Skip Menu |
Report information
The Basics
Id: 46086
Status: resolved
Priority: 50/50
Queue: bind9-public
People
Owner: Ondrej Sury <ondrej@isc.org>
Requestors:
Cc:
AdminCc:
Bug Information
Version Fixed: (no value)
Version Found: (no value)
Versions Affected: (no value)
Versions Planned: (no value)
Priority: P1 High
Severity: S1 High
CVSS Score: (no value)
CVE ID: (no value)
Component: (no value)
Area: bug
Dates
Created:Sun, 24 Sep 2017 05:44:51 -0400
Updated:Thu, 09 Nov 2017 06:39:01 -0500
Closed:Thu, 09 Nov 2017 06:39:01 -0500

This bug tracker is no longer active.

Please go to our Gitlab to submit issues (both feature requests and bug reports) for active projects maintained by Internet Systems Consortium (ISC).

Due to security and confidentiality requirements, full access is limited to the primary maintainers.

History Show full headers
# Sun, 24 Sep 2017 05:44:54 -0400 Mukund Sivaraman <muks@isc.org> - Ticket created [Reply] [Comment]
Date: Sun, 24 Sep 2017 15:14:39 +0530
Subject: tsiggss system test failing on Fedora 26 (master, v9_10 included)
To: bind9-bugs@isc.org
From: "Mukund Sivaraman" <muks@isc.org>
Download (untitled) / with headers
text/plain 315B
tsiggss system test is failing on Fedora 26, at least on master and v9_10. Versions of krb5 and OpenSSL are: krb5-libs-1.15.1-28.fc26.x86_64 openssl-1.1.0f-7.fc26.x86_64 It passes on Fedora 25 with the following versions of krb and OpenSSL: krb5-libs-1.14.4-9.fc25.x86_64 openssl-1.0.2k-1.fc25.x86_64 Mukund
# Sun, 24 Sep 2017 05:47:47 -0400 Mukund Sivaraman <muks@isc.org> - Priority P1 High added
# Sun, 24 Sep 2017 05:47:47 -0400 Mukund Sivaraman <muks@isc.org> - Severity S1 High added
# Wed, 27 Sep 2017 09:21:45 -0400 Francis Dupont <Francis_Dupont@isc.org> - Status changed from 'new' to 'open'
# Wed, 27 Sep 2017 09:21:45 -0400 Francis Dupont <Francis_Dupont@isc.org> - Taken
# Wed, 27 Sep 2017 09:22:34 -0400 Francis Dupont <Francis_Dupont@isc.org> - Correspondence added [Reply] [Comment]
Download (untitled) / with headers
text/plain 76B
On Fedora Kerberos GSS code requires a krb5.conf file with a default realm.
# Wed, 27 Sep 2017 09:30:55 -0400 Francis Dupont <Francis_Dupont@isc.org> - Correspondence added [Reply] [Comment]
Download (untitled) / with headers
text/plain 238B
On Wed Sep 27 13:22:34 2017, fdupont wrote: > On Fedora Kerberos GSS code requires a krb5.conf > file with a default realm. => done. Ready for review. BTW I don't know if we want a copyright in this trivial file (# is the comment char).
# Wed, 27 Sep 2017 09:30:56 -0400 Francis Dupont <Francis_Dupont@isc.org> - Status changed from 'open' to 'review'
# Wed, 27 Sep 2017 09:30:56 -0400 Francis Dupont <Francis_Dupont@isc.org> - Untaken
# Thu, 28 Sep 2017 13:26:22 -0400 Evan Hunt <Evan_Hunt@isc.org> - Correspondence added [Reply] [Comment]
Download (untitled) / with headers
text/plain 229B
> => done. Ready for review. BTW I don't know if we want > a copyright in this trivial file (# is the comment char). This looks fine and I'm tempted to just merge it, but Mukund, can you confirm that it fixes the problem first?
