Update DNS with wildcard record - TSIG error with server / GSS verify error
I am working with a Microsoft DNS server in a corporate environment. I do not have direct access to it, but I can add records remotely.
For example, using nsupdate, I can add a new A / CNAME type record as in this question from Unix&Linux: how to update Records using nsupdate?
cat <<EOF > dns-update
server bar.example
zone foo.bar.example
update add hostname.foo.bar.example 86400 A 192.0.2.1
send
EOF
nsupdate -g dns-update
The above works and ends with status: NOERROR.
Now what I want to do is to create a nested record accessible through wildcard * and A name / CNAME.
In the above example, if I replace hostname.foo.bar.example with *.hostname.foo.bar.example, nsupdate will fail with status: REFUSED. The same happens if I escape the asterisk as in \*.
$ nsupdate -g scripts/dns-update
; TSIG error with server: tsig verify failure
update failed: REFUSED
and with additional debug info
$ nsupdate -g -D -L 3 scripts/dns-update
...
;; TSIG PSEUDOSECTION:
588089969.sig-bar.example. 0 ANY TSIG gss-tsig. 1556099609 300 28 BAQE//////8AAAAAKy03Mk/Ul7AQ***== 51403 NOERROR 0
24-Apr-2019 11:53:29.924 dns_request_destroy: request 0x7fb2c6eef180
24-Apr-2019 11:53:29.924 req_destroy: request 0x7fb2c6eef180
24-Apr-2019 11:53:29.924 requestmgr_detach: 0x7fb2c6ee7010: eref 1 iref 1
Out of recvgss
24-Apr-2019 11:53:29.961 req_connected: request 0x7fb2c6eef010
24-Apr-2019 11:53:29.961 req_send: request 0x7fb2c6eef010
24-Apr-2019 11:53:29.961 req_senddone: request 0x7fb2c6eef010
24-Apr-2019 11:53:29.999 req_response: request 0x7fb2c6eef010: success
24-Apr-2019 11:53:29.999 req_cancel: request 0x7fb2c6eef010
24-Apr-2019 11:53:29.999 req_sendevent: request 0x7fb2c6eef010
update_completed()
24-Apr-2019 11:53:29.999 dns_request_getresponse: request 0x7fb2c6eef010
24-Apr-2019 11:53:29.999 GSS verify error: GSSAPI error: Major = A token had an invalid Message Integrity Check (MIC), Minor = Packet was replayed in wrong direction.
24-Apr-2019 11:53:29.999 tsig key '588089969.sig-bar.example' (<null>): signature failed to verify(1)
; TSIG error with server: tsig verify failure
show_message()
...
Interestingly, when I use Windows DNS Manager to do the same thing it works without any problem. See screenshot - DNS Manager
Unfortunately that is a GUI solution that I 1) can't automate 2) am running most of the infrastructure on Linux. Because of that, I am trying to achieve the same with nsupdate.
domain-name-system domain subdomain dns-zone nsupdate
Welcome to ServerFault. What have you tried? Based on my understanding,
update add hostname1.baz.foo.example.com 86400 A 10.10.10.2
and
update add *.hostname2.baz.foo.example.com 86400 A 10.10.10.3
should work.
– Doug Deden, Apr 23 at 19:46
If you just need new records (A/CNAME) you do not need to create a "domain", that is no delegations with NS Records and so on. You just add records in your zone, even if they are "deeper" below. So what did you try?
– Patrick Mevzek, Apr 23 at 23:50
@DougDeden indeed it seems to be a simple solution for nesting. But still I run into the problem with adding a wildcard record. I have rewritten the original question to address the real problem that I have (I feel that the original question was not very useful for other people).
– Majus Misiak, Apr 24 at 10:38
asked Apr 23 at 19:24 by Majus Misiak
edited Apr 24 at 10:36 by Majus Misiak
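An added example, not part of the original post or of BIND: a Python helper that builds the nsupdate batch for a wildcard owner name and separates the two failure signals in the output quoted in the question, the rcode and the client-side TSIG/GSS verification of the response. The function names, verdict labels and the NOERROR sample line are assumptions; the failure sample reuses lines from the question.

```python
import re

# Constructed sample: failure lines reused from the debug output in the question.
FAILED_RUN = """\
24-Apr-2019 11:53:29.999 GSS verify error: GSSAPI error: Major = A token had an invalid Message Integrity Check (MIC), Minor = Packet was replayed in wrong direction.
24-Apr-2019 11:53:29.999 tsig key '588089969.sig-bar.example' (<null>): signature failed to verify(1)
; TSIG error with server: tsig verify failure
update failed: REFUSED
"""
# Constructed sample: assumed shape of the header line of a clean run.
CLEAN_RUN = ";; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 4242\n"

GSS_RE = re.compile(r"GSS verify error: GSSAPI error: Major = (.*?), Minor = (.*?)\.?$")
KEY_RE = re.compile(r"tsig key '([^']+)'.*signature failed to verify")
RCODE_RE = re.compile(r"(update failed|status): (\w+)")


def build_batch(server, zone, owner, ttl, rtype, rdata):
    """Return nsupdate batch text for one 'update add', validating the owner name."""
    z, o = zone.rstrip(".").lower(), owner.rstrip(".").lower()
    if o != z and not o.endswith("." + z):
        raise ValueError(f"{owner} is not inside zone {zone}")
    first, *rest = o.split(".")
    # Only a leftmost label that is exactly '*' is a wildcard (RFC 4592);
    # elsewhere it is a literal label, rejected here as a likely mistake.
    if any("*" in label for label in rest) or ("*" in first and first != "*"):
        raise ValueError(f"'*' must be the whole leftmost label: {owner}")
    return f"server {server}\nzone {zone}\nupdate add {owner} {ttl} {rtype} {rdata}\nsend\n"


def diagnose(output):
    """Split nsupdate output into the reported rcode and the response-signature check."""
    result = {"rcode": None, "response_verified": True, "key": None,
              "gss_major": None, "gss_minor": None}
    final = False  # True once an 'update failed:' line has fixed the rcode
    for line in output.splitlines():
        if m := GSS_RE.search(line):
            result["gss_major"], result["gss_minor"] = m.groups()
        if m := KEY_RE.search(line):
            result["key"] = m.group(1)
        if "tsig verify failure" in line or "signature failed to verify" in line:
            result["response_verified"] = False
        if (m := RCODE_RE.search(line)) and not final:
            result["rcode"] = m.group(2)
            final = m.group(1) == "update failed"
    if not result["response_verified"]:
        # The rcode came in a response whose signature did not verify, so it is
        # not authenticated; confirm the zone state with a separate query.
        result["verdict"] = "unverified-response"
    elif result["rcode"] == "NOERROR":
        result["verdict"] = "applied"
    elif result["rcode"]:
        result["verdict"] = "rejected"
    else:
        result["verdict"] = "unknown"
    return result


if __name__ == "__main__":
    print(build_batch("bar.example", "foo.bar.example",
                      "*.hostname.foo.bar.example", 86400, "A", "192.0.2.1"))
    print(diagnose(FAILED_RUN))
```

On the output from the question this reports REFUSED together with an unverified response, which is a different condition from a signed, verified REFUSED.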