nsupdate does not use all name servers from resolv.conf
Summary
nsupdate(1) does not traverse all nameservers from resolv.conf to resolve the SOA record.
BIND version used
nsupdate 9.16.16 on FreeBSD 12.2-RELEASE
Steps to reproduce
Run:
# /usr/local/bin/nsupdate -DD -g /usr/local/etc/register-hostnames.nsupdate
# cat /usr/local/etc/register-hostnames.nsupdate
zone ad001.siemens.net
update add HOST.ad001.siemens.net 3600 A 146.254.X.Y
send
What is the current bug behavior?
nsupdate says:
response to SOA query was unsuccessful
Well, host says:
# host -t SOA ad001.siemens.net
ad001.SIEMENS.net has SOA record DC.ad001.siemens.net. ...\.siemens.com. 119802228 10800 3600 604800 3600
My resolv.conf is the following:
# cat /etc/resolv.conf
domain ad001.siemens.net
search ad001.siemens.net bln.siemens.de bln3.siemens.de
nameserver NS-A
nameserver NS-B
nameserver BIGSEC
options timeout:1 attempts:2
NS-A runs bind9 on FreeBSD 12-STABLE; NS-B runs bind9 on RHEL7; BIGSEC is out of my control and company-wide.
What is the expected correct behavior?
Update record in Active Directory with GSS-TSIG.
Relevant logs and/or screenshots
I ran tcpdump while nsupdate was working. My expectation is that nsupdate will try all nameservers to resolve the SOA record, but it stops at the first one:
# tcpdump -v -i vnet0 udp
tcpdump: listening on vnet0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:00:59.088426 IP (tos 0x0, ttl 64, id 30865, offset 0, flags [none], proto UDP (17), length 63)
HOST.ad001.siemens.net.59520 > NS-A.domain: 42421+ SOA? ad001.siemens.net. (35)
13:00:59.088849 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 63)
NS-A.domain > HOST.ad001.siemens.net.59520: 42421 Refused- 0/0/0 (35)
13:00:59.088928 IP (tos 0x0, ttl 64, id 15837, offset 0, flags [none], proto UDP (17), length 71)
HOST.ad001.siemens.net.17552 > NS-A.domain: 5051+ PTR? NS-A-IP.in-addr.arpa. (43)
13:00:59.089185 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 114)
NS-A.domain > HOST.ad001.siemens.net.17552: 5051*- 1/0/0 NS-A-IP.in-addr.arpa. PTR NS-A. (86)
For some reason, which I still need to investigate, the named on FreeBSD does not respond with the SOA record.
Now the same with the host command:
# tcpdump -v -i vnet0 udp
tcpdump: listening on vnet0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:03:18.496214 IP (tos 0x0, ttl 64, id 30867, offset 0, flags [none], proto UDP (17), length 63)
HOST.ad001.siemens.net.43313 > NS-A.domain: 46818+ SOA? ad001.siemens.net. (35)
13:03:18.496690 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 63)
NS-A.domain > HOST.ad001.siemens.net.43313: 46818 Refused- 0/0/0 (35)
13:03:18.496714 IP (tos 0x0, ttl 64, id 32357, offset 0, flags [none], proto UDP (17), length 71)
HOST.ad001.siemens.net.26366 > NS-A.domain: 20427+ PTR? NS-A-IP.in-addr.arpa. (43)
13:03:18.497085 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 114)
NS-A.domain > HOST.ad001.siemens.net.26366: 20427*- 1/0/0 NS-A-IP.in-addr.arpa. PTR NS-A. (86)
13:03:18.497420 IP (tos 0x0, ttl 64, id 30868, offset 0, flags [none], proto UDP (17), length 63)
HOST.ad001.siemens.net.31902 > NS-B.domain: 46818+ SOA? ad001.siemens.net. (35)
13:03:18.497485 IP (tos 0x0, ttl 64, id 32358, offset 0, flags [none], proto UDP (17), length 70)
HOST.ad001.siemens.net.45374 > NS-A.domain: 24116+ PTR? NS-B-IP.in-addr.arpa. (42)
13:03:18.497806 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 110)
NS-A.domain > HOST.ad001.siemens.net.45374: 24116*- 1/0/0 NS-B-IP.in-addr.arpa. PTR NS-B. (82)
13:03:18.499570 IP (tos 0x0, ttl 63, id 55996, offset 0, flags [none], proto UDP (17), length 533)
NS-B.domain > HOST.ad001.siemens.net.31902: 46818 1/13/11 ad001.SIEMENS.net. SOA DC.ad001.siemens.net. ...\.siemens.com. 119802228 10800 3600 604800 3600 (505)
In this case all nameservers are tried, while nsupdate stops at the first one.
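The fallback behaviour the report expects, shown as an added example in Python that is not part of the report, of nsupdate, or of BIND: it parses a resolv.conf like the one above (honouring `options timeout:` and `attempts:`), sends a SOA query to each listed nameserver in turn, and moves on to the next server after REFUSED, SERVFAIL or a timeout instead of giving up. The DNS header and question encoding are the real wire format; the transport `fake_send`, the server names NS-A/NS-B/BIGSEC and their REFUSED/NOERROR replies are constructed here to mirror the tcpdump capture, and `find_soa`, `parse_resolv_conf` and the other function names are assumptions of this example, not nsupdate's internals.

```python
"""Resolver fallback across all resolv.conf nameservers (added example, not BIND code)."""
import random
import struct

QTYPE_SOA = 6
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

# Constructed resolv.conf mirroring the one in the report (server names are placeholders).
SAMPLE_RESOLV_CONF = """\
domain ad001.siemens.net
search ad001.siemens.net bln.siemens.de bln3.siemens.de
nameserver NS-A
nameserver NS-B
nameserver BIGSEC
options timeout:1 attempts:2
"""


def parse_resolv_conf(text):
    """Return (nameservers, options); options hold timeout/attempts with resolver-style defaults."""
    servers = []
    options = {"timeout": 5, "attempts": 2}  # assumed defaults, overridden by 'options' lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, *rest = line.split()
        if key == "nameserver" and rest:
            servers.append(rest[0])
        elif key == "options":
            for opt in rest:
                name, _, value = opt.partition(":")
                if name in options and value.isdigit():
                    options[name] = int(value)
    return servers, options


def encode_name(name):
    """Encode a domain name as DNS labels (length-prefixed, NUL-terminated)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_soa_query(zone, qid):
    """12-byte header with RD set and one question, followed by QNAME/QTYPE=SOA/QCLASS=IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, 1)


def response_status(packet, expected_id):
    """Return (rcode name, answer count) from a response header; reject short or mismatched ids."""
    if len(packet) < 12:
        raise ValueError("short response")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qid != expected_id:
        raise ValueError("response id does not match query id")
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, "RCODE%d" % rcode), an


def find_soa(zone, resolv_text, send):
    """Query every nameserver in order, up to `attempts` times each, and return the first
    server that answers with an SOA. `send(server, packet, timeout)` returns the raw
    response bytes or None on timeout. REFUSED/SERVFAIL skip straight to the next server."""
    servers, opts = parse_resolv_conf(resolv_text)
    log = []  # (server, outcome) per query sent, useful for diagnosing a capture like the report's
    for server in servers:
        for _attempt in range(opts["attempts"]):
            qid = random.randrange(0x10000)
            reply = send(server, build_soa_query(zone, qid), opts["timeout"])
            if reply is None:
                log.append((server, "timeout"))
                continue  # retry the same server until attempts are exhausted
            rcode, answers = response_status(reply, qid)
            log.append((server, rcode))
            if rcode == "NOERROR" and answers > 0:
                return server, log
            if rcode in ("REFUSED", "SERVFAIL"):
                break  # this server will not serve the zone; try the next one
    return None, log


def fake_send(server, packet, timeout):
    """Constructed transport standing in for UDP, reproducing the report's capture."""
    qid, question = packet[:2], packet[12:]
    if server == "NS-A":    # REFUSED (flags 0x8185: QR, RD, RA, RCODE=5), like the FreeBSD named
        return qid + struct.pack("!HHHHH", 0x8185, 1, 0, 0, 0) + question
    if server == "NS-B":    # NOERROR with ancount=1; the SOA RDATA itself is omitted here
        return qid + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + question
    return None             # BIGSEC: never reached in this scenario


if __name__ == "__main__":
    server, log = find_soa("ad001.siemens.net", SAMPLE_RESOLV_CONF, fake_send)
    print("SOA served by:", server)
    for entry in log:
        print("  %-8s %s" % entry)
```

Run against the constructed transport, NS-A is logged as REFUSED and the lookup continues to NS-B, which is the sequence the `host` capture shows; a server that only times out is retried `attempts` times before the next one is tried.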