On 26.06.2015 16:51, BIND9 Bugs via RT wrote:
> Greetings,
>
> This message was automatically generated to acknowledge receipt of
> your recent email
> "nsupdate: Queries for TKEY are sent to wrong server when using GSSAPI",
> and to let you know that we have opened a ticket for your request
> (a summary of which appears below.)
>
> We do not need a further response from you, but if you do respond,
> please include in the Subject of your reply the ID
> '[ISC-Bugs #39893]'
> so that we can match up your reply with our trouble ticket.
>
> What Happens Next
> =================
>
> Bug reports submitted to us in this manner are handled based on
> perceived severity in relation to other bugs. We handle reports as
> time permits so there is no guaranteed response time for these
> reports.
>
> If you feel the issue you are reporting is a security issue, please
> see http://www.isc.org/security/reporting-issues for details on how
> to report it, including the PGP key you may use.
>
> If it is of a non-security yet still urgent matter, you may reply
> to this message to add further information.
>
>
> Other Support Options
> =====================
>
> If your organization requires more immediate attention, ISC offers
> paid support options. Please see http://www.isc.org/services/support
> for more information.
>
> If paid support is not an option, please consider making a donation
> to ISC. We don't require a donation -- we will work on your report
> just as quickly whether or not you can donate -- but we always need
> and welcome community support. See http://www.isc.org/supportisc
>
>
> Run a Supported Version
> =======================
>
> If you are not running a supported version of BIND, please upgrade.
> Bug reports against unsupported versions of BIND are discouraged,
> as your issue may have already been addressed.
>
> You can find the latest version of BIND here:
>
> https://www.isc.org/software/bind
>
>
> For configuration help...
> =========================
>
> Questions regarding configuration or setup of BIND are addressed on
> the bind-users list - to subscribe, visit:
>
> https://lists.isc.org/mailman/listinfo/bind-users
>
>
> Thank you,
> bind9-bugs@isc.org
>
> ---------------------------------------------------------------------
>
> Hi.
>
> While testing the fix for [ISC-Bugs #39840] I found another issue in nsupdate.
>
> If using GSSAPI, then queries for TKEY are always sent to the servers
> specified in /etc/resolv.conf instead of to the master server for the
> zone. If the server is specified explicitly with the 'server' option,
> queries are sent to the correct server.
>
> The problem is that the code in GSSAPI specific paths was not modified
> to cope with changes done in upstream ticket RT#37925, especially the
> use of master_servers instead of servers.
>
> I'm attaching packet dumps to illustrate what happened:
> - without fix and without explicit 'server' option
> - without fix and with explicit 'server' option
> - with fix without explicit 'server' option
>
> I'm also attaching the patch I used and tested. Although I'm not sure if
> the code in recvgss() should be modified (as done by my patch), it
> seemed reasonable, since as I understood the code, if the TKEY query to
> the first master_server failed, it should be sent to the second one, if
> there is any. Nevertheless the changes in start_gssrequest() are the key
> to fixing the issue.
>
> Regards,
>

Hello.

Any updates on this issue? The bug is causing issues for the FreeIPA project in Fedora, which uses nsupdate.

I would like to kindly ask you to review the patch I sent with the original report. If there are any changes needed for the fix to be merged, please let me know.

Thank you.

Regards,
--
Tomas Hozza
Associate Manager, Software Engineering - EMEA ENG Mainstream RHEL
PGP: 1D9F3C2D
UTC+1 (CET)
Red Hat Inc.
http://cz.redhat.com
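
A capture check for the behaviour reported above, as an added example that is not part of the original messages or of BIND: it parses the question section of each DNS payload and lists TKEY queries whose destination is not one of the zone's masters. The addresses, names and the `misdirected_tkey` helper are constructed for illustration, and extracting `(dst_ip, payload)` pairs from a packet dump is assumed to happen elsewhere.

```python
import struct

TKEY, SOA = 249, 6  # DNS RR type codes (TKEY: RFC 2930)

def build_query(qname, qtype, txid=0x1234):
    """Build a minimal one-question DNS query (used only for the constructed samples)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    name = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (is_query, qname, qtype) for the first question of a DNS message."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    _, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("unexpected compression pointer")
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return (flags & 0x8000) == 0, ".".join(labels) + ".", qtype

def misdirected_tkey(packets, masters):
    """packets: (dst_ip, dns_payload) pairs. Return TKEY queries sent to a non-master."""
    bad = []
    for dst, payload in packets:
        try:
            is_query, qname, qtype = parse_question(payload)
        except ValueError:  # not a parseable DNS message; skip it
            continue
        if is_query and qtype == TKEY and dst not in masters:
            bad.append((dst, qname))
    return bad

# Constructed sample: 192.0.2.53 plays the zone master, 198.51.100.1 a resolv.conf server.
MASTERS = {"192.0.2.53"}
KEYNAME = "1234.sig-master.example.test."
UNFIXED = [("198.51.100.1", build_query("example.test.", SOA)), ("198.51.100.1", build_query(KEYNAME, TKEY))]
FIXED = [("198.51.100.1", build_query("example.test.", SOA)), ("192.0.2.53", build_query(KEYNAME, TKEY))]
```

Running `misdirected_tkey` over the unfixed sample reports the TKEY query that went to the resolver; the fixed sample yields an empty list.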