nsupdate with GSS-TSIG ignores server keyword
Summary
`nsupdate -g` ignores the `server` keyword and sends updates to the SOA MNAME (instead of sending them to the server specified by the user).
BIND version used
(Paste the output of `named -V`.)
```
named -V
BIND 9.16.8-Ubuntu (Stable Release) <id:539f9f0>
running on Linux x86_64 5.4.0-84-generic #94-Ubuntu SMP Thu Aug 26 20:27:37 UTC 2021
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--disable-isc-spnego' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -ffile-prefix-map=/build/bind9-ctcsDC/bind9-9.16.8=. -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -flto=auto -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 10.3.0
compiled with OpenSSL version: OpenSSL 1.1.1j 16 Feb 2021
linked to OpenSSL version: OpenSSL 1.1.1j 16 Feb 2021
compiled with libuv version: 1.40.0
linked to libuv version: 1.40.0
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with json-c version: 0.15
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.5.2
threads support is enabled
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
DNSSEC root key: /etc/bind/bind.keys
nsupdate session key: //run/named/session.key
named PID file: //run/named/named.pid
named lock file: //run/named/named.lock
geoip-directory: /usr/share/GeoIP
```
Steps to reproduce
- Configure GSS-TSIG (good luck...)
- Configure a test DNS zone ZZZ with SOA MNAME = MNAMEINSOA
- Run `nsupdate -g`
- Use input which modifies a record in zone ZZZ and includes the keyword `server DIFFERENTSERVER` (DIFFERENTSERVER != MNAMEINSOA)
What is the current bug behavior?
`nsupdate` attempts to obtain a Kerberos service ticket for the DNS server name MNAMEINSOA (taken from the SOA RR) and ignores the value provided in the `server` keyword.
What is the expected correct behavior?
`nsupdate` should respect the value provided in the `server` keyword.
Relevant configuration files
named.conf:
```
zone "example.org" {
    type master;
    file "/var/lib/bind/db.example.org";
    update-policy {
        grant "DHCP/admin.example.org@EXAMPLE.ORG" zonesub any;
    };
};
```
Input:
```
nsupdate -g <<EOF
server server.example.org
update add abc.example.org. 120 TXT "Hello from Kerberos"
send
EOF
```
Relevant logs and/or screenshots
```
setup_system()
reset_system()
user_interaction()
do_next_command()
do_next_command()
evaluate_update()
update_addordelete()
do_next_command()
start_update()
recvsoa()
About to create rcvmsg
show_message()
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37613
;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;abc.example.org. IN SOA
;; AUTHORITY SECTION:
example.org. 0 IN SOA example.org. root.example.org. 8 604800 86400 2419200 604800
Found zone name: example.org
The master is: example.org <<<--- THIS SHOULD NOT HAPPEN
start_gssrequest
Found realm from ticket: EXAMPLE.ORG
[404] 1632329550.171413: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal DHCP/admin.example.org@EXAMPLE.ORG for server principal DNS/example.org@EXAMPLE.ORG
```
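To make the misdirection visible from a trace like the one above, here is an added Python check (example code, not part of BIND or this report) that parses the `server` line of an nsupdate script and the SOA / Kerberos lines of the debug output, derives the service principal the `server` keyword should have produced (`DNS/<host>@<realm>`), and compares it with the principal the Kerberos library actually requested. The sample script and trace are constructed from the lines in this report.

```python
import re

# Constructed sample input and debug trace, modelled on the report above.
SCRIPT = """server server.example.org
update add abc.example.org. 120 TXT "Hello from Kerberos"
send
"""
DEBUG = """Reply from SOA query:
example.org. 0 IN SOA example.org. root.example.org. 8 604800 86400 2419200 604800
The master is: example.org
Found realm from ticket: EXAMPLE.ORG
[404] 1632329550.171413: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal DHCP/admin.example.org@EXAMPLE.ORG for server principal DNS/example.org@EXAMPLE.ORG
"""

SERVER_RE = re.compile(r"^\s*server\s+(\S+)", re.M)                 # nsupdate 'server' keyword
SOA_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SOA\s+(\S+)\s+\S+", re.M)  # MNAME is the first RDATA field
REALM_RE = re.compile(r"^Found realm from ticket: (\S+)", re.M)
PRINCIPAL_RE = re.compile(r"for server principal (DNS/\S+@\S+)")   # krb5 trace line

def requested_server(script):
    """Host named by the 'server' keyword, without a trailing dot (None if absent)."""
    m = SERVER_RE.search(script)
    return m.group(1).rstrip(".") if m else None

def soa_mname(debug):
    """MNAME of the SOA record nsupdate printed while locating the zone."""
    m = SOA_RE.search(debug)
    return m.group(1).rstrip(".") if m else None

def gss_service_principal(debug):
    """Service principal the Kerberos library was actually asked for a ticket for."""
    m = PRINCIPAL_RE.search(debug)
    return m.group(1) if m else None

def check_gss_target(script, debug):
    """Parsed values plus 'misdirected': True when a 'server' host was given but the ticket went elsewhere."""
    server = requested_server(script)
    realm = REALM_RE.search(debug)
    # Correct behaviour: the principal is built from the requested host; the bug builds it from the SOA MNAME.
    expected = f"DNS/{server}@{realm.group(1)}" if server and realm else None
    actual = gss_service_principal(debug)
    return {
        "requested_server": server,
        "soa_mname": soa_mname(debug),
        "expected_principal": expected,
        "actual_principal": actual,
        "misdirected": bool(expected and actual and actual != expected),
    }
```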
Additional notes
We need to inspect other parameters as well.
The chat with the investigation starts here: https://mattermost.isc.org/isc/pl/jrk7fqwp4pbr9n787qx7wi18gh