Skip to content

GitLab

Closed
Created by Michael Osipov@michael-o

nsupdate does not use all name servers from resolv.conf

Summary

nsupdate(1) does not traverse all nameservers from resolv.conf to resolve SOA record.

BIND version used

nsupdate 9.16.16 on FreeBSD 12.2-RELEASE

Steps to reproduce

Run:

#  /usr/local/bin/nsupdate -DD -g /usr/local/etc/register-hostnames.nsupdate
# cat /usr/local/bin/nsupdate -DD -g /usr/local/etc/register-hostnames.nsupdate
zone ad001.siemens.net
update add HOST.ad001.siemens.net 3600 A 146.254.X.Y
send

What is the current bug behavior?

nsupdate says:

response to SOA query was unsuccessful

Well, host says:

# host -t SOA ad001.siemens.net
ad001.SIEMENS.net has SOA record DC.ad001.siemens.net. ...\.siemens.com. 119802228 10800 3600 604800 3600

My resolv.conf is the following:

# cat /etc/resolv.conf
domain ad001.siemens.net
search ad001.siemens.net bln.siemens.de bln3.siemens.de
nameserver NS-A
nameserver NS-B
nameserver BIGSEC
options    timeout:1 attempts:2

NS-A runs bind9 on FreeBSD 12-STABLE, NS-B runs bin9 on RHEL7, BIGSEC is out of my control and company wide.

What is the expected correct behavior?

Update record in Active Directory with GSS-TSIG.

Relevant logs and/or screenshots

I ran tcpdump while nsupdate was working. My expectation is that nsupdate will try all nameservers to resolve the SOA record, but it stops at first one:

# tcpdump -v -i vnet0 udp
tcpdump: listening on vnet0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:00:59.088426 IP (tos 0x0, ttl 64, id 30865, offset 0, flags [none], proto UDP (17), length 63)
    HOST.ad001.siemens.net.59520 > NS-A.domain: 42421+ SOA? ad001.siemens.net. (35)
13:00:59.088849 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 63)
    NS-A.domain > HOST.ad001.siemens.net.59520: 42421 Refused- 0/0/0 (35)
13:00:59.088928 IP (tos 0x0, ttl 64, id 15837, offset 0, flags [none], proto UDP (17), length 71)
    HOST.ad001.siemens.net.17552 > NS-A.domain: 5051+ PTR? NS-A-IP.in-addr.arpa. (43)
13:00:59.089185 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 114)
    NS-A.domain > HOST.ad001.siemens.net.17552: 5051*- 1/0/0 NS-A-IP.in-addr.arpa. PTR NS-A. (86)

For some reason I need to investigate the named on FreeBSD does not respond with the SOA records.

Now the same with the host command:

# tcpdump -v -i vnet0 udp
tcpdump: listening on vnet0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:03:18.496214 IP (tos 0x0, ttl 64, id 30867, offset 0, flags [none], proto UDP (17), length 63)
    HOST.ad001.siemens.net.43313 > NS-A.domain: 46818+ SOA? ad001.siemens.net. (35)
13:03:18.496690 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 63)
    NS-A.domain > HOST.ad001.siemens.net.43313: 46818 Refused- 0/0/0 (35)
13:03:18.496714 IP (tos 0x0, ttl 64, id 32357, offset 0, flags [none], proto UDP (17), length 71)
    HOST.ad001.siemens.net.26366 > NS-A.domain: 20427+ PTR? NS-A-IP.in-addr.arpa. (43)
13:03:18.497085 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 114)
    NS-A.domain > HOST.ad001.siemens.net.26366: 20427*- 1/0/0 NS-A-IP.in-addr.arpa. PTR NS-A. (86)
13:03:18.497420 IP (tos 0x0, ttl 64, id 30868, offset 0, flags [none], proto UDP (17), length 63)
    HOST.ad001.siemens.net.31902 > NS-B.domain: 46818+ SOA? ad001.siemens.net. (35)
13:03:18.497485 IP (tos 0x0, ttl 64, id 32358, offset 0, flags [none], proto UDP (17), length 70)
    HOST.ad001.siemens.net.45374 > NS-A.domain: 24116+ PTR? NS-B-IP.in-addr.arpa. (42)
13:03:18.497806 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 110)
    NS-A.domain > HOST.ad001.siemens.net.45374: 24116*- 1/0/0 NS-B-IP.in-addr.arpa. PTR NS-B. (82)
13:03:18.499570 IP (tos 0x0, ttl 63, id 55996, offset 0, flags [none], proto UDP (17), length 533)
    NS-B.domain > HOST.ad001.siemens.net.31902: 46818 1/13/11 ad001.SIEMENS.net. SOA DC.ad001.siemens.net. ...\.siemens.com. 119802228 10800 3600 604800 3600 (505)

In this case all nameservers are tried while nsupdate stops at the first one.