From: akarl10@mwsys.mine.bz
To: bind-suggest@isc.org
Delivered-To: bind9-public@bugs.isc.org
Date: Tue, 12 Dec 2017 19:58:24 +0100
Message-ID: <2857256.qKTfev8j8D@oxygen>
Subject: use primary master server also for gss negotiation with nsupdate -g

nsupdate fails if the system dns resolver does not forward TKEY.

I've seen this happening in this configuration:
https://github.com/systemd/systemd/issues/6727

The flow seems to be:
1. find primary master*
2. gss setup (over system defined dns server)
3. send signed update request to primary master

*there seems to be a fallback in place when no SOA is in the AUTHORITY and ANSWER section: remove the leftmost dns label and repeat step 1

Using this "stub" resolver only the QUERY and ANSWER sections seem to be passed.

I would suggest a fallback for the case where TKEY gets filtered: talk with the primary master directly:
1. find primary master
2. gss setup (over system defined dns server; if it fails, using primary master)
3. send signed update request to primary master
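The lookup-then-fallback flow proposed in the report, modelled in Python with a pluggable transport (an added example, not code from nsupdate or BIND; the zone data and the `fake_send` stub are constructed to mimic a stub resolver that answers SOA queries but drops TKEY):

```python
"""Model of the nsupdate -g flow described above.

`send(qname, rdtype, server)` stands in for a DNS transport and returns
(answer, authority): lists of (owner, rdtype, rdata) tuples.
"""
from typing import Callable, List, Optional, Tuple

RRset = List[Tuple[str, str, str]]
Send = Callable[[str, str, str], Tuple[RRset, RRset]]


def find_primary_master(name: str, send: Send, resolver: str) -> Optional[str]:
    """Step 1: query SOA; if no SOA appears in ANSWER or AUTHORITY, strip the
    leftmost label and retry, the fallback the report describes."""
    labels = name.rstrip(".").split(".")
    while labels:
        qname = ".".join(labels) + "."
        answer, authority = send(qname, "SOA", resolver)
        for _owner, rdtype, rdata in answer + authority:
            if rdtype == "SOA":
                return rdata.split()[0]  # MNAME field of the SOA rdata
        labels = labels[1:]
    return None


def gss_setup(name: str, send: Send, resolver: str, master: str) -> str:
    """Step 2 with the suggested fallback: try TKEY through the system
    resolver, then directly against the primary master. Returns the server
    that completed the exchange."""
    for server in (resolver, master):
        answer, _authority = send(name, "TKEY", server)
        if any(rdtype == "TKEY" for _o, rdtype, _r in answer):
            return server
    raise RuntimeError("TKEY negotiation failed via resolver and via master")


# Constructed zone data: SOA rdata is "MNAME RNAME serial refresh retry expire min".
ZONES = {"example.test.": "ns1.example.test. hostmaster.example.test. 1 1 1 1 1"}


def fake_send(qname: str, rdtype: str, server: str) -> Tuple[RRset, RRset]:
    """Constructed transport: SOA is answered for known zones; the stub
    resolver silently drops TKEY while the master answers it."""
    if rdtype == "SOA":
        return ([(qname, "SOA", ZONES[qname])], []) if qname in ZONES else ([], [])
    if rdtype == "TKEY" and server != "stub-resolver":
        return [(qname, "TKEY", "gss-tsig-token")], []
    return [], []  # TKEY filtered by the stub, or unknown type
```

With the stub resolver in the way, `gss_setup` only succeeds because the second attempt goes to the MNAME returned by `find_primary_master`.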