Report information
The Basics
Id: 46840
Status: resolved
Priority: Low/Low

People
Owner: Nobody in particular

Dates
Created: Tue, 12 Dec 2017 13:59:06 -0500
Updated: Tue, 12 Dec 2017 17:40:35 -0500
Closed: Tue, 12 Dec 2017 17:40:35 -0500




Date: Tue, 12 Dec 2017 19:58:24 +0100
From: akarl10@mwsys.mine.bz
Subject: use primary master server also for gss negotiation with nsupdate -g
To: bind-suggest@isc.org

nsupdate fails if the system dns resolver does not forward TKEY.

I've seen this happening in this configuration: https://github.com/systemd/systemd/issues/6727

The flow seems to be:
1. find primary master*
2. gss setup (over system defined dns server)
3. send signed update request to primary master

*there seems to be a fallback in place when no SOA is in AUTHORITY and ANSWER section: remove the leftmost dns label and repeat step 1

Using this "stub" resolver only QUERY and ANSWER section seem to be passed.

I would suggest a fallback for the case where TKEY gets filtered: Talk with the primary master directly:
1. find primary master
2. gss setup (over system defined dns server, if it fails using primary master)
3. send signed update request to primary master

This is fixed in the current maintenance release (BIND 9.10.6. Released 2017-07-28). Your OS is three maintenance releases behind the current release (BIND 9.10.3 Released 2015-09-16). I suggest that you open a bug report with them requesting that they integrate the current maintenance release.

4588. [bug] nsupdate could send queries for TKEY to the wrong server when using GSSAPI. Thanks to Tomas Hozza. [RT #39893]