content-type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-RT-Original-Encoding: utf-8
Content-Length: 1233

Hi.

While testing fix for [ISC-Bugs #39840] I found another issue in nsupdate.

If using GSSAPI, then queries for TKEY are always sent to the servers
specified in the /etc/resolv.conf instead to the master server for the
zone. If the server is specified explicitly as 'server' option, Queries
are sent to the correct server.

The problem is that the code in GSSAPI specific paths was not modified
to cope with changes done in upstream ticket RT#37925, especially the
use of master_servers instead of servers.

I'm attaching packet dumps for illustration what happened:
- without fix and without explicit 'server' option
- without fix and with explicit 'server' option
- with fix without explicit 'server' option

I'm also attaching the patch I used and tested. Although I'm not sure if
the code in recvgss() should be modified (as done by my patch), it
seemed reasonable. Since As I understood the code that if TKEY query to
the first master_server failed, it should be sent to the second one, if
there is any. Nevertheless the changes in start_gssrequest() are the key
to fixing the issue.

Regards,
-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc.                 http://cz.redhat.com