Update DNS with wildcard record - TSIG error with server / GSS verify error


I am working with Microsoft DNS server in corporate environment. I do not have direct access to it, but I can add records remotely.

For example - using nsupdate - I can add new A / CNAME type record as in this question from Unix & Linux: "how to update Records using nsupdate?"

```
cat <<EOF > dns-update
server bar.example
zone foo.bar.example
update add hostname.foo.bar.example 86400 A 192.0.2.1
send
EOF

nsupdate -g dns-update
```

Above works and ends with status: NOERROR.

Now what I want to do is to create nested record accessible through wildcard * and A name / CNAME.

In the above example if I replace hostname.foo.bar.example with *.hostname.foo.bar.example nsupdate will fail with status: REFUSED. Same happens if I escape asterisk as in *.

```
$ nsupdate -g scripts/dns-update
; TSIG error with server: tsig verify failure
update failed: REFUSED
```

and with additional debug info

```
$ nsupdate -g -D -L 3 scripts/dns-update
...
;; TSIG PSEUDOSECTION:
588089969.sig-bar.example. 0 ANY TSIG gss-tsig. 1556099609 300 28 BAQE//////8AAAAAKy03Mk/Ul7AQ***== 51403 NOERROR 0

24-Apr-2019 11:53:29.924 dns_request_destroy: request 0x7fb2c6eef180
24-Apr-2019 11:53:29.924 req_destroy: request 0x7fb2c6eef180
24-Apr-2019 11:53:29.924 requestmgr_detach: 0x7fb2c6ee7010: eref 1 iref 1
Out of recvgss
24-Apr-2019 11:53:29.961 req_connected: request 0x7fb2c6eef010
24-Apr-2019 11:53:29.961 req_send: request 0x7fb2c6eef010
24-Apr-2019 11:53:29.961 req_senddone: request 0x7fb2c6eef010
24-Apr-2019 11:53:29.999 req_response: request 0x7fb2c6eef010: success
24-Apr-2019 11:53:29.999 req_cancel: request 0x7fb2c6eef010
24-Apr-2019 11:53:29.999 req_sendevent: request 0x7fb2c6eef010
update_completed()
24-Apr-2019 11:53:29.999 dns_request_getresponse: request 0x7fb2c6eef010
24-Apr-2019 11:53:29.999 GSS verify error: GSSAPI error: Major = A token had an invalid Message Integrity Check (MIC), Minor = Packet was replayed in wrong direction.
24-Apr-2019 11:53:29.999 tsig key '588089969.sig-bar.example' (<null>): signature failed to verify(1)
; TSIG error with server: tsig verify failure
show_message()
...
```

Interestingly - when I use Windows DNS Manager to do the same thing it works without any problem. See screenshot - DNS Manager

Unfortunately that is GUI solution that I 1) can't automate 2) am running most of the infrastructure on Linux. Because of that, I am trying to achieve the same with nsupdate.










  • 1
    Welcome to ServerFault. What have you tried? Based on my understanding, update add hostname1.baz.foo.example.com 86400 A 10.10.10.2 and update add *.hostname2.baz.foo.example.com 86400 A 10.10.10.3 should work.
    – Doug Deden
    Apr 23 at 19:46

  • 1
    If you just need new records (A/CNAME) you do not need to create a "domain", that is no delegations with NS Records and so on. You just add records in your zone, even if they are "deeper" below. So what did you try?
    – Patrick Mevzek
    Apr 23 at 23:50

  • @DougDeden indeed it seems to be simple solution for nesting. But still I run into the problem with adding wildcard record. I have rewritten original question to address real problem that I have (I feel that original question was not very useful for other people).
    – Majus Misiak
    Apr 24 at 10:38

















domain-name-system domain subdomain dns-zone nsupdate






edited Apr 24 at 10:36 – Majus Misiak
asked Apr 23 at 19:24 – Majus Misiak
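A triage helper for the debug output quoted in the question, as an added example that is not part of the original post: it splits the TSIG pseudosection line into its fields, extracts the GSS-API major/minor status and the final rcode, and compares the TSIG time-signed value with the client's log timestamp against the fudge window. The function name `triage`, the field names in the report, and the +2 h UTC offset used for the log timestamps are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Lines copied from the two nsupdate outputs quoted in the question.
SAMPLE = """\
;; TSIG PSEUDOSECTION:
588089969.sig-bar.example. 0 ANY TSIG gss-tsig. 1556099609 300 28 BAQE//////8AAAAAKy03Mk/Ul7AQ***== 51403 NOERROR 0

24-Apr-2019 11:53:29.999 GSS verify error: GSSAPI error: Major = A token had an invalid Message Integrity Check (MIC), Minor = Packet was replayed in wrong direction.
24-Apr-2019 11:53:29.999 tsig key '588089969.sig-bar.example' (<null>): signature failed to verify(1)
; TSIG error with server: tsig verify failure
update failed: REFUSED
"""

# TSIG RDATA in presentation order: algorithm, time signed, fudge,
# MAC size, MAC, original ID, error, other length.
TSIG_RE = re.compile(
    r"^(?P<key>\S+)\s+(?P<ttl>\d+)\s+(?P<cls>\S+)\s+TSIG\s+(?P<alg>\S+)\s+"
    r"(?P<signed>\d+)\s+(?P<fudge>\d+)\s+(?P<mac_len>\d+)\s+(?P<mac>\S+)\s+"
    r"(?P<orig_id>\d+)\s+(?P<error>\S+)\s+(?P<other_len>\d+)", re.M)
GSS_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ GSS verify error: "
    r"GSSAPI error: Major = (?P<major>.+?), Minor = (?P<minor>.+?)\.?$", re.M)
RCODE_RE = re.compile(r"^update failed: (?P<rcode>\w+)", re.M)


def triage(log, utc_offset_hours):
    """Summarise an nsupdate -g debug log.

    utc_offset_hours is the client's local UTC offset; the log timestamps
    carry no zone, so the caller has to supply it (assumption).
    """
    tsig, gss, rcode = TSIG_RE.search(log), GSS_RE.search(log), RCODE_RE.search(log)
    report = {"rcode": rcode.group("rcode") if rcode else None}
    if tsig:
        report.update(
            key=tsig.group("key"),
            algorithm=tsig.group("alg"),
            tsig_error=tsig.group("error"),
            fudge=int(tsig.group("fudge")),
            mac_len=int(tsig.group("mac_len")),
            time_signed=datetime.fromtimestamp(int(tsig.group("signed")),
                                               timezone.utc),
        )
    if gss:
        report.update(gss_major=gss.group("major"), gss_minor=gss.group("minor"))
    if tsig and gss:
        # Difference between the signer's clock (time signed) and the moment
        # the client logged the verify error. This says something about clock
        # skew only when the TSIG record in the dump was signed by the server.
        local = datetime.strptime(gss.group("ts"), "%d-%b-%Y %H:%M:%S")
        seen = local.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
        skew = abs((seen - report["time_signed"]).total_seconds())
        report["skew_seconds"] = skew
        report["within_fudge"] = skew <= report["fudge"]
    return report


if __name__ == "__main__":
    for field, value in triage(SAMPLE, 2).items():
        print(f"{field}: {value}")
```

With the assumed +2 h offset the time-signed value and the log timestamp fall in the same second, well inside the 300-second fudge.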
