: bind9-public

Owner: Nobody in particular
Requestors: Petr Menšík <>

Bug Information
Version Fixed: 9.11.3, 9.12.0
Version Found: (no value)
Versions Affected: (no value)
Versions Planned: (no value)
Priority: P2 Normal
Severity: S2 Normal
CVSS Score: (no value)
CVE ID: (no value)
Component: (no value)
Area: bug

Created:Thu, 24 Aug 2017 15:02:36 +0000
Updated:Fri, 01 Sep 2017 01:26:32 +0000
Closed:Fri, 01 Sep 2017 01:26:32 +0000

This bug tracker is no longer active.

Please go to our Gitlab to submit issues (both feature requests and bug reports) for active projects maintained by Internet Systems Consortium (ISC).

Due to security and confidentiality requirements, full access is limited to the primary maintainers.

From: "Petr Menšík" <>
Date: Thu, 24 Aug 2017 17:02:00 +0200
Subject: nsupdate: GSSAPI fails to authenticate against AD in bind 9.11
Download (untitled) / with headers
text/plain 1.8KiB
Hello. Bug was reported on Fedora 26, that nsupdate authenticated by GSSAPI against Active Directory 2012-r2 server is getting refused. It affects all 9.11.x versions I have tried. But works well with 9.10.5. OpenSSL 1.1 and 1.0 gives the same results. Original bug is at [1]. First attachment [2] shows output of 9.11.2 nsupdate, which always fail on update request, that follows successful GSS-TSIG query. However previous version in second attachment [3] made by nsupdate 9.10.5 is successful. New versions report this with -L 10: 24-Aug-2017 10:56:13.904 GSS verify error: GSSAPI error: Major = A token had an invalid Message Integrity Check (MIC), Minor = Packet was replayed in wrong direction. 24-Aug-2017 10:56:13.904 tsig key '' (<null>): signature failed to verify(1) I have to admit I could not see anything wrong with authentication at first glance. I tried to find something in source code changes unsucessfully. Then used git bisect to find the failure. According to my bisecting, first commit that broke authentication was change 4079 [RT #37442] [4]. Surprising was it works again in master branch. If my bisecting was correct again, it was fixed (by some unintentional change I think) in commit RT #44029 [5]. I would be grateful if some small fix could be backported into 9.11 branch(es) Regards, Petr [1] [2] [3] [4];a=commit;h=a8da00ef95ba37b9d071c2b8db1a0c967e060106 [5];a=commit;h=03be5a6b4e6311b14a12dec5b15a62f55586aaf4 -- Petr Menšík Software Engineer Red Hat, email: PGP: 65C6C973
Date: Fri, 25 Aug 2017 15:10:46 +1000
Subject: Re: [ISC-Bugs #45854] nsupdate: GSSAPI fails to authenticate against AD in bind 9.11
From: "Mark Andrews" <>
I suspect this is really a Windows TSIG bug where it doesn't handle compressed TSIG owner names correctly. The change resulted in the workaround for this Windows bug being lost (preventing the TSIG owner name being compressed). The following preserves the DNS_NAMEATTR_NOCOMPRESS attribute when setting case. Mark diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c index 5b88f20a98..a168588683 100644 --- a/lib/dns/rdataset.c +++ b/lib/dns/rdataset.c @@ -465,6 +465,9 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name, dns_name_copy(owner_name, name, NULL); dns_rdataset_getownercase(rdataset, name); + if ((owner_name->attributes & DNS_NAMEATTR_NOCOMPRESS) != 0) + name->attributes |= DNS_NAMEATTR_NOCOMPRESS; + do { /* * Copy out the name, type, class, ttl. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET:
ready for review
On Fri Aug 25 05:37:13 2017, marka wrote: > ready for review => code OK.
4697. [bug] Restore workaround for Microsoft Windows TSIG hash computation bug. [RT #45854]