# Thu, 28 Sep 2017 13:26:22 -0400 Evan Hunt <Evan_Hunt@isc.org> - Given to Mukund Sivaraman <muks@isc.org>
# Thu, 28 Sep 2017 15:36:06 -0400 Mukund Sivaraman <muks@isc.org> - Correspondence added [Reply] [Comment]
Date: Fri, 29 Sep 2017 01:05:58 +0530
Subject: Re: [ISC-Bugs #46086] tsiggss system test failing on Fedora 26 (master, v9_10 included)
To: "Evan Hunt via RT" <bind9-confidential@isc.org>
From: "Mukund Sivaraman" <muks@isc.org>
Download (untitled) / with headers
text/plain 1.3KiB
On Thu, Sep 28, 2017 at 05:26:22PM +0000, Evan Hunt via RT wrote: > > > => done. Ready for review. BTW I don't know if we want > > a copyright in this trivial file (# is the comment char). > > This looks fine and I'm tempted to just merge it, but Mukund, can you > confirm that it fixes the problem first? It does not. The following error occurs: 29-Sep-2017 01:00:57.407 gss cred: "muks@ISC.ORG", GSS_C_INITIATE, 30320 29-Sep-2017 01:00:57.407 failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Request ticket server DNS/blu.example.nil@EXAMPLE.NIL kvno 1 enctype rc4-hmac found in keytab but cannot decrypt ticket. 29-Sep-2017 01:00:57.407 process_gsstkey(): dns_tsigerror_badkey After kdestroy: 29-Sep-2017 01:03:42.235 failed gss_inquire_cred: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = No Kerberos credentials available (default cache: KEYRING:persistent:1000). 29-Sep-2017 01:03:42.235 failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Request ticket server DNS/blu.example.nil@EXAMPLE.NIL kvno 1 enctype rc4-hmac found in keytab but cannot decrypt ticket. 29-Sep-2017 01:03:42.235 process_gsstkey(): dns_tsigerror_badkey Mukund
# Thu, 28 Sep 2017 16:54:14 -0400 Francis Dupont <Francis_Dupont@isc.org> - Correspondence added [Reply] [Comment]
Download (untitled) / with headers
text/plain 1.5KiB
On Thu Sep 28 19:36:06 2017, muks wrote: > On Thu, Sep 28, 2017 at 05:26:22PM +0000, Evan Hunt via RT wrote: > > > > > => done. Ready for review. BTW I don't know if we want > > > a copyright in this trivial file (# is the comment char). > > > > This looks fine and I'm tempted to just merge it, but Mukund, can you > > confirm that it fixes the problem first? > > It does not. The following error occurs: > > 29-Sep-2017 01:00:57.407 gss cred: "muks@ISC.ORG", GSS_C_INITIATE, > 30320 > 29-Sep-2017 01:00:57.407 failed gss_accept_sec_context: GSSAPI error: > Major = Unspecified GSS failure. Minor code may provide more > information, Minor = Request ticket server > DNS/blu.example.nil@EXAMPLE.NIL kvno 1 enctype rc4-hmac found in > keytab but cannot decrypt ticket. > 29-Sep-2017 01:00:57.407 process_gsstkey(): dns_tsigerror_badkey > > After kdestroy: > > 29-Sep-2017 01:03:42.235 failed gss_inquire_cred: GSSAPI error: Major > = Unspecified GSS failure. Minor code may provide more information, > Minor = No Kerberos credentials available (default cache: > KEYRING:persistent:1000). > 29-Sep-2017 01:03:42.235 failed gss_accept_sec_context: GSSAPI error: > Major = Unspecified GSS failure. Minor code may provide more > information, Minor = Request ticket server > DNS/blu.example.nil@EXAMPLE.NIL kvno 1 enctype rc4-hmac found in > keytab but cannot decrypt ticket. > 29-Sep-2017 01:03:42.235 process_gsstkey(): dns_tsigerror_badkey => it looks like it uses a system wide krb5.conf. There is no muks@ISC.ORG in the system test. BTW how did you get these messages? Did you run the system test tests.sh?
