On Tue, Aug 26, 2025 at 02:02:46PM +0200, Petr Špaček wrote: ! On 26. 08. 25 13:24, Petr Špaček wrote: ! > On 26. 08. 25 12:31, Peter 'PMc' Much wrote: ! > > Out of recvsoa ! > > recvgss() ! > > recvgss creating rcvmsg ! > > show_message() ! > > recvmsg reply from GSS-TSIG query ! > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41256 ! > > ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ! > > ;; QUESTION SECTION: ! > > ;546671530.sig-conr-e.intra.daemon.contact. ANY TKEY ! > > ! > > ;; ANSWER SECTION: ! > > 546671530.sig-conr-e.intra.daemon.contact. 0 ANY TKEY gss-tsig. 0 0 ! > > 3 BADKEY 0 0 ! > > ! > > dns_tkey_gssnegotiate: TKEY is unacceptable ! > ! > TL;DR the _response_ is somehow wrong. ! > ! > I would add -L99 to nsupdate command line. ! > ! > Secondly I would add ! > KRB5_TRACE=/dev/stderr ! > to nsupdate invocation as well to see what krb5 library thinks of this. ! ! Sorry, it was pointed out to me I misread the log and that the error has ! happened on server side.
You're perfectly welcome for any and all suggestions! As this made me quite cluelessly hunt red herrings for more than two days now, any technical inspiration is welcome. :) ! I would run `KRB5_TRACE=/dev/stderr named -g -d 99` and check logs on that ! side. Hard to tell if krb5 will spit anything in the log, but it might be ! worth a try. Doing. ! In any case, have you checked system time? :-) Good point, there is an issue with the clock occasionally loosing sync, but it doesn't happen always, it catches up again, and I haven't seen it being off more than 10-20 seconds. Still investigating, but that should not harm krb5. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
