All,

We have an Active Directory environment here, but use bind9 as our DNS servers. We have for years delegated out the zones:

_tcp.ic.ac.uk
_udp.ic.ac.uk

...and so forth, and used "allow-update" from the IPs of the AD servers.

We're moving to DNSSEC-sign our zones shortly and I thought I might take the opportunity to move to using GSS-TSIG and update-policy, and merge these zones back in (and get them signed without the complication of a DS record).

However, I can't seem to get even a basic test setup running. I've managed to puzzle out the exact syntax required in "named.conf" (yay - case-sensitive GSS principal parsing, how helpful) but "nsupdate -g" seems to simply not work, telling me:

buildquery error
dns_tkey_buildgssquery failed: ran out of space

...or with more debugging:

setup_system()
reset_system()
user_interaction()
get_next_command()
get_next_command()
get_next_command()
evaluate_update()
update_addordelete()
get_next_command()
start_update()
recvsoa()
About to create rcvmsg
show_message()
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  65231
;; flags: qr aa ra ; QUESTION: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;ic.ac.uk.                      IN      SOA

;; ANSWER SECTION:
ic.ac.uk. 86400 IN SOA mname.ic.ac.uk. hostmaster.ic.ac.uk. 2006404671 2700 1800 3600000 86400

;; AUTHORITY SECTION:
ic.ac.uk.               86400   IN      NS      mname.ic.ac.uk.

;; ADDITIONAL SECTION:
mname.ic.ac.uk. 86400   IN      A       192.168.1.1

Found zone name: ic.ac.uk
The master is: mname.ic.ac.uk
start_gssrequest
buildquery error
dns_tkey_buildgssquery failed: ran out of space


I do have an appropriate krb5.conf and indeed the kerberos ticket cache lists a valid-looking ticket:

04/23/10 14:45:57  04/24/10 00:45:40  DNS/mname.ic.ac...@ic.ac.uk
        renew until 04/24/10 00:45:35, Flags: FRA
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
        Addresses: (none)

Does anyone have any suggestions?
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
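For readers following the thread, here is an added named.conf sketch (not the poster's configuration, nor anything from ISC) of the change being described: the old per-zone delegation with IP-based allow-update beside a merged, inline-signed zone that takes updates only from GSS-TSIG-authenticated principals. The file paths, AD server addresses, the domain controller account name DC1$ and the realm spelling IC.AC.UK are all assumptions; the point of the second form is that a client has to hold a valid Kerberos ticket rather than merely a permitted source address.

```conf
// Added example, not from the original post. Paths, IPs, the DC account name
// and the realm name are assumptions.

// Before: delegated zone, updates accepted from the AD servers' addresses.
// Any host able to send from (or spoof) those addresses can change the zone.
zone "_tcp.ic.ac.uk" {
    type master;
    file "/etc/bind/db._tcp.ic.ac.uk";            // assumed path
    allow-update { 192.168.1.10; 192.168.1.11; }; // assumed AD server IPs
};

// After: SRV names live in the parent zone, which is signed inline and
// accepts updates only from clients that authenticate via GSS-TSIG.
options {
    // Keytab holding the DNS/mname.ic.ac.uk@IC.AC.UK service principal
    // (assumed path; the realm must be written exactly as AD issues it,
    // since BIND matches the principal case-sensitively).
    tkey-gssapi-keytab "/etc/bind/dns.keytab";
};

zone "ic.ac.uk" {
    type master;
    file "/etc/bind/db.ic.ac.uk";                 // assumed path
    key-directory "/etc/bind/keys";               // assumed path
    auto-dnssec maintain;
    inline-signing yes;
    update-policy {
        // AD machine accounts (HOST$@IC.AC.UK) may only change their own
        // address records; the identity field names the realm for ms-self.
        grant IC.AC.UK ms-self . A AAAA;
        // The domain controller's account may maintain the service records
        // that used to sit in the delegated zones, and nothing else.
        grant "DC1$@IC.AC.UK" subdomain _tcp.ic.ac.uk SRV;
        grant "DC1$@IC.AC.UK" subdomain _udp.ic.ac.uk SRV;
        // Anything not matched by a grant is refused.
    };
};
```

Once this is in place, "nsupdate -g" on a machine with a ticket for the realm should be the only route to an accepted update; an update arriving from a permitted address without a TSIG or GSS-TSIG signature is logged as REFUSED, which is the behaviour change worth confirming in the named log before retiring the old allow-update lists.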