# Thu, 28 Sep 2017 17:18:33 -0400 Mukund Sivaraman <muks@isc.org> - Correspondence added [Reply] [Comment]
To: "Francis Dupont via RT" <bind9-confidential@isc.org>
From: "Mukund Sivaraman" <muks@isc.org>
Date: Fri, 29 Sep 2017 02:48:22 +0530
Subject: Re: [ISC-Bugs #46086] tsiggss system test failing on Fedora 26 (master, v9_10 included)
Download (untitled) / with headers
text/plain 13KiB
On Thu, Sep 28, 2017 at 08:54:15PM +0000, Francis Dupont via RT wrote: > => it looks like it uses a system wide krb5.conf. There is no > muks@ISC.ORG in the system test. I was kinit'd as muks@ISC.ORG, so I used kdestroy to forget it. The second part of log messagees in the previous message is from when muks@ISC.ORG is no longer there. > BTW how did you get these messages? Did you run the system test > tests.sh? master branch: cd bin/tests/system sh ./run.sh tsiggss [muks@ponyo system]$ sh ./run.sh tsiggss S:tsiggss:Fri Sep 29 02:46:32 IST 2017 T:tsiggss:1:A A:System test tsiggss I:testing updates as administrator I:testing update for testdc1.example.nil. A 86400 A 10.53.0.10 I:update failed for testdc1.example.nil. A 86400 A 10.53.0.10 I:Reply from SOA query: I:;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64052 I:;; flags: qr aa; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 I:;; QUESTION SECTION: I:;testdc1.example.nil. IN SOA I: I:;; AUTHORITY SECTION: I:example.nil. 0 IN SOA blu.example.nil. hostmaster.example.nil. 2010113027 172800 14400 3628800 604800 I: I:Found zone name: example.nil I:The master is: blu.example.nil I:start_gssrequest I:Found realm from ticket: EXAMPLE.NIL I:send_gssrequest I:recvmsg reply from GSS-TSIG query I:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8734 I:;; flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 I:;; QUESTION SECTION: I:;2145557875.sig-blu.example.nil. ANY TKEY I: I:;; ANSWER SECTION: I:2145557875.sig-blu.example.nil. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0 I: I:dns_tkey_gssnegotiate: TKEY is unacceptable I:Outgoing update query: I:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8734 I:;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 I:;; QUESTION SECTION: I:;2145557875.sig-blu.example.nil. ANY TKEY I: I:;; ADDITIONAL SECTION: I:2145557875.sig-blu.example.nil. 0 ANY TKEY gss-tsig. 1506633392 1506633392 3 NOERROR 1321 YIIFJQYGKwYBBQUCoIIFGTCCBRWgDTALBgkqhkiG9xIBAgKiggUCBIIE /mCCBPoGCSqGSIb3EgECAgEAboIE6TCCBOWgAwIBBaEDAgEOogcDBQAg AAAAo4ID2GGCA9QwggPQoAMCAQWhDRsLRVhBTVBMRS5OSUyiITAfoAMC AQGhGDAWGwNETlMbD2JsdS5leGFtcGxlLm5pbKOCA5UwggORoAMCAReh AwIBAaKCA4MEggN/8vU9EgEjUL8Mp1I6zgbLg9V73u71FN0/Q01OKOve PDQot0QM2QH1scDk91jEtmjnamcIbZ8aXlm+wj3jJU+WZsOxw/KiEljo xbTkP05fnx8LNPX5Sr+KR8Id1D87bRzPVxKRDEmIrs7jnBLQoKLjrGhU UGqYK1CkHNfBd3VWj3viR50jnYTT8rU97N1FSgJ8Cx21AffPS0vaUHgF SVU8DIfvXoLkNlRCT/O3qPF/utVcKhnUb2QInxQq4DXVWISwIhVYt65e R0ajp46pcjCV1rTtJGKhyopdxhGGfBetyxn+wQaMRuQKGYgHKi3UQY5D 397Vc9FlQVc5x5pGSVX42OWeyg3KzSGgcBtylo/+Xdlid8b6P5BkcTiS +jWIX0HUpx9c4CCTIZ8mWjoMowEP9TrTNCDgXyaT19N/TPQ2kC4CLnX5 MsYg6MBZ1F/hhmmtUpQ9VXcKZXBP7CDxY7528da3+EeVJZWyT/6w940C x1XincAfpWqOMDQsjDTXroeYp9fxtgtzTxAXS3k3wManDf/WW3f2eBeY BV4DGg/zARBiIibf24ElYEb8EaBpj2fFR35PO8RhMmDIw/vfWWQm2d49 /KuxSRyBOAWwKd2xDJXlUuS8SZnerZC0XGv3LitLBUDsnd3y0VwsHanO 2NjyUiqR/Wmyf+gKiKVEM08931DFwUOwdSh9V2pwGpUI07MnGhVJrcmQ 1UbRlTDPmpPWLD/SEqqkxDLcL401gkYk79EuePvQJbRsN/5gYd3hDCKX 0J+tjNjpN74QMknU529IUYu63QnWPw1Lvgl6TMqgugGCTy07HJa4IfGS t6NMakMON0/D06PDwaCwvPQLyPJKC81CekqMfjaS6DXj67cFKOyNWeQI JvUv24fxrmoLJKhA7MLwlUBNAaKLS4EMdp+uQbZ9Zxrh3Lfm1lO4JEWp YJ4Yrf8gC+OFzz5Iho7PcEI7BkDcHgChDFp1F4uDKW2tIkfBohceoeWS k/e5+aL8ccMlex7BnBMb+5ip1BX0EnimPwET66Xxnc96H/QftFypp3AD o2u2Bqu6EK0IKO1eBQHTrC6Y9Fv5J5Bc/tRyeTMkYoyzr7DWr3/32e0e CfyGtKFby3CRtJ74nW1X4P15xekp3whHfkZq1hfGXMrDEkFH3It8F2o2 IWvMoQkuuaBHhekkWVrAW3TD1+qcYflEt6SB8zCB8KADAgEXooHoBIHl QOPfWBrUx0Uz8g1zLxfHjvqrubwdK4Oe0RB4GPCspDHzSl732SfsvG1W V5w8LXcxTaVvnBO0pQPupqrPb+VStdFXnXk8npquzE0ynAmaia/6SiRg YhWVdDMy5Uxi52vjAkEoOToPlDYdc7tcaIY+yZBBzAXXdb7v7ocvDlfp Izz5GlE/BoZ98ksZM6dDmqrcW0mRJmFG8CbS9dix+mOCd046pdIqdgBN I/LSk2olbm33vXYkE/ATqoruOOKFi2CyTWWbnilk/oIPRbBTc3QzrMy3 /1fdFba47smSDgGk9CkvGtY4pg== 0 I: I:testing update for testdc2.example.nil. A 86400 A 10.53.0.11 I:update failed for testdc2.example.nil. A 86400 A 10.53.0.11 I:Reply from SOA query: I:;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24209 I:;; flags: qr aa; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 I:;; QUESTION SECTION: I:;testdc2.example.nil. IN SOA I: I:;; AUTHORITY SECTION: I:example.nil. 0 IN SOA blu.example.nil. hostmaster.example.nil. 2010113027 172800 14400 3628800 604800 I: I:Found zone name: example.nil I:The master is: blu.example.nil I:start_gssrequest I:Found realm from ticket: EXAMPLE.NIL I:send_gssrequest I:recvmsg reply from GSS-TSIG query I:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33251 I:;; flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 I:;; QUESTION SECTION: I:;2657258321.sig-blu.example.nil. ANY TKEY I: I:;; ANSWER SECTION: I:2657258321.sig-blu.example.nil. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0 I: I:dns_tkey_gssnegotiate: TKEY is unacceptable I:Outgoing update query: I:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33251 I:;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 I:;; QUESTION SECTION: I:;2657258321.sig-blu.example.nil. ANY TKEY I: I:;; ADDITIONAL SECTION: I:2657258321.sig-blu.example.nil. 0 ANY TKEY gss-tsig. 1506633392 1506633392 3 NOERROR 1321 YIIFJQYGKwYBBQUCoIIFGTCCBRWgDTALBgkqhkiG9xIBAgKiggUCBIIE /mCCBPoGCSqGSIb3EgECAgEAboIE6TCCBOWgAwIBBaEDAgEOogcDBQAg AAAAo4ID2GGCA9QwggPQoAMCAQWhDRsLRVhBTVBMRS5OSUyiITAfoAMC AQGhGDAWGwNETlMbD2JsdS5leGFtcGxlLm5pbKOCA5UwggORoAMCAReh AwIBAaKCA4MEggN/8vU9EgEjUL8Mp1I6zgbLg9V73u71FN0/Q01OKOve PDQot0QM2QH1scDk91jEtmjnamcIbZ8aXlm+wj3jJU+WZsOxw/KiEljo xbTkP05fnx8LNPX5Sr+KR8Id1D87bRzPVxKRDEmIrs7jnBLQoKLjrGhU UGqYK1CkHNfBd3VWj3viR50jnYTT8rU97N1FSgJ8Cx21AffPS0vaUHgF SVU8DIfvXoLkNlRCT/O3qPF/utVcKhnUb2QInxQq4DXVWISwIhVYt65e R0ajp46pcjCV1rTtJGKhyopdxhGGfBetyxn+wQaMRuQKGYgHKi3UQY5D 397Vc9FlQVc5x5pGSVX42OWeyg3KzSGgcBtylo/+Xdlid8b6P5BkcTiS +jWIX0HUpx9c4CCTIZ8mWjoMowEP9TrTNCDgXyaT19N/TPQ2kC4CLnX5 MsYg6MBZ1F/hhmmtUpQ9VXcKZXBP7CDxY7528da3+EeVJZWyT/6w940C x1XincAfpWqOMDQsjDTXroeYp9fxtgtzTxAXS3k3wManDf/WW3f2eBeY BV4DGg/zARBiIibf24ElYEb8EaBpj2fFR35PO8RhMmDIw/vfWWQm2d49 /KuxSRyBOAWwKd2xDJXlUuS8SZnerZC0XGv3LitLBUDsnd3y0VwsHanO 2NjyUiqR/Wmyf+gKiKVEM08931DFwUOwdSh9V2pwGpUI07MnGhVJrcmQ 1UbRlTDPmpPWLD/SEqqkxDLcL401gkYk79EuePvQJbRsN/5gYd3hDCKX 0J+tjNjpN74QMknU529IUYu63QnWPw1Lvgl6TMqgugGCTy07HJa4IfGS t6NMakMON0/D06PDwaCwvPQLyPJKC81CekqMfjaS6DXj67cFKOyNWeQI JvUv24fxrmoLJKhA7MLwlUBNAaKLS4EMdp+uQbZ9Zxrh3Lfm1lO4JEWp YJ4Yrf8gC+OFzz5Iho7PcEI7BkDcHgChDFp1F4uDKW2tIkfBohceoeWS k/e5+aL8ccMlex7BnBMb+5ip1BX0EnimPwET66Xxnc96H/QftFypp3AD o2u2Bqu6EK0IKO1eBQHTrC6Y9Fv5J5Bc/tRyeTMkYoyzr7DWr3/32e0e CfyGtKFby3CRtJ74nW1X4P15xekp3whHfkZq1hfGXMrDEkFH3It8F2o2 IWvMoQkuuaBHhekkWVrAW3TD1+qcYflEt6SB8zCB8KADAgEXooHoBIHl GbE/zadTJEAiX5W142Y5S4CVCGQab/gZ7/OHQRxjRyGye4cBEo1xWHmM fTrkfWZm2r/BzuQYqkktgPFSnyxNZ5wQFegLORROQEaUZgcvLcBJaooA nQFLLlMhaed98oqWdGv3Zso56z2LWtyPo3z4NZiO/EIjOcnEtpXeWLV4 8PBAgqc9SM3wduBKSJeVsroC1xMdw3lLUB3B2XQH6+U7n4Ezj9uRAvDy utHaV2IpvXY8st2F2uBiym6a37YCAtWcGFwWHZxUsA8yR8OZxp4VHZQE dzEwQD0oDYZgCKiO0ViqE0Melg== 0 I: I:testing updates as a user I:testing update for testdenied.example.nil. TXT 86400 TXT helloworld I:update failed for testdenied.example.nil. TXT 86400 TXT helloworld I:Reply from SOA query: I:;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55486 I:;; flags: qr aa; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 I:;; QUESTION SECTION: I:;testdenied.example.nil. IN SOA I: I:;; AUTHORITY SECTION: I:example.nil. 0 IN SOA blu.example.nil. hostmaster.example.nil. 2010113027 172800 14400 3628800 604800 I: I:Found zone name: example.nil I:The master is: blu.example.nil I:start_gssrequest I:Found realm from ticket: EXAMPLE.NIL I:send_gssrequest I:recvmsg reply from GSS-TSIG query I:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52424 I:;; flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 I:;; QUESTION SECTION: I:;786568219.sig-blu.example.nil. ANY TKEY I: I:;; ANSWER SECTION: I:786568219.sig-blu.example.nil. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0 I: I:dns_tkey_gssnegotiate: TKEY is unacceptable I:Outgoing update query: I:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52424 I:;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 I:;; QUESTION SECTION: I:;786568219.sig-blu.example.nil. ANY TKEY I: I:;; ADDITIONAL SECTION: I:786568219.sig-blu.example.nil. 0 ANY TKEY gss-tsig. 1506633392 1506633392 3 NOERROR 1259 YIIE5wYGKwYBBQUCoIIE2zCCBNegDTALBgkqhkiG9xIBAgKiggTEBIIE wGCCBLwGCSqGSIb3EgECAgEAboIEqzCCBKegAwIBBaEDAgEOogcDBQAg AAAAo4IDnWGCA5kwggOVoAMCAQWhDRsLRVhBTVBMRS5OSUyiITAfoAMC AQGhGDAWGwNETlMbD2JsdS5leGFtcGxlLm5pbKOCA1owggNWoAMCAReh AwIBAaKCA0gEggNEXrVGXH+CQCmXTmcw3qYaIiXDltiPCi20gnWRpKTW CyZJhiCZNfzIW4gBL8bYYfZ7SiVO+Hb7AbsPmtyAw9puT2PNEBayHEjw hkfFJuehjfDb4OuRshrSjjPq/FZr8LE50OGUMiBpywYAKNh5lktzjA/N ZHTAqpqmA1M+1TH5hKS13J+iymLati4arXkhHK9gHw3PwtyqII1WfeSR 1fI6sp1UlxGqF6C8VgBcGJHpn6ajQxXEV95ZTg6UHHjERUEJT3ZYVtKd Q2j7BoUf5L/VpjbJKDxJE3liMCQ+m/qchkugN2Lr2fHpeCir0llsXKLA 3I6eLrl4fmgXrDKTqhBcC4jfT4q8iKxYdMLgWA2g7WA9+xUXgYCEQXlS 5MxFlbC/YOkPOb/pBMU8fvJ1kCpeMuvLmIk/25UE6pusM9UoCUG3Rd7t TfuR50FY9+uwiNWpzZ+MTk5Vc/pHucAIjSGa1zrwew8rjmuE1dfzBWZh hCiesm7YWzeZ+BRNgin7FuiAM5fBsQyjF7weMo5HR99H2fqXq5SAYsnz 2wl5YLaRnwNNQFonNhFdgS2wDnz7MONXThHxhBzJDs/sRNl1HlH4ldzh 50ZI+z2hSnRH8ma/FY+G2bwSElCPB3sgXNg5hD1mchamrL+CxD5s70v+ h+eydtyXLFq3l2hNyntWFpFPe5UnRh8NpRZS9ZsxsiWhOe6m1CuLBuom FJXIXsB8kMMWgfpdbhEmN9+CXy+BNaENETUyBh8OldivHXX4sYL2T0Ub c/1K9oxCpCGBOcs3esPl2ucbCCLf/20kf+j8iyVVDdT0DN7dS7ReMtch pYCqJjVJNcD4WlwusorpE5ZtVtzhBa2v2lr4/bE5tVEqogkYi6tbBDTK j3CSJDckwxxzo1bCG7JoD25KJbUrN+F0JzO9jameENaWAA9HGa7D69FL gQDAamDrWg8dWP1BB2leUXoy3fcpxXawicGB2B2CTuIT8Xc43XFee8GW lKbGNt0TVWe1agI/TqnoNXut7kXwodCTkezrX7DRo0XM7iOmeUmAeXqh CF1nmm9p1CKq8UoK1g9VTCpvBMg9Io6I9LLEcop+8n7ZHwQLe7qSwSoe dQU/XbLyfgGkgfAwge2gAwIBF6KB5QSB4qd2lWfogmh15XLYINTPaEIi ntzBH4ge9WBztjOzbUfEhNPulHSAJX9g9czCu6B8AJzsEn2Ov6KxNt08 zFqf9vBZQ5NmrxGF3b4HnDwzQ70U3oAsGd/vmOG8ZznhfMGGOWLrcd9F QG0RK3ggkwkbFPzOxPbCYZEYJaXsICHwqHwP4NBHr7Ga4kcuDSi6peGw lElzQo3m1dkIOmt72Vba/oOwEQvjdFqTcHbf4LKghbi87ISqoqSerGzm h2b2yAnGQDGBwSEyy+zdh5qy1Hc3NljUeN1+euH7fE9k6/rBxh1bXIA= 0 I: I:testing external update policy I:testing update for testcname.example.nil. TXT 86400 CNAME testdenied.example.nil I:update failed for testcname.example.nil. TXT 86400 CNAME testdenied.example.nil I:Reply from SOA query: I:;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 43138 I:;; flags: qr aa; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 I:;; QUESTION SECTION: I:;testcname.example.nil. IN SOA I: I:;; AUTHORITY SECTION: I:example.nil. 0 IN SOA blu.example.nil. hostmaster.example.nil. 2010113027 172800 14400 3628800 604800 I: I:Found zone name: example.nil I:The master is: blu.example.nil I:start_gssrequest I:Found realm from ticket: EXAMPLE.NIL I:send_gssrequest I:recvmsg reply from GSS-TSIG query I:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30350 I:;; flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 I:;; QUESTION SECTION: I:;4057323384.sig-blu.example.nil. ANY TKEY I: I:;; ANSWER SECTION: I:4057323384.sig-blu.example.nil. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0 I: I:dns_tkey_gssnegotiate: TKEY is unacceptable I:Outgoing update query: I:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30350 I:;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 I:;; QUESTION SECTION: I:;4057323384.sig-blu.example.nil. ANY TKEY I: I:;; ADDITIONAL SECTION: I:4057323384.sig-blu.example.nil. 0 ANY TKEY gss-tsig. 1506633393 1506633393 3 NOERROR 1259 YIIE5wYGKwYBBQUCoIIE2zCCBNegDTALBgkqhkiG9xIBAgKiggTEBIIE wGCCBLwGCSqGSIb3EgECAgEAboIEqzCCBKegAwIBBaEDAgEOogcDBQAg AAAAo4IDnWGCA5kwggOVoAMCAQWhDRsLRVhBTVBMRS5OSUyiITAfoAMC AQGhGDAWGwNETlMbD2JsdS5leGFtcGxlLm5pbKOCA1owggNWoAMCAReh AwIBAaKCA0gEggNEXrVGXH+CQCmXTmcw3qYaIiXDltiPCi20gnWRpKTW CyZJhiCZNfzIW4gBL8bYYfZ7SiVO+Hb7AbsPmtyAw9puT2PNEBayHEjw hkfFJuehjfDb4OuRshrSjjPq/FZr8LE50OGUMiBpywYAKNh5lktzjA/N ZHTAqpqmA1M+1TH5hKS13J+iymLati4arXkhHK9gHw3PwtyqII1WfeSR 1fI6sp1UlxGqF6C8VgBcGJHpn6ajQxXEV95ZTg6UHHjERUEJT3ZYVtKd Q2j7BoUf5L/VpjbJKDxJE3liMCQ+m/qchkugN2Lr2fHpeCir0llsXKLA 3I6eLrl4fmgXrDKTqhBcC4jfT4q8iKxYdMLgWA2g7WA9+xUXgYCEQXlS 5MxFlbC/YOkPOb/pBMU8fvJ1kCpeMuvLmIk/25UE6pusM9UoCUG3Rd7t TfuR50FY9+uwiNWpzZ+MTk5Vc/pHucAIjSGa1zrwew8rjmuE1dfzBWZh hCiesm7YWzeZ+BRNgin7FuiAM5fBsQyjF7weMo5HR99H2fqXq5SAYsnz 2wl5YLaRnwNNQFonNhFdgS2wDnz7MONXThHxhBzJDs/sRNl1HlH4ldzh 50ZI+z2hSnRH8ma/FY+G2bwSElCPB3sgXNg5hD1mchamrL+CxD5s70v+ h+eydtyXLFq3l2hNyntWFpFPe5UnRh8NpRZS9ZsxsiWhOe6m1CuLBuom FJXIXsB8kMMWgfpdbhEmN9+CXy+BNaENETUyBh8OldivHXX4sYL2T0Ub c/1K9oxCpCGBOcs3esPl2ucbCCLf/20kf+j8iyVVDdT0DN7dS7ReMtch pYCqJjVJNcD4WlwusorpE5ZtVtzhBa2v2lr4/bE5tVEqogkYi6tbBDTK j3CSJDckwxxzo1bCG7JoD25KJbUrN+F0JzO9jameENaWAA9HGa7D69FL gQDAamDrWg8dWP1BB2leUXoy3fcpxXawicGB2B2CTuIT8Xc43XFee8GW lKbGNt0TVWe1agI/TqnoNXut7kXwodCTkezrX7DRo0XM7iOmeUmAeXqh CF1nmm9p1CKq8UoK1g9VTCpvBMg9Io6I9LLEcop+8n7ZHwQLe7qSwSoe dQU/XbLyfgGkgfAwge2gAwIBF6KB5QSB4nlbsdOMQgItDkP0tk1rc2cc xcUqDQ278D9PfvMOYhautOrO0heWt2TXKJduK1U5vGKtyIIE9OmJDvCa HxJzXAYuKPGtGSN4+MiTOfrWQ4YtjIEHQj4Polvp5zaQ+yWijItro5XH KT+nzFyY5DJq8mC/6ao1cgQSSYdJ0ZtH1DViELntWKlD8EeXCwjbYpGP Q5OndoMJrcSOUCIUWo5Rz0dgl/xOesfH6dlm54497z6S31nzoRTNXffk g3xzHJnknYNNQA1/dhNkewQj8prY+G4sHpdqiQ6GqrMXhuqRk5wztVk= 0 I: I:testing external policy with SIG(0) key I:ensure too long realm name is fatal in non-interactive mode I:ensure too long realm name is not fatal in interactive mode I:exit status: 1 R:FAIL E:tsiggss:Fri Sep 29 02:46:34 IST 2017 [muks@ponyo system]$ Mukund
# Thu, 28 Sep 2017 17:49:49 -0400 Francis Dupont <Francis_Dupont@isc.org> - Correspondence added [Reply] [Comment]
Download (untitled) / with headers
text/plain 708B
On Thu Sep 28 21:18:33 2017, muks wrote: > On Thu, Sep 28, 2017 at 08:54:15PM +0000, Francis Dupont via RT wrote: > > => it looks like it uses a system wide krb5.conf. There is no > > muks@ISC.ORG in the system test. > > I was kinit'd as muks@ISC.ORG, so I used kdestroy to forget it. The > second part of log messages in the previous message is from when > muks@ISC.ORG is no longer there. => it is not the config or the ccache but another thing. Can you check the environment variables including the defaults (cf https://web.mit.edu/kerberos/krb5-1.12/doc/admin/env_variables.html) and see if one should be (re)set. On my VM I did not install any Kerberos thing: I just got what is installed by default.
# Fri, 29 Sep 2017 12:33:44 -0400 Curtis Blackburn <ckb@isc.org> - Correspondence added [Reply] [Comment]
Subject: Re: [ISC-Bugs #46086] tsiggss system test failing on Fedora 26 (master, v9_10 included)
To: bind9-confidential@isc.org
Date: Fri, 29 Sep 2017 09:28:31 -0700
From: "Curtis Blackburn" <ckb@isc.org>
Download (untitled) / with headers
text/plain 1KiB
I see the same failure (I think) on the fedora26 node on jenkins: https://jenkins.isc.org/view/BIND/job/bind9-master-fedora26-64/lastCompletedBuild/testReport/bind/system/tsiggss/ this vm is a default install with only the things needed to compile bind and run jenkins installed. ~Curtis On 9/28/17 2:49 PM, Francis Dupont via RT wrote: > On Thu Sep 28 21:18:33 2017, muks wrote: > > On Thu, Sep 28, 2017 at 08:54:15PM +0000, Francis Dupont via RT wrote: > >> => it looks like it uses a system wide krb5.conf. There is no > >> muks@ISC.ORG in the system test. > > > > I was kinit'd as muks@ISC.ORG, so I used kdestroy to forget it. The > > second part of log messages in the previous message is from when > > muks@ISC.ORG is no longer there. > > => it is not the config or the ccache but another thing. > Can you check the environment variables including the defaults > (cf https://web.mit.edu/kerberos/krb5-1.12/doc/admin/env_variables.html) > and see if one should be (re)set. On my VM I did not install > any Kerberos thing: I just got what is installed by default. > >
# Mon, 09 Oct 2017 06:26:52 -0400 Ondrej Sury <ondrej@isc.org> - Queue changed from #6 to bind9-public
# Mon, 09 Oct 2017 16:39:45 -0400 Petr Menšík <pemensik@redhat.com> - Correspondence added [Reply] [Comment]
Subject: [ISC-Bugs #46086] tsiggss system test failing on Fedora 26 (master, v9_10 included)
To: bind9-confidential@isc.org
From: "Petr Menšík" <pemensik@redhat.com>
Date: Mon, 9 Oct 2017 22:39:38 +0200
Download (untitled) / with headers
text/plain 626B
Hello, just a small note for tsiggss test on Fedora 26 (and later as well). It will pass just fine if started with $ KRB5_CONFIG=/dev/null sh run.sh tsiggss There is KRB5_CONFIG environment in tests.sh right at the start. However named server is started by start.pl script before prep and tests.sh are started. It inherits system defaults. If KRB5_CONFIG=/dev/null is exported from conf.sh, test will pass again. I am surprised it works on Fedora 25 without a change, but I think it is test configuration issue. -- Petr Menšík Software Engineer Red Hat, http://www.redhat.com/ email: pemensik@redhat.com PGP: 65C6C973
# Mon, 09 Oct 2017 17:26:09 -0400 Ondrej Sury <ondrej@isc.org> - Correspondence added [Reply] [Comment]
RT-Send-CC: pemensik@redhat.com
Download (untitled) / with headers
text/plain 1.7KiB
On Mon Oct 09 20:39:45 2017, pemensik@redhat.com wrote: > Hello, > > just a small note for tsiggss test on Fedora 26 (and later as well). It > will pass just fine if started with > $ KRB5_CONFIG=/dev/null sh run.sh tsiggss > > There is KRB5_CONFIG environment in tests.sh right at the start. However > named server is started by start.pl script before prep and tests.sh are > started. It inherits system defaults. If KRB5_CONFIG=/dev/null is > exported from conf.sh, test will pass again. I am surprised it works on > Fedora 25 without a change, but I think it is test configuration issue. Thanks for the debugging on Fedora, this is much appreciated. Here's the patch I pushed to our repo: diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in index 0d63f129e8..3672e1c662 100644 --- a/bin/tests/system/conf.sh.in +++ b/bin/tests/system/conf.sh.in @@ -65,6 +65,9 @@ MAKEJOURNAL=$TOP/bin/tests/makejournal PIPEQUERIES=$TOP/bin/tests/system/pipelined/pipequeries SAMPLEUPDATE=$TOP/lib/samples/sample-update +# we don't want a KRB5_CONFIG setting breaking the tests +KRB5_CONFIG=/dev/null + # The "stress" test is not run by default since it creates enough # load on the machine to make it unusable to other users. # v6synth @@ -150,6 +153,7 @@ export KEYFRLAB export KEYGEN export KEYSETTOOL export KEYSIGNER +export KRB5_CONFIG export MAKEJOURNAL export MDIG export NAMED diff --git a/bin/tests/system/tsiggss/tests.sh b/bin/tests/system/tsiggss/tests.sh index 42d1db0dd8..2fb850717f 100644 --- a/bin/tests/system/tsiggss/tests.sh +++ b/bin/tests/system/tsiggss/tests.sh @@ -15,10 +15,6 @@ status=0 DIGOPTS="@10.53.0.1 -p 5300" -# we don't want a KRB5_CONFIG setting breaking the tests -KRB5_CONFIG=/dev/null -export KRB5_CONFIG - test_update() { host="$1" type="$2" Ondrej
# Tue, 10 Oct 2017 11:07:24 -0400 Mukund Sivaraman <muks@isc.org> - Given to Ondrej Sury <ondrej@isc.org>
# Wed, 11 Oct 2017 02:32:23 -0400 Ondrej Sury <ondrej@isc.org> - Status changed from 'review' to 'qa'
# Wed, 11 Oct 2017 11:53:20 -0400 Evan Hunt <Evan_Hunt@isc.org> - Correspondence added [Reply] [Comment]
Download (untitled) / with headers
text/plain 104B
> Merged into master This also needed to be backported to v9_11, v9_10 and v9_9; I've taken care of it.
# Thu, 09 Nov 2017 06:39:01 -0500 Stephen Morris <stephen@isc.org> - Status changed from 'qa' to 'resolved'