Configuring GSS-TSIG on Bind


GSS-TSIG on ISC Bind

A demonstration of how to successfully configure GSS-TSIG or secure dynamic updates on ISC Bind.

After several hours of trying to get this to work, perhaps this article would have been better named "GSS-TSIG on ISC Bind -- The Missing Manual". I know that in working with others, we experienced many trials and tribulations in getting it all to work.

GSS-TSIG DNS updates, or secure dynamic updates, are an extension to TSIG-based updates that implements secure key exchange. GSS-API calls for the use of Kerberos for authentication, integrity and confidentiality by establishing a limited-lifetime security context. Once the security context is established, special TKEY resource records are used to securely exchange key material between the DNS server and the DNS client.

GSS-TSIG support has been present in the ISC Bind code since version 9.5.0, circa mid-summer of 2008. In this HOW-TO, we compiled ISC Bind 9.7.1-P2 on Fedora 13 (32-bit) and used a single Microsoft Windows 2008 Server running as an Active Directory Domain Controller for example.com.

Before we demonstrate secure dynamic updates, we must first address a "chicken-and-egg" issue. We need our Active Directory Domain Controller up and running first so that we can configure our AD user and Kerberos Service Principal. But before running dcpromo to promote our first AD Domain Controller (DC), we must have DNS up and running with dynamic DNS support. It is therefore recommended that ISC Bind first be built and configured to be authoritative for the AD domain and to support dynamic DNS updates, using the allow-update directive with the IP address of the AD DC.

Building ISC Bind on Fedora, CentOS, or Red Hat Linux

In this exercise, we started from a minimal install of the Fedora 13 and/or CentOS 5.5 (32-bit) operating system. Ensure that the following RPM dependencies are satisfied using the yum command:

yum install openssl-devel
yum install gcc make perl
yum install krb5-workstation krb5-devel 

You will note that we did not specify libgssapi* modules. The reason is that the GSS-API code is embedded in the krb5-workstation and krb5-devel library and development packages. In our test, we used the latest version of ISC Bind (9.7.1-P2 was the current version at the time of this article). Unpack this version of Bind and build it as follows:

./configure --with-openssl --with-gssapi
make && make install 

Some key assumptions:

  • Configure our DNS server, dns1.example.com to be authoritative for the zone example.com
  • Configure our DNS server, dns1.example.com to be authoritative for the reverse zone 168.192.in-addr.arpa
  • Configure the zone(s) example.com and 168.192.in-addr.arpa to be dynamically updatable via the allow-update directive using the IP address of the AD DC(s) so they can inject any/all AD-related DNS records

Once that is complete, our ISC Bind name server should accept insecure dynamic DNS updates from the Domain Controllers for the forward zone example.com and the reverse zone 168.192.in-addr.arpa. At this point it is time to bring up the AD Domain Controller.

Active Directory Domain Controller Promotion

With our Unix DNS server configured to support dynamic updates, we change our focus to the configuration of the AD Domain and DC itself.  At this point, we can now run dcpromo.exe on our Windows Server 2008 to promote it to a Domain Controller or DC for example.com. Follow the wizard and at the conclusion of dcpromo.exe, make sure that all the AD related records were properly "injected" into our ISC Bind Server. Our DC will populate the BIND DNS server with the records that are contained in the %systemroot%\system32\config\netlogon.dns file. You can verify and validate that this occurred by either querying the name server for specific SRV, A, and CNAME records or by displaying the contents of the db.example.com.jnl file using the Bind-provided named-journalprint command.

Create AD user & Service Principal

Using the Microsoft Active Directory Users and Computers Microsoft Management Console or MMC, create an AD user called "dns1" in a zone such as example.com as shown in Fig. 1 - New User below.

Create a New AD User

NOTE: we chose the name "dns1" because it will represent the "instance" or hostname of the DNS server we plan to run ISC Bind on, i.e. dns1.example.com.  You should plan to add an AD User for each DNS server that will perform GSS-TSIG secure dynamic updates.

Give the AD user a strong password

Click Next, and set & confirm a strong password.  In this example, we chose to set a one-time fixed password so that we would not have to rebuild Kerberos keytab files with the new credentials. If you permit the password to change or require it to be rotated for security reasons, you will need to update the Kerberos keytab files that get configured on the remote DNS Servers.

Finish adding the new AD user

When done, click Next to view the final user creation screen shown in Fig. 3. Click Finish to complete the task of creating our user.

Next, we must create a Kerberos Service Principal Name, or SPN, that is mapped to our Active Directory user dns1. This is accomplished using the ktpass.exe utility, which is installed on modern Microsoft Windows 2008 Server installations. If you are operating on Microsoft Windows 2003, you will need to install the Microsoft "Support Tools". You MUST make sure to install the same release of the Support Tools as the version of Windows Server you are operating.

Run ktpass.exe

Run the ktpass.exe utility with the following flags and/or options:

Parameter/Value                           Description
----------------------------------------  ---------------------------------------------
-princ DNS/dns1.example.com@EXAMPLE.COM   This represents the Kerberos Service Principal Account for the <instance> dns1.example.com in the realm EXAMPLE.COM
-mapuser dns1@EXAMPLE.COM                 The Kerberos SPN is mapped to this AD User Account that was created
-mapOp set                                Specifies how the mapping attribute is set
+DesOnly                                  Sets the encryption type to DES only
-ptype KRB5_NT_PRINCIPAL                  This is the type of Kerberos Principal
-pass Pa$$w0rd                            The password of the AD user dns1@EXAMPLE.COM must be correctly passed as an argument.
-out dns1.keytab                          This option names the output file for ktpass.exe. The output file is a Kerberos keytab file that can be imported or merged into an existing keytab file on the Unix host.


The ktpass.exe command above should be executed once for each Bind DNS server instance you plan to operate. In our testing, we generated two such SPN instances for two (2) different Linux hosts that were running ISC Bind 9.7.2-P2, dns1.example.com and dns2.example.com. Copy each keytab file to a temporary directory on the corresponding instance or Linux host, e.g. dns1.keytab should be copied to /tmp on dns1.example.com.

Configuring The Kerberos Client on Linux

The first step is to ensure that the krb5-workstation utilities are properly installed, and that the location of the utilities is in your current PATH environment variable. In our case, we added /usr/kerberos/bin to our default path. Set up Kerberos with a config similar to that shown below:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 default_tkt_enctypes = des-cbc-md5
 default_tgs_enctypes = des-cbc-md5
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 30d
 forwardable = yes
 default_keytab_name = FILE:/etc/krb5.keytab

[realms]
 EXAMPLE.COM = {
  kdc = dc1.example.com:88
  admin_server = dc1.example.com:749
  default_domain = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Run the ktutil command to read in the freshly copied keytab file, and write out the full contents to our target keytab file as follows:

[root@dns1 ~]# ktutil
ktutil:  rkt /tmp/dns1.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3         DNS/dns1.example.com@EXAMPLE.COM
ktutil:  wkt /etc/krb5.keytab
ktutil:  quit
[root@dns1 ~]# 

If you are running ISC Bind as a lesser privileged user than the root user, you MUST set new ownership on the /etc/krb5.keytab file to the user that is running Bind. In our testing, we set the owner to 'named'.

Now that our keytab file is in place and our krb5.conf file is set up, you can initiate Kerberos authentication and obtain Kerberos tickets from the AD server. This is done via the following command:

/usr/kerberos/bin/kinit -k -t /etc/krb5.keytab DNS/dns1.example.com

If there is no output and/or the return value $? is 0, then the command completed without any errors. You can now view the Kerberos tickets that have been granted by:

[root@dns1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: DNS/dns1.example.com@EXAMPLE.COM

Valid starting     Expires            Service principal
10/02/10 11:12:58  10/02/10 21:12:54  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    renew until 10/09/10 11:12:58

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

At this point, you should have a working Kerberos workstation or client that can authenticate and obtain Kerberos tickets via the AD Domain Controller. Run kdestroy to remove the cached tickets from the Kerberos client so that no cached tickets are left to expire. Once that is done, the named process should renew tickets as needed to remain authenticated and capable of performing secure dynamic updates.

Configuring GSS-TSIG Secure Dynamic Updates

Previously, we had configured our DNS server to support dynamic DNS updates in the clear (insecure) by using the allow-update directive.  Now that our server has been "Kerberized", you can change the configuration of the name server to accept only secure dynamic updates by tweaking the server's global and zone configuration(s).  In the global options block of the named.conf file, you will need to add the tkey-gssapi-credential and tkey-domain directives.  The following was used for the example.com domain name server dns1.example.com:

tkey-gssapi-credential "DNS/dns1.example.com@EXAMPLE.COM";
tkey-domain "EXAMPLE.COM";

It was during the next part of the configuration that we experienced difficulty in getting our configuration to work. Since we are configuring secure dynamic updates on two zones, example.com and 168.192.in-addr.arpa, we first needed to remove the allow-update { update_acl; }; directive, because it is based upon IP access lists and is associated with insecure updates. The newer update-policy directive is what should be used to configure zones to support secure dynamic updates. We struggled with the documentation and exact syntax of this policy while trying to get GSS-TSIG working. The following syntax was used to get things working for our two (2) zones:

zone "example.com" { 
    type master;
    file "db.example.com";
    check-names ignore;
    allow-transfer { localhost; 192.168.0.0/16; };
    update-policy {
        grant * subdomain example.com. ANY;
    };
};

zone "168.192.in-addr.arpa" {
    type master;
    file "db.168.192.in-addr.arpa";
    check-names ignore;
    allow-transfer { localhost; 192.168.0.0/16; };
    update-policy {
        grant * subdomain 168.192.in-addr.arpa. PTR TXT;
    };
};

While the above configuration allowed our ISC Bind server to handle GSS-TSIG secure dynamic updates, it is far less than optimal from a security perspective: the identity * in each grant rule matches any signer, so every principal that completes the GSS-TSIG exchange may update any name in the zone, limited only by the record types listed. With all that said, how do we really know it's working? During testing, it's best to start named at a low debugging level so that the log output shows details and evidence of the GSS-TSIG signed updates. Running ISC Bind at debug level 6 will log messages like those shown in Example 1 below:
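One way to answer that question without reading the debug output line by line is the following added example (not part of the original article): it summarizes log lines in the format of Example 1 into denied updates, the principal accepted in each TKEY exchange, and every zone change with its signature state. The function names and the 192.168.0.99 exchange in the sample are constructed for illustration, and attributing a signed update to a principal by client IP is a heuristic, because the update lines do not name the signer.

```python
import re

# Constructed sample: the 192.168.0.30 exchanges are trimmed from Example 1;
# the 192.168.0.99 exchange is invented to show an unsigned update being applied.
SAMPLE = """\
client 192.168.0.30#50997: UDP request
client 192.168.0.30#50997: request is not signed
client 192.168.0.30#50997: update
client 192.168.0.30#50997: update 'example.com/IN' denied
client 192.168.0.30#50997: endrequest
client 192.168.0.30#60844: TCP request
client 192.168.0.30#60844: request is not signed
client 192.168.0.30#60844: query
gss cred: "DNS/dns1.example.com@EXAMPLE.COM", GSS_C_ACCEPT, 4294967080
gss-api source name (accept) is DC1$@EXAMPLE.COM
process_gsstkey(): dns_tsigerror_noerror
client 192.168.0.30#60844: endrequest
client 192.168.0.30#53756: UDP request
client 192.168.0.30#53756: request has valid signature
client 192.168.0.30#53756: update
client 192.168.0.30#53756: updating zone 'example.com/IN': adding an RR at '_ldap._tcp.example.com' SRV
client 192.168.0.30#53756: endrequest
client 192.168.0.99#40000: UDP request
client 192.168.0.99#40000: request is not signed
client 192.168.0.99#40000: update
client 192.168.0.99#40000: updating zone 'example.com/IN': adding an RR at 'www.example.com' A
client 192.168.0.99#40000: endrequest
""".splitlines()

CLIENT = re.compile(r"client (\d{1,3}(?:\.\d{1,3}){3})#(\d+): (.*)")
GSS_PEER = re.compile(r"gss-api source name \(accept\) is (\S+)")
DENIED = re.compile(r"update '([^']+)' denied$")
CHANGE = re.compile(r"updating zone '([^']+)': (.+) at '([^']+)' (\S+)$")


def summarize(lines):
    """Return denied updates, TKEY peers and zone changes found in the log."""
    signed = {}      # (ip, port) -> signature state of the request in flight
    principal = {}   # ip -> last Kerberos principal accepted in a TKEY exchange
    last_ip = None   # gss-api lines carry no client prefix; use the previous client
    report = {"denied": [], "tkey": [], "changes": []}
    for raw in lines:
        line = raw.strip()
        peer = GSS_PEER.search(line)
        if peer and last_ip is not None:
            principal[last_ip] = peer.group(1)
            report["tkey"].append((last_ip, peer.group(1)))
            continue
        m = CLIENT.search(line)
        if not m:
            continue
        ip, port, msg = m.groups()
        last_ip, key = ip, (ip, port)
        if msg == "request is not signed":
            signed[key] = False
        elif msg == "request has valid signature":
            signed[key] = True
        elif msg == "endrequest":
            signed.pop(key, None)
        elif DENIED.match(msg):
            report["denied"].append((ip, DENIED.match(msg).group(1)))
        elif CHANGE.match(msg):
            zone, action, name, rtype = CHANGE.match(msg).groups()
            is_signed = signed.get(key, False)
            report["changes"].append({
                "client": ip, "zone": zone, "action": action,
                "name": name, "rtype": rtype, "signed": is_signed,
                # Heuristic: the update line itself does not name the signer.
                "principal": principal.get(ip) if is_signed else None,
            })
    return report


def unsigned_changes(report):
    """Zone changes applied without a valid signature. These should not occur
    once update-policy has replaced the IP-based allow-update ACL."""
    return [c for c in report["changes"] if not c["signed"]]


if __name__ == "__main__":
    rep = summarize(SAMPLE)
    for ip, zone in rep["denied"]:
        print(f"denied  {ip} zone={zone}")
    for ip, who in rep["tkey"]:
        print(f"tkey    {ip} principal={who}")
    for c in rep["changes"]:
        state = "signed" if c["signed"] else "UNSIGNED"
        print(f"change  {c['client']} {state} {c['action']} "
              f"{c['name']} {c['rtype']} by {c['principal']}")
    print(f"{len(unsigned_changes(rep))} unsigned change(s) need review")
```

On the page's own log every applied change follows a "request has valid signature" line, so unsigned_changes() returns nothing for it; a non-empty result means some zone still accepts updates without GSS-TSIG.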

Example 1 - GSS-TSIG logging output
client 192.168.0.30#54265: UDP request
client 192.168.0.30#54265: using view '_default'
client 192.168.0.30#54265: request is not signed
client 192.168.0.30#54265: recursion available
client 192.168.0.30#54265: update
client 192.168.0.30#54265: update 'example.com/IN' denied
client 192.168.0.30#54265: send
client 192.168.0.30#54265: sendto
client 192.168.0.30#54265: senddone
client 192.168.0.30#54265: next
client 192.168.0.30#54265: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#58183: UDP request
client 192.168.0.30#58183: using view '_default'
client 192.168.0.30#58183: request is not signed
client 192.168.0.30#58183: recursion available
client 192.168.0.30#58183: query
client 192.168.0.30#58183: query '_ldap._tcp.pdc._msdcs.example.com/SRV/IN' approved
client 192.168.0.30#58183: send
client 192.168.0.30#58183: sendto
client 192.168.0.30#58183: senddone
client 192.168.0.30#58183: next
client 192.168.0.30#58183: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#61439: UDP request
client 192.168.0.30#61439: using view '_default'
client 192.168.0.30#61439: request is not signed
client 192.168.0.30#61439: recursion available
client 192.168.0.30#61439: query
client 192.168.0.30#61439: query '_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com/SRV/IN' approved
client 192.168.0.30#61439: send
client 192.168.0.30#61439: sendto
client 192.168.0.30#61439: senddone
client 192.168.0.30#61439: next
client 192.168.0.30#61439: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#62387: UDP request
client 192.168.0.30#62387: using view '_default'
client 192.168.0.30#62387: request is not signed
client 192.168.0.30#62387: recursion available
client 192.168.0.30#62387: query
client 192.168.0.30#62387: query '_kerberos._tcp.dc._msdcs.example.com/SRV/IN' approved
client 192.168.0.30#62387: send
client 192.168.0.30#62387: sendto
client 192.168.0.30#62387: senddone
client 192.168.0.30#62387: next
client 192.168.0.30#62387: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#54841: UDP request
client 192.168.0.30#54841: using view '_default'
client 192.168.0.30#54841: request is not signed
client 192.168.0.30#54841: recursion available
client 192.168.0.30#54841: query
client 192.168.0.30#54841: query 'example.com/NS/IN' approved
client 192.168.0.30#54841: send
client 192.168.0.30#54841: sendto
client 192.168.0.30#54841: senddone
client 192.168.0.30#54841: next
client 192.168.0.30#54841: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#52472: UDP request
client 192.168.0.30#52472: using view '_default'
client 192.168.0.30#52472: request is not signed
client 192.168.0.30#52472: recursion available
client 192.168.0.30#52472: query
client 192.168.0.30#52472: query 'example.com/SOA/IN' approved
client 192.168.0.30#52472: send
client 192.168.0.30#52472: sendto
client 192.168.0.30#52472: senddone
client 192.168.0.30#52472: next
client 192.168.0.30#52472: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#65412: UDP request
client 192.168.0.30#65412: using view '_default'
client 192.168.0.30#65412: request is not signed
client 192.168.0.30#65412: recursion available
client 192.168.0.30#65412: update
client 192.168.0.30#65412: update 'example.com/IN' denied
client 192.168.0.30#65412: send
client 192.168.0.30#65412: sendto
client 192.168.0.30#65412: senddone
client 192.168.0.30#65412: next
client 192.168.0.30#65412: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#64663: UDP request
client 192.168.0.30#64663: using view '_default'
client 192.168.0.30#64663: request is not signed
client 192.168.0.30#64663: recursion available
client 192.168.0.30#64663: query
client 192.168.0.30#64663: query '_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com/SRV/IN' approved
client 192.168.0.30#64663: send
client 192.168.0.30#64663: sendto
client 192.168.0.30#64663: senddone
client 192.168.0.30#64663: next
client 192.168.0.30#64663: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#63907: UDP request
client 192.168.0.30#63907: using view '_default'
client 192.168.0.30#63907: request is not signed
client 192.168.0.30#63907: recursion available
client 192.168.0.30#63907: query
client 192.168.0.30#63907: query '_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com/SRV/IN' approved
client 192.168.0.30#63907: send
client 192.168.0.30#63907: sendto
client 192.168.0.30#63907: senddone
client 192.168.0.30#63907: next
client 192.168.0.30#63907: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#53769: UDP request
client 192.168.0.30#53769: using view '_default'
client 192.168.0.30#53769: request is not signed
client 192.168.0.30#53769: recursion available
client 192.168.0.30#53769: query
client 192.168.0.30#53769: query '_ldap._tcp.dc._msdcs.example.com/SRV/IN' approved
client 192.168.0.30#53769: send
client 192.168.0.30#53769: sendto
client 192.168.0.30#53769: senddone
client 192.168.0.30#53769: next
client 192.168.0.30#53769: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#53582: UDP request
client 192.168.0.30#53582: using view '_default'
client 192.168.0.30#53582: request is not signed
client 192.168.0.30#53582: recursion available
client 192.168.0.30#53582: query
client 192.168.0.30#53582: query '_ldap._tcp.e2353a0a-743e-4b46-825e-15983e663afc.domains._msdcs.example.com/SRV/IN' approved
client 192.168.0.30#53582: send
client 192.168.0.30#53582: sendto
client 192.168.0.30#53582: senddone
client 192.168.0.30#53582: next
client 192.168.0.30#53582: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#56045: UDP request
client 192.168.0.30#56045: using view '_default'
client 192.168.0.30#56045: request is not signed
client 192.168.0.30#56045: recursion available
client 192.168.0.30#56045: query
client 192.168.0.30#56045: query '_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com/SRV/IN' approved
client 192.168.0.30#56045: send
client 192.168.0.30#56045: sendto
client 192.168.0.30#56045: senddone
client 192.168.0.30#56045: next
client 192.168.0.30#56045: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#57159: UDP request
client 192.168.0.30#57159: using view '_default'
client 192.168.0.30#57159: request is not signed
client 192.168.0.30#57159: recursion available
client 192.168.0.30#57159: query
client 192.168.0.30#57159: query '_kerberos._tcp.dc._msdcs.example.com/SRV/IN' approved
client 192.168.0.30#57159: send
client 192.168.0.30#57159: sendto
client 192.168.0.30#57159: senddone
client 192.168.0.30#57159: next
client 192.168.0.30#57159: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#65199: UDP request
client 192.168.0.30#65199: using view '_default'
client 192.168.0.30#65199: request is not signed
client 192.168.0.30#65199: recursion available
client 192.168.0.30#65199: query
client 192.168.0.30#65199: query 'isatap.example.com/A/IN' approved
client 192.168.0.30#65199: send
client 192.168.0.30#65199: sendto
client 192.168.0.30#65199: senddone
client 192.168.0.30#65199: next
client 192.168.0.30#65199: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#60772: UDP request
client 192.168.0.30#60772: using view '_default'
client 192.168.0.30#60772: request is not signed
client 192.168.0.30#60772: recursion available
client 192.168.0.30#60772: query
client 192.168.0.30#60772: query '_VLMCS._TCP.example.com/SRV/IN' approved
client 192.168.0.30#60772: send
client 192.168.0.30#60772: sendto
client 192.168.0.30#60772: senddone
client 192.168.0.30#60772: next
client 192.168.0.30#60772: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#49797: UDP request
client 192.168.0.30#49797: using view '_default'
client 192.168.0.30#49797: request is not signed
client 192.168.0.30#49797: recursion available
client 192.168.0.30#49797: query
client 192.168.0.30#49797: query 'example.com/A/IN' approved
client 192.168.0.30#49797: send
client 192.168.0.30#49797: sendto
client 192.168.0.30#49797: senddone
client 192.168.0.30#49797: next
client 192.168.0.30#49797: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#51873: UDP request
client 192.168.0.30#51873: using view '_default'
client 192.168.0.30#51873: request is not signed
client 192.168.0.30#51873: recursion available
client 192.168.0.30#51873: query
client 192.168.0.30#51873: query 'example.com/SOA/IN' approved
client 192.168.0.30#51873: send
client 192.168.0.30#51873: sendto
client 192.168.0.30#51873: senddone
client 192.168.0.30#51873: next
client 192.168.0.30#51873: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#60616: UDP request
client 192.168.0.30#60616: using view '_default'
client 192.168.0.30#60616: request is not signed
client 192.168.0.30#60616: recursion available
client 192.168.0.30#60616: update
client 192.168.0.30#60616: update 'example.com/IN' denied
client 192.168.0.30#60616: send
client 192.168.0.30#60616: sendto
client 192.168.0.30#60616: senddone
client 192.168.0.30#60616: next
client 192.168.0.30#60616: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#60000: new TCP connection
client 192.168.0.30#60000: replace
clientmgr @0xb7f29548: createclients
clientmgr @0xb7f29548: create new
client @0xb7e30008: create
client 192.168.0.30#60000: read
client @0xb7e30008: accept
client 192.168.0.30#60000: TCP request
client 192.168.0.30#60000: using view '_default'
client 192.168.0.30#60000: request is not signed
client 192.168.0.30#60000: recursion available
client 192.168.0.30#60000: query
gss cred: "DNS/dns1.example.com@EXAMPLE.COM", GSS_C_ACCEPT, 4294967080
gss-api source name (accept) is DC1$@EXAMPLE.COM
process_gsstkey(): dns_tsigerror_noerror
client 192.168.0.30#60000: send
client 192.168.0.30#60000: sendto
client 192.168.0.30#60000: senddone
client 192.168.0.30#60000: next
client 192.168.0.30#60000: endrequest
client 192.168.0.30#60000: read
client 192.168.0.30#60000: next
client 192.168.0.30#60000: request failed: end of file
client 192.168.0.30#60000: endrequest
client 192.168.0.30#60000: closetcp
client 192.168.0.30#54539: UDP request
client 192.168.0.30#54539: using view '_default'
client 192.168.0.30#54539: request has valid signature
client 192.168.0.30#54539: recursion available
client 192.168.0.30#54539: update
client 192.168.0.30#54539: updating zone 'example.com/IN': adding an RR at 'example.com' A
client 192.168.0.30#54539: send
client 192.168.0.30#54539: sendto
client 192.168.0.30#54539: senddone
client 192.168.0.30#54539: next
client 192.168.0.30#54539: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#54764: UDP request
client 192.168.0.30#54764: using view '_default'
client 192.168.0.30#54764: request is not signed
client 192.168.0.30#54764: recursion available
client 192.168.0.30#54764: query
client 192.168.0.30#54764: query '_ldap._tcp.example.com/SOA/IN' approved
client 192.168.0.30#54764: send
client 192.168.0.30#54764: sendto
client 192.168.0.30#54764: senddone
client 192.168.0.30#54764: next
client 192.168.0.30#54764: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#57595: UDP request
client 192.168.0.30#57595: using view '_default'
client 192.168.0.30#57595: request is not signed
client 192.168.0.30#57595: recursion available
client 192.168.0.30#57595: query
client 192.168.0.30#57595: query 'dns1.example.com/A/IN' approved
client 192.168.0.30#57595: send
client 192.168.0.30#57595: sendto
client 192.168.0.30#57595: senddone
client 192.168.0.30#57595: next
client 192.168.0.30#57595: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#50997: UDP request
client 192.168.0.30#50997: using view '_default'
client 192.168.0.30#50997: request is not signed
client 192.168.0.30#50997: recursion available
client 192.168.0.30#50997: update
client 192.168.0.30#50997: update 'example.com/IN' denied
client 192.168.0.30#50997: send
client 192.168.0.30#50997: sendto
client 192.168.0.30#50997: senddone
client 192.168.0.30#50997: next
client 192.168.0.30#50997: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#60844: new TCP connection
client 192.168.0.30#60844: replace
clientmgr @0xb7f29548: createclients
clientmgr @0xb7f29548: recycle
client 192.168.0.30#60844: read
client 192.168.0.30#60844: TCP request
client 192.168.0.30#60844: using view '_default'
client 192.168.0.30#60844: request is not signed
client 192.168.0.30#60844: recursion available
client 192.168.0.30#60844: query
gss cred: "DNS/dns1.example.com@EXAMPLE.COM", GSS_C_ACCEPT, 4294967080
gss-api source name (accept) is DC1$@EXAMPLE.COM
process_gsstkey(): dns_tsigerror_noerror
client 192.168.0.30#60844: send
client 192.168.0.30#60844: sendto
client 192.168.0.30#60844: senddone
client 192.168.0.30#60844: next
client 192.168.0.30#60844: endrequest
client 192.168.0.30#60844: read
client @0xb7f5ab90: accept
client 192.168.0.30#53756: UDP request
client 192.168.0.30#53756: using view '_default'
client 192.168.0.30#53756: request has valid signature
client 192.168.0.30#53756: recursion available
client 192.168.0.30#53756: update
client 192.168.0.30#60844: next
client 192.168.0.30#60844: request failed: end of file
client 192.168.0.30#60844: endrequest
client 192.168.0.30#60844: closetcp
client 192.168.0.30#53756: updating zone 'example.com/IN': adding an RR at '_ldap._tcp.example.com' SRV
client 192.168.0.30#53756: send
client 192.168.0.30#53756: sendto
client 192.168.0.30#53756: senddone
client 192.168.0.30#53756: next
client 192.168.0.30#53756: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#63535: UDP request
client 192.168.0.30#63535: using view '_default'
client 192.168.0.30#63535: request is not signed
client 192.168.0.30#63535: recursion available
client 192.168.0.30#63535: query
client 192.168.0.30#63535: query '_ldap._tcp.Default-First-Site-Name._sites.example.com/SOA/IN' approved
client 192.168.0.30#63535: send
client 192.168.0.30#63535: sendto
client 192.168.0.30#63535: senddone
client 192.168.0.30#63535: next
client 192.168.0.30#63535: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#60574: UDP request
client 192.168.0.30#60574: using view '_default'
client 192.168.0.30#60574: request is not signed
client 192.168.0.30#60574: recursion available
client 192.168.0.30#60574: query
client 192.168.0.30#60574: query 'dns1.example.com/A/IN' approved
client 192.168.0.30#60574: send
client 192.168.0.30#60574: sendto
client 192.168.0.30#60574: senddone
client 192.168.0.30#60574: next
client 192.168.0.30#60574: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#57993: UDP request
client 192.168.0.30#57993: using view '_default'
client 192.168.0.30#57993: request is not signed
client 192.168.0.30#57993: recursion available
client 192.168.0.30#57993: update
client 192.168.0.30#57993: update 'example.com/IN' denied
client 192.168.0.30#57993: send
client 192.168.0.30#57993: sendto
client 192.168.0.30#57993: senddone
client 192.168.0.30#57993: next
client 192.168.0.30#57993: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#62250: new TCP connection
client 192.168.0.30#62250: replace
clientmgr @0xb7f29548: createclients
clientmgr @0xb7f29548: recycle
client 192.168.0.30#62250: read
client 192.168.0.30#62250: TCP request
client 192.168.0.30#62250: using view '_default'
client 192.168.0.30#62250: request is not signed
client 192.168.0.30#62250: recursion available
client 192.168.0.30#62250: query
gss cred: "DNS/dns1.example.com@EXAMPLE.COM", GSS_C_ACCEPT, 4294967080
gss-api source name (accept) is DC1$@EXAMPLE.COM
process_gsstkey(): dns_tsigerror_noerror
client 192.168.0.30#62250: send
client 192.168.0.30#62250: sendto
client 192.168.0.30#62250: senddone
client 192.168.0.30#62250: next
client 192.168.0.30#62250: endrequest
client 192.168.0.30#62250: read
client @0xb7e30008: accept
client 192.168.0.30#59138: UDP request
client 192.168.0.30#59138: using view '_default'
client 192.168.0.30#59138: request has valid signature
client 192.168.0.30#59138: recursion available
client 192.168.0.30#59138: update
client 192.168.0.30#62250: next
client 192.168.0.30#62250: request failed: end of file
client 192.168.0.30#62250: endrequest
client 192.168.0.30#62250: closetcp
client 192.168.0.30#59138: updating zone 'example.com/IN': adding an RR at '_ldap._tcp.Default-First-Site-Name._sites.example.com' SRV
client 192.168.0.30#59138: send
client 192.168.0.30#59138: sendto
client 192.168.0.30#59138: senddone
client 192.168.0.30#59138: next
client 192.168.0.30#59138: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#65172: UDP request
client 192.168.0.30#65172: using view '_default'
client 192.168.0.30#65172: request is not signed
client 192.168.0.30#65172: recursion available
client 192.168.0.30#65172: query
client 192.168.0.30#65172: query '_ldap._tcp.pdc._msdcs.example.com/SOA/IN' approved
client 192.168.0.30#65172: send
client 192.168.0.30#65172: sendto
client 192.168.0.30#65172: senddone
client 192.168.0.30#65172: next
client 192.168.0.30#65172: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#58677: UDP request
client 192.168.0.30#58677: using view '_default'
client 192.168.0.30#58677: request is not signed
client 192.168.0.30#58677: recursion available
client 192.168.0.30#58677: query
client 192.168.0.30#58677: query 'dns1.example.com/A/IN' approved
client 192.168.0.30#58677: send
client 192.168.0.30#58677: sendto
client 192.168.0.30#58677: senddone
client 192.168.0.30#58677: next
client 192.168.0.30#58677: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#60049: UDP request
client 192.168.0.30#60049: using view '_default'
client 192.168.0.30#60049: request is not signed
client 192.168.0.30#60049: recursion available
client 192.168.0.30#60049: update
client 192.168.0.30#60049: update 'example.com/IN' denied
client 192.168.0.30#60049: send
client 192.168.0.30#60049: sendto
client 192.168.0.30#60049: senddone
client 192.168.0.30#60049: next
client 192.168.0.30#60049: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#58315: new TCP connection
client 192.168.0.30#58315: replace
clientmgr @0xb7f29548: createclients
clientmgr @0xb7f29548: recycle
client 192.168.0.30#58315: read
client 192.168.0.30#58315: TCP request
client 192.168.0.30#58315: using view '_default'
client 192.168.0.30#58315: request is not signed
client 192.168.0.30#58315: recursion available
client 192.168.0.30#58315: query
gss cred: "DNS/dns1.example.com@EXAMPLE.COM", GSS_C_ACCEPT, 4294967080
gss-api source name (accept) is DC1$@EXAMPLE.COM
process_gsstkey(): dns_tsigerror_noerror
client 192.168.0.30#58315: send
client 192.168.0.30#58315: sendto
client 192.168.0.30#58315: senddone
client 192.168.0.30#58315: next
client 192.168.0.30#58315: endrequest
client 192.168.0.30#58315: read
client @0xb7f5ab90: accept
client 192.168.0.30#54319: UDP request
client 192.168.0.30#54319: using view '_default'
client 192.168.0.30#54319: request has valid signature
client 192.168.0.30#54319: recursion available
client 192.168.0.30#54319: update
client 192.168.0.30#58315: next
client 192.168.0.30#58315: request failed: end of file
client 192.168.0.30#58315: endrequest
client 192.168.0.30#58315: closetcp
client 192.168.0.30#54319: updating zone 'example.com/IN': deleting rrset at '_ldap._tcp.pdc._msdcs.example.com' SRV
client 192.168.0.30#54319: updating zone 'example.com/IN': adding an RR at '_ldap._tcp.pdc._msdcs.example.com' SRV
client 192.168.0.30#54319: send
client 192.168.0.30#54319: sendto
client 192.168.0.30#54319: senddone
client 192.168.0.30#54319: next
client 192.168.0.30#54319: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#58627: UDP request
client 192.168.0.30#58627: using view '_default'
client 192.168.0.30#58627: request is not signed
client 192.168.0.30#58627: recursion available
client 192.168.0.30#58627: query
client 192.168.0.30#58627: query '_ldap._tcp.e2353a0a-743e-4b46-825e-15983e663afc.domains._msdcs.example.com/SOA/IN' approved
client 192.168.0.30#58627: send
client 192.168.0.30#58627: sendto
client 192.168.0.30#58627: senddone
client 192.168.0.30#58627: next
client 192.168.0.30#58627: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#64261: UDP request
client 192.168.0.30#64261: using view '_default'
client 192.168.0.30#64261: request is not signed
client 192.168.0.30#64261: recursion available
client 192.168.0.30#64261: query
client 192.168.0.30#64261: query 'dns1.example.com/A/IN' approved
client 192.168.0.30#64261: send
client 192.168.0.30#64261: sendto
client 192.168.0.30#64261: senddone
client 192.168.0.30#64261: next
client 192.168.0.30#64261: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#60358: UDP request
client 192.168.0.30#60358: using view '_default'
client 192.168.0.30#60358: request is not signed
client 192.168.0.30#60358: recursion available
client 192.168.0.30#60358: update
client 192.168.0.30#60358: update 'example.com/IN' denied
client 192.168.0.30#60358: send
client 192.168.0.30#60358: sendto
client 192.168.0.30#60358: senddone
client 192.168.0.30#60358: next
client 192.168.0.30#60358: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#63894: new TCP connection
client 192.168.0.30#63894: replace
clientmgr @0xb7f29548: createclients
clientmgr @0xb7f29548: recycle
client 192.168.0.30#63894: read
client 192.168.0.30#63894: TCP request
client 192.168.0.30#63894: using view '_default'
client 192.168.0.30#63894: request is not signed
client 192.168.0.30#63894: recursion available
client 192.168.0.30#63894: query
gss cred: "DNS/dns1.example.com@EXAMPLE.COM", GSS_C_ACCEPT, 4294967080
gss-api source name (accept) is DC1$@EXAMPLE.COM
process_gsstkey(): dns_tsigerror_noerror
client 192.168.0.30#63894: send
client 192.168.0.30#63894: sendto
client 192.168.0.30#63894: senddone
client 192.168.0.30#63894: next
client 192.168.0.30#63894: endrequest
client 192.168.0.30#63894: read
client @0xb7e30008: accept
client 192.168.0.30#59081: UDP request
client 192.168.0.30#59081: using view '_default'
client 192.168.0.30#59081: request has valid signature
client 192.168.0.30#59081: recursion available
client 192.168.0.30#59081: update
client 192.168.0.30#63894: next
client 192.168.0.30#63894: request failed: end of file
client 192.168.0.30#63894: endrequest
client 192.168.0.30#63894: closetcp
client 192.168.0.30#59081: updating zone 'example.com/IN': adding an RR at '_ldap._tcp.e2353a0a-743e-4b46-825e-15983e663afc.domains._msdcs.example.com' SRV
client 192.168.0.30#59081: send
client 192.168.0.30#59081: sendto
client 192.168.0.30#59081: senddone
client 192.168.0.30#59081: next
client 192.168.0.30#59081: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#51031: UDP request
client 192.168.0.30#51031: using view '_default'
client 192.168.0.30#51031: request is not signed
client 192.168.0.30#51031: recursion available
client 192.168.0.30#51031: query
client 192.168.0.30#51031: query '9c4ff8f2-c68f-421e-89b1-02a560fd5d1c._msdcs.example.com/SOA/IN' approved
client 192.168.0.30#51031: send
client 192.168.0.30#51031: sendto
client 192.168.0.30#51031: senddone
client 192.168.0.30#51031: next
client 192.168.0.30#51031: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#57622: UDP request
client 192.168.0.30#57622: using view '_default'
client 192.168.0.30#57622: request is not signed
client 192.168.0.30#57622: recursion available
client 192.168.0.30#57622: query
client 192.168.0.30#57622: query '_msdcs.example.com/SOA/IN' approved
client 192.168.0.30#57622: send
client 192.168.0.30#57622: sendto
client 192.168.0.30#57622: senddone
client 192.168.0.30#57622: next
client 192.168.0.30#57622: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#52058: UDP request
client 192.168.0.30#52058: using view '_default'
client 192.168.0.30#52058: request is not signed
client 192.168.0.30#52058: recursion available
client 192.168.0.30#52058: query
client 192.168.0.30#52058: query 'dns1.example.com/A/IN' approved
client 192.168.0.30#52058: send
client 192.168.0.30#52058: sendto
client 192.168.0.30#52058: senddone
client 192.168.0.30#52058: next
client 192.168.0.30#52058: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#59025: UDP request
client 192.168.0.30#59025: using view '_default'
client 192.168.0.30#59025: request is not signed
client 192.168.0.30#59025: recursion available
client 192.168.0.30#59025: update
client 192.168.0.30#59025: update 'example.com/IN' denied
client 192.168.0.30#59025: send
client 192.168.0.30#59025: sendto
client 192.168.0.30#59025: senddone
client 192.168.0.30#59025: next
client 192.168.0.30#59025: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#64000: new TCP connection
client 192.168.0.30#64000: replace
clientmgr @0xb7f29548: createclients
clientmgr @0xb7f29548: recycle
client 192.168.0.30#64000: read
client 192.168.0.30#64000: TCP request
client 192.168.0.30#64000: using view '_default'
client 192.168.0.30#64000: request is not signed
client 192.168.0.30#64000: recursion available
client 192.168.0.30#64000: query
gss cred: "DNS/dns1.example.com@EXAMPLE.COM", GSS_C_ACCEPT, 4294967080
gss-api source name (accept) is DC1$@EXAMPLE.COM
process_gsstkey(): dns_tsigerror_noerror
client 192.168.0.30#64000: send
client 192.168.0.30#64000: sendto
client 192.168.0.30#64000: senddone
client 192.168.0.30#64000: next
client 192.168.0.30#64000: endrequest
client 192.168.0.30#64000: read
client @0xb7f5ab90: accept
client 192.168.0.30#59913: UDP request
client 192.168.0.30#59913: using view '_default'
client 192.168.0.30#59913: request has valid signature
client 192.168.0.30#59913: recursion available
client 192.168.0.30#59913: update
client 192.168.0.30#64000: next
client 192.168.0.30#64000: request failed: end of file
client 192.168.0.30#64000: endrequest
client 192.168.0.30#64000: closetcp
client 192.168.0.30#59913: updating zone 'example.com/IN': deleting rrset at '9c4ff8f2-c68f-421e-89b1-02a560fd5d1c._msdcs.example.com' CNAME
client 192.168.0.30#59913: updating zone 'example.com/IN': adding an RR at '9c4ff8f2-c68f-421e-89b1-02a560fd5d1c._msdcs.example.com' CNAME
client 192.168.0.30#59913: send
client 192.168.0.30#59913: sendto
client 192.168.0.30#59913: senddone
client 192.168.0.30#59913: next
client 192.168.0.30#59913: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#62302: UDP request
client 192.168.0.30#62302: using view '_default'
client 192.168.0.30#62302: request is not signed
client 192.168.0.30#62302: recursion available
client 192.168.0.30#62302: query
client 192.168.0.30#62302: query '9c4ff8f2-c68f-421e-89b1-02a560fd5d1c._msdcs.example.com/CNAME/IN' approved
client 192.168.0.30#62302: send
client 192.168.0.30#62302: sendto
client 192.168.0.30#62302: senddone
client 192.168.0.30#62302: next
client 192.168.0.30#62302: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#62619: UDP request
client 192.168.0.30#62619: using view '_default'
client 192.168.0.30#62619: request is not signed
client 192.168.0.30#62619: recursion available
client 192.168.0.30#62619: query
client 192.168.0.30#62619: query '_ldap._tcp.dc._msdcs.example.com/SOA/IN' approved
client 192.168.0.30#62619: send
client 192.168.0.30#62619: sendto
client 192.168.0.30#62619: senddone
client 192.168.0.30#62619: next
client 192.168.0.30#62619: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#54932: UDP request
client 192.168.0.30#54932: using view '_default'
client 192.168.0.30#54932: request is not signed
client 192.168.0.30#54932: recursion available
client 192.168.0.30#54932: query
client 192.168.0.30#54932: query 'dns1.example.com/A/IN' approved
client 192.168.0.30#54932: send
client 192.168.0.30#54932: sendto
client 192.168.0.30#54932: senddone
client 192.168.0.30#54932: next
client 192.168.0.30#54932: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#51741: UDP request
client 192.168.0.30#51741: using view '_default'
client 192.168.0.30#51741: request is not signed
client 192.168.0.30#51741: recursion available
client 192.168.0.30#51741: update
client 192.168.0.30#51741: update 'example.com/IN' denied
client 192.168.0.30#51741: send
client 192.168.0.30#51741: sendto
client 192.168.0.30#51741: senddone
client 192.168.0.30#51741: next
client 192.168.0.30#51741: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#56281: new TCP connection
client 192.168.0.30#56281: replace
clientmgr @0xb7f29548: createclients
clientmgr @0xb7f29548: recycle
client 192.168.0.30#56281: read
client 192.168.0.30#56281: TCP request
client 192.168.0.30#56281: using view '_default'
client 192.168.0.30#56281: request is not signed
client 192.168.0.30#56281: recursion available
client 192.168.0.30#56281: query
gss cred: "DNS/dns1.example.com@EXAMPLE.COM", GSS_C_ACCEPT, 4294967080
gss-api source name (accept) is DC1$@EXAMPLE.COM
process_gsstkey(): dns_tsigerror_noerror
client 192.168.0.30#56281: send
client 192.168.0.30#56281: sendto
client 192.168.0.30#56281: senddone
client 192.168.0.30#56281: next
client 192.168.0.30#56281: endrequest
client 192.168.0.30#56281: read
client @0xb7e30008: accept
client 192.168.0.30#58656: UDP request
client 192.168.0.30#58656: using view '_default'
client 192.168.0.30#58656: request has valid signature
client 192.168.0.30#58656: recursion available
client 192.168.0.30#58656: update
client 192.168.0.30#56281: next
client 192.168.0.30#56281: request failed: end of file
client 192.168.0.30#56281: endrequest
client 192.168.0.30#56281: closetcp
client 192.168.0.30#58656: updating zone 'example.com/IN': adding an RR at '_ldap._tcp.dc._msdcs.example.com' SRV
client 192.168.0.30#58656: send
client 192.168.0.30#58656: sendto
client 192.168.0.30#58656: senddone
client 192.168.0.30#58656: next
client 192.168.0.30#58656: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#51068: UDP request
client 192.168.0.30#51068: using view '_default'
client 192.168.0.30#51068: request is not signed
client 192.168.0.30#51068: recursion available
client 192.168.0.30#51068: query
client 192.168.0.30#51068: query '_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com/SOA/IN' approved
client 192.168.0.30#51068: send
client 192.168.0.30#51068: sendto
client 192.168.0.30#51068: senddone
client 192.168.0.30#51068: next
client 192.168.0.30#51068: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#54144: UDP request
client 192.168.0.30#54144: using view '_default'
client 192.168.0.30#54144: request is not signed
client 192.168.0.30#54144: recursion available
client 192.168.0.30#54144: query
client 192.168.0.30#54144: query 'dns1.example.com/A/IN' approved
client 192.168.0.30#54144: send
client 192.168.0.30#54144: sendto
client 192.168.0.30#54144: senddone
client 192.168.0.30#54144: next
client 192.168.0.30#54144: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#63509: UDP request
client 192.168.0.30#63509: using view '_default'
client 192.168.0.30#63509: request is not signed
client 192.168.0.30#63509: recursion available
client 192.168.0.30#63509: update
client 192.168.0.30#63509: update 'example.com/IN' denied
client 192.168.0.30#63509: send
client 192.168.0.30#63509: sendto
client 192.168.0.30#63509: senddone
client 192.168.0.30#63509: next
client 192.168.0.30#63509: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#58952: new TCP connection
client 192.168.0.30#58952: replace
clientmgr @0xb7f29548: createclients
clientmgr @0xb7f29548: recycle
client 192.168.0.30#58952: read
client 192.168.0.30#58952: TCP request
client 192.168.0.30#58952: using view '_default'
client 192.168.0.30#58952: request is not signed
client 192.168.0.30#58952: recursion available
client 192.168.0.30#58952: query
gss cred: "DNS/dns1.example.com@EXAMPLE.COM", GSS_C_ACCEPT, 4294967080
gss-api source name (accept) is DC1$@EXAMPLE.COM
process_gsstkey(): dns_tsigerror_noerror
client 192.168.0.30#58952: send
client 192.168.0.30#58952: sendto
client 192.168.0.30#58952: senddone
client 192.168.0.30#58952: next
client 192.168.0.30#58952: endrequest
client 192.168.0.30#58952: read
client @0xb7f5ab90: accept
client 192.168.0.30#61087: UDP request
client 192.168.0.30#61087: using view '_default'
client 192.168.0.30#61087: request has valid signature
client 192.168.0.30#61087: recursion available
client 192.168.0.30#61087: update
client 192.168.0.30#58952: next
client 192.168.0.30#58952: request failed: end of file
client 192.168.0.30#58952: endrequest
client 192.168.0.30#58952: closetcp
client 192.168.0.30#61087: updating zone 'example.com/IN': adding an RR at '_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com' SRV
client 192.168.0.30#61087: send
client 192.168.0.30#61087: sendto
client 192.168.0.30#61087: senddone
client 192.168.0.30#61087: next
client 192.168.0.30#61087: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#49346: UDP request
client 192.168.0.30#49346: using view '_default'
client 192.168.0.30#49346: request is not signed
client 192.168.0.30#49346: recursion available
client 192.168.0.30#49346: query
client 192.168.0.30#49346: query '_ldap._tcp.gc._msdcs.example.com/SOA/IN' approved
client 192.168.0.30#49346: send
client 192.168.0.30#49346: sendto
client 192.168.0.30#49346: senddone
client 192.168.0.30#49346: next
client 192.168.0.30#49346: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#64967: UDP request
client 192.168.0.30#64967: using view '_default'
client 192.168.0.30#64967: request is not signed
client 192.168.0.30#64967: recursion available
client 192.168.0.30#64967: query
client 192.168.0.30#64967: query 'dns1.example.com/A/IN' approved
client 192.168.0.30#64967: send
client 192.168.0.30#64967: sendto
client 192.168.0.30#64967: senddone
client 192.168.0.30#64967: next
client 192.168.0.30#64967: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#57091: UDP request
client 192.168.0.30#57091: using view '_default'
client 192.168.0.30#57091: request is not signed
client 192.168.0.30#57091: recursion available
client 192.168.0.30#57091: update
client 192.168.0.30#57091: update 'example.com/IN' denied
client 192.168.0.30#57091: send
client 192.168.0.30#57091: sendto
client 192.168.0.30#57091: senddone
client 192.168.0.30#57091: next
client 192.168.0.30#57091: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#55788: new TCP connection
client 192.168.0.30#55788: replace
clientmgr @0xb7f29548: createclients
clientmgr @0xb7f29548: recycle
client 192.168.0.30#55788: read
client 192.168.0.30#55788: TCP request
client 192.168.0.30#55788: using view '_default'
client 192.168.0.30#55788: request is not signed
client 192.168.0.30#55788: recursion available
client 192.168.0.30#55788: query
gss cred: "DNS/dns1.example.com@EXAMPLE.COM", GSS_C_ACCEPT, 4294967080
gss-api source name (accept) is DC1$@EXAMPLE.COM
process_gsstkey(): dns_tsigerror_noerror
client 192.168.0.30#55788: send
client 192.168.0.30#55788: sendto
client 192.168.0.30#55788: senddone
client 192.168.0.30#55788: next
client 192.168.0.30#55788: endrequest
client 192.168.0.30#55788: read
client @0xb7e30008: accept
client 192.168.0.30#56263: UDP request
client 192.168.0.30#56263: using view '_default'
client 192.168.0.30#56263: request has valid signature
client 192.168.0.30#56263: recursion available
client 192.168.0.30#56263: update
client 192.168.0.30#55788: next
client 192.168.0.30#55788: request failed: end of file
client 192.168.0.30#55788: endrequest
client 192.168.0.30#55788: closetcp
client 192.168.0.30#56263: updating zone 'example.com/IN': adding an RR at '_ldap._tcp.gc._msdcs.example.com' SRV
client 192.168.0.30#56263: send
client 192.168.0.30#56263: sendto
client 192.168.0.30#56263: senddone
client 192.168.0.30#56263: next
client 192.168.0.30#56263: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#64176: UDP request
client 192.168.0.30#64176: using view '_default'
client 192.168.0.30#64176: request is not signed
client 192.168.0.30#64176: recursion available
client 192.168.0.30#64176: query
client 192.168.0.30#64176: query '_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.example.com/SOA/IN' approved
client 192.168.0.30#64176: send
client 192.168.0.30#64176: sendto
client 192.168.0.30#64176: senddone
client 192.168.0.30#64176: next
client 192.168.0.30#64176: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#55400: UDP request
client 192.168.0.30#55400: using view '_default'
client 192.168.0.30#55400: request is not signed
client 192.168.0.30#55400: recursion available
client 192.168.0.30#55400: query
client 192.168.0.30#55400: query 'dns1.example.com/A/IN' approved
client 192.168.0.30#55400: send
client 192.168.0.30#55400: sendto
client 192.168.0.30#55400: senddone
client 192.168.0.30#55400: next
client 192.168.0.30#55400: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#51329: UDP request
client 192.168.0.30#51329: using view '_default'
client 192.168.0.30#51329: request is not signed
client 192.168.0.30#51329: recursion available
client 192.168.0.30#51329: update
client 192.168.0.30#51329: update 'example.com/IN' denied
client 192.168.0.30#51329: send
client 192.168.0.30#51329: sendto
client 192.168.0.30#51329: senddone
client 192.168.0.30#51329: next
client 192.168.0.30#51329: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#57980: new TCP connection
client 192.168.0.30#57980: replace
clientmgr @0xb7f29548: createclients
clientmgr @0xb7f29548: recycle
client 192.168.0.30#57980: read
client 192.168.0.30#57980: TCP request
client 192.168.0.30#57980: using view '_default'
client 192.168.0.30#57980: request is not signed
client 192.168.0.30#57980: recursion available
client 192.168.0.30#57980: query
gss cred: "DNS/dns1.example.com@EXAMPLE.COM", GSS_C_ACCEPT, 4294967080
gss-api source name (accept) is DC1$@EXAMPLE.COM
process_gsstkey(): dns_tsigerror_noerror
client 192.168.0.30#57980: send
client 192.168.0.30#57980: sendto
client 192.168.0.30#57980: senddone
client 192.168.0.30#57980: next
client 192.168.0.30#57980: endrequest
client 192.168.0.30#57980: read
client @0xb7f5ab90: accept
client 192.168.0.30#58540: UDP request
client 192.168.0.30#58540: using view '_default'
client 192.168.0.30#58540: request has valid signature
client 192.168.0.30#58540: recursion available
client 192.168.0.30#58540: update
client 192.168.0.30#57980: next
client 192.168.0.30#57980: request failed: end of file
client 192.168.0.30#57980: endrequest
client 192.168.0.30#57980: closetcp
client 192.168.0.30#58540: updating zone 'example.com/IN': adding an RR at '_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.example.com' SRV
client 192.168.0.30#58540: send
client 192.168.0.30#58540: sendto
client 192.168.0.30#58540: senddone
client 192.168.0.30#58540: next
client 192.168.0.30#58540: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#60357: UDP request
client 192.168.0.30#60357: using view '_default'
client 192.168.0.30#60357: request is not signed
client 192.168.0.30#60357: recursion available
client 192.168.0.30#60357: query
client 192.168.0.30#60357: query '_kerberos._tcp.dc._msdcs.example.com/SOA/IN' approved
client 192.168.0.30#60357: send
client 192.168.0.30#60357: sendto
client 192.168.0.30#60357: senddone
client 192.168.0.30#60357: next
client 192.168.0.30#60357: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#56702: UDP request
client 192.168.0.30#56702: using view '_default'
client 192.168.0.30#56702: request is not signed
client 192.168.0.30#56702: recursion available
client 192.168.0.30#56702: query
client 192.168.0.30#56702: query 'dns1.example.com/A/IN' approved
client 192.168.0.30#56702: send
client 192.168.0.30#56702: sendto
client 192.168.0.30#56702: senddone
client 192.168.0.30#56702: next
client 192.168.0.30#56702: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#49321: UDP request
client 192.168.0.30#49321: using view '_default'
client 192.168.0.30#49321: request is not signed
client 192.168.0.30#49321: recursion available
client 192.168.0.30#49321: update
client 192.168.0.30#49321: update 'example.com/IN' denied
client 192.168.0.30#49321: send
client 192.168.0.30#49321: sendto
client 192.168.0.30#49321: senddone
client 192.168.0.30#49321: next
client 192.168.0.30#49321: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#59056: new TCP connection
client 192.168.0.30#59056: replace
clientmgr @0xb7f29548: createclients
clientmgr @0xb7f29548: recycle
client 192.168.0.30#59056: read
client 192.168.0.30#59056: TCP request
client 192.168.0.30#59056: using view '_default'
client 192.168.0.30#59056: request is not signed
client 192.168.0.30#59056: recursion available
client 192.168.0.30#59056: query
gss cred: "DNS/dns1.example.com@EXAMPLE.COM", GSS_C_ACCEPT, 4294967080
gss-api source name (accept) is DC1$@EXAMPLE.COM
process_gsstkey(): dns_tsigerror_noerror
client 192.168.0.30#59056: send
client 192.168.0.30#59056: sendto
client 192.168.0.30#59056: senddone
client 192.168.0.30#59056: next
client 192.168.0.30#59056: endrequest
client 192.168.0.30#59056: read
client @0xb7e30008: accept
client 192.168.0.30#63680: UDP request
client 192.168.0.30#63680: using view '_default'
client 192.168.0.30#63680: request has valid signature
client 192.168.0.30#63680: recursion available
client 192.168.0.30#63680: update
client 192.168.0.30#59056: next
client 192.168.0.30#59056: request failed: end of file
client 192.168.0.30#59056: endrequest
client 192.168.0.30#59056: closetcp
client 192.168.0.30#63680: updating zone 'example.com/IN': adding an RR at '_kerberos._tcp.dc._msdcs.example.com' SRV
client 192.168.0.30#63680: send
client 192.168.0.30#63680: sendto
client 192.168.0.30#63680: senddone
client 192.168.0.30#63680: next
client 192.168.0.30#63680: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#50518: UDP request
client 192.168.0.30#50518: using view '_default'
client 192.168.0.30#50518: request is not signed
client 192.168.0.30#50518: recursion available
client 192.168.0.30#50518: query
client 192.168.0.30#50518: query '_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com/SOA/IN' approved
client 192.168.0.30#50518: send
client 192.168.0.30#50518: sendto
client 192.168.0.30#50518: senddone
client 192.168.0.30#50518: next
client 192.168.0.30#50518: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#52930: UDP request
client 192.168.0.30#52930: using view '_default'
client 192.168.0.30#52930: request is not signed
client 192.168.0.30#52930: recursion available
client 192.168.0.30#52930: query
client 192.168.0.30#52930: query 'dns1.example.com/A/IN' approved
client 192.168.0.30#52930: send
client 192.168.0.30#52930: sendto
client 192.168.0.30#52930: senddone
client 192.168.0.30#52930: next
client 192.168.0.30#52930: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#49183: UDP request
client 192.168.0.30#49183: using view '_default'
client 192.168.0.30#49183: request is not signed
client 192.168.0.30#49183: recursion available
client 192.168.0.30#49183: update
client 192.168.0.30#49183: update 'example.com/IN' denied
client 192.168.0.30#49183: send
client 192.168.0.30#49183: sendto
client 192.168.0.30#49183: senddone
client 192.168.0.30#49183: next
client 192.168.0.30#49183: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#60296: new TCP connection
client 192.168.0.30#60296: replace
clientmgr @0xb7f29548: createclients
clientmgr @0xb7f29548: recycle
client 192.168.0.30#60296: read
client 192.168.0.30#60296: TCP request
client 192.168.0.30#60296: using view '_default'
client 192.168.0.30#60296: request is not signed
client 192.168.0.30#60296: recursion available
client 192.168.0.30#60296: query
gss cred: "DNS/dns1.example.com@EXAMPLE.COM", GSS_C_ACCEPT, 4294967080
gss-api source name (accept) is DC1$@EXAMPLE.COM
process_gsstkey(): dns_tsigerror_noerror
client 192.168.0.30#60296: send
client 192.168.0.30#60296: sendto
client 192.168.0.30#60296: senddone
client 192.168.0.30#60296: next
client 192.168.0.30#60296: endrequest
client 192.168.0.30#60296: read
client @0xb7f5ab90: accept
client 192.168.0.30#50969: UDP request
client 192.168.0.30#50969: using view '_default'
client 192.168.0.30#50969: request has valid signature
client 192.168.0.30#50969: recursion available
client 192.168.0.30#50969: update
client 192.168.0.30#60296: next
client 192.168.0.30#60296: request failed: end of file
client 192.168.0.30#60296: endrequest
client 192.168.0.30#60296: closetcp
client 192.168.0.30#50969: updating zone 'example.com/IN': adding an RR at '_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com' SRV
client 192.168.0.30#50969: send
client 192.168.0.30#50969: sendto
client 192.168.0.30#50969: senddone
client 192.168.0.30#50969: next
client 192.168.0.30#50969: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#55008: UDP request
client 192.168.0.30#55008: using view '_default'
client 192.168.0.30#55008: request is not signed
client 192.168.0.30#55008: recursion available
client 192.168.0.30#55008: query
client 192.168.0.30#55008: query '_kerberos._tcp.example.com/SOA/IN' approved
client 192.168.0.30#55008: send
client 192.168.0.30#55008: sendto
client 192.168.0.30#55008: senddone
client 192.168.0.30#55008: next
client 192.168.0.30#55008: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#49481: UDP request
client 192.168.0.30#49481: using view '_default'
client 192.168.0.30#49481: request is not signed
client 192.168.0.30#49481: recursion available
client 192.168.0.30#49481: query
client 192.168.0.30#49481: query 'dns1.example.com/A/IN' approved
client 192.168.0.30#49481: send
client 192.168.0.30#49481: sendto
client 192.168.0.30#49481: senddone
client 192.168.0.30#49481: next
client 192.168.0.30#49481: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#51023: UDP request
client 192.168.0.30#51023: using view '_default'
client 192.168.0.30#51023: request is not signed
client 192.168.0.30#51023: recursion available
client 192.168.0.30#51023: update
client 192.168.0.30#51023: update 'example.com/IN' denied
client 192.168.0.30#51023: send
client 192.168.0.30#51023: sendto
client 192.168.0.30#51023: senddone
client 192.168.0.30#51023: next
client 192.168.0.30#51023: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#54133: new TCP connection
client 192.168.0.30#54133: replace
clientmgr @0xb7f29548: createclients
clientmgr @0xb7f29548: recycle
client 192.168.0.30#54133: read
client 192.168.0.30#54133: TCP request
client 192.168.0.30#54133: using view '_default'
client 192.168.0.30#54133: request is not signed
client 192.168.0.30#54133: recursion available
client 192.168.0.30#54133: query
gss cred: "DNS/dns1.example.com@EXAMPLE.COM", GSS_C_ACCEPT, 4294967080
gss-api source name (accept) is DC1$@EXAMPLE.COM
process_gsstkey(): dns_tsigerror_noerror
client 192.168.0.30#54133: send
client 192.168.0.30#54133: sendto
client 192.168.0.30#54133: senddone
client 192.168.0.30#54133: next
client 192.168.0.30#54133: endrequest
client 192.168.0.30#54133: read
client @0xb7e30008: accept
client 192.168.0.30#52484: UDP request
client 192.168.0.30#52484: using view '_default'
client 192.168.0.30#52484: request has valid signature
client 192.168.0.30#52484: recursion available
client 192.168.0.30#52484: update
client 192.168.0.30#54133: next
client 192.168.0.30#54133: request failed: end of file
client 192.168.0.30#54133: endrequest
client 192.168.0.30#54133: closetcp
client 192.168.0.30#52484: updating zone 'example.com/IN': adding an RR at '_kerberos._tcp.example.com' SRV
client 192.168.0.30#52484: send
client 192.168.0.30#52484: sendto
client 192.168.0.30#52484: senddone
client 192.168.0.30#52484: next
client 192.168.0.30#52484: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#58261: UDP request
client 192.168.0.30#58261: using view '_default'
client 192.168.0.30#58261: request is not signed
client 192.168.0.30#58261: recursion available
client 192.168.0.30#58261: query
client 192.168.0.30#58261: query '_kerberos._tcp.Default-First-Site-Name._sites.example.com/SOA/IN' approved
client 192.168.0.30#58261: send
client 192.168.0.30#58261: sendto
client 192.168.0.30#58261: senddone
client 192.168.0.30#58261: next
client 192.168.0.30#58261: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#57115: UDP request
client 192.168.0.30#57115: using view '_default'
client 192.168.0.30#57115: request is not signed
client 192.168.0.30#57115: recursion available
client 192.168.0.30#57115: query
client 192.168.0.30#57115: query 'dns1.example.com/A/IN' approved
client 192.168.0.30#57115: send
client 192.168.0.30#57115: sendto
client 192.168.0.30#57115: senddone
client 192.168.0.30#57115: next
client 192.168.0.30#57115: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#54992: UDP request
client 192.168.0.30#54992: using view '_default'
client 192.168.0.30#54992: request is not signed
client 192.168.0.30#54992: recursion available
client 192.168.0.30#54992: update
client 192.168.0.30#54992: update 'example.com/IN' denied
client 192.168.0.30#54992: send
client 192.168.0.30#54992: sendto
client 192.168.0.30#54992: senddone
client 192.168.0.30#54992: next
client 192.168.0.30#54992: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#50695: new TCP connection
client 192.168.0.30#50695: replace
clientmgr @0xb7f29548: createclients
clientmgr @0xb7f29548: recycle
client 192.168.0.30#50695: read
client 192.168.0.30#50695: TCP request
client 192.168.0.30#50695: using view '_default'
client 192.168.0.30#50695: request is not signed
client 192.168.0.30#50695: recursion available
client 192.168.0.30#50695: query
gss cred: "DNS/dns1.example.com@EXAMPLE.COM", GSS_C_ACCEPT, 4294967080
gss-api source name (accept) is DC1$@EXAMPLE.COM
process_gsstkey(): dns_tsigerror_noerror
client 192.168.0.30#50695: send
client 192.168.0.30#50695: sendto
client 192.168.0.30#50695: senddone
client 192.168.0.30#50695: next
client 192.168.0.30#50695: endrequest
client 192.168.0.30#50695: read
client @0xb7f5ab90: accept
client 192.168.0.30#50759: UDP request
client 192.168.0.30#50759: using view '_default'
client 192.168.0.30#50759: request has valid signature
client 192.168.0.30#50759: recursion available
client 192.168.0.30#50759: update
client 192.168.0.30#50695: next
client 192.168.0.30#50695: request failed: end of file
client 192.168.0.30#50695: endrequest
client 192.168.0.30#50695: closetcp
client 192.168.0.30#50759: updating zone 'example.com/IN': adding an RR at '_kerberos._tcp.Default-First-Site-Name._sites.example.com' SRV
client 192.168.0.30#50759: send
client 192.168.0.30#50759: sendto
client 192.168.0.30#50759: senddone
client 192.168.0.30#50759: next
client 192.168.0.30#50759: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#63524: UDP request
client 192.168.0.30#63524: using view '_default'
client 192.168.0.30#63524: request is not signed
client 192.168.0.30#63524: recursion available
client 192.168.0.30#63524: query
client 192.168.0.30#63524: query '_gc._tcp.example.com/SOA/IN' approved
client 192.168.0.30#63524: send
client 192.168.0.30#63524: sendto
client 192.168.0.30#63524: senddone
client 192.168.0.30#63524: next
client 192.168.0.30#63524: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#51741: UDP request
client 192.168.0.30#51741: using view '_default'
client 192.168.0.30#51741: request is not signed
client 192.168.0.30#51741: recursion available
client 192.168.0.30#51741: query
client 192.168.0.30#51741: query 'dns1.example.com/A/IN' approved
client 192.168.0.30#51741: send
client 192.168.0.30#51741: sendto
client 192.168.0.30#51741: senddone
client 192.168.0.30#51741: next
client 192.168.0.30#51741: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#52959: UDP request
client 192.168.0.30#52959: using view '_default'
client 192.168.0.30#52959: request is not signed
client 192.168.0.30#52959: recursion available
client 192.168.0.30#52959: update
client 192.168.0.30#52959: update 'example.com/IN' denied
client 192.168.0.30#52959: send
client 192.168.0.30#52959: sendto
client 192.168.0.30#52959: senddone
client 192.168.0.30#52959: next
client 192.168.0.30#52959: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#62561: new TCP connection
client 192.168.0.30#62561: replace
clientmgr @0xb7f29548: createclients
clientmgr @0xb7f29548: recycle
client 192.168.0.30#62561: read
client 192.168.0.30#62561: TCP request
client 192.168.0.30#62561: using view '_default'
client 192.168.0.30#62561: request is not signed
client 192.168.0.30#62561: recursion available
client 192.168.0.30#62561: query
gss cred: "DNS/dns1.example.com@EXAMPLE.COM", GSS_C_ACCEPT, 4294967080
gss-api source name (accept) is DC1$@EXAMPLE.COM
process_gsstkey(): dns_tsigerror_noerror
client 192.168.0.30#62561: send
client 192.168.0.30#62561: sendto
client 192.168.0.30#62561: senddone
client 192.168.0.30#62561: next
client 192.168.0.30#62561: endrequest
client 192.168.0.30#62561: read
client @0xb7e30008: accept
client 192.168.0.30#60931: UDP request
client 192.168.0.30#60931: using view '_default'
client 192.168.0.30#60931: request has valid signature
client 192.168.0.30#60931: recursion available
client 192.168.0.30#60931: update
client 192.168.0.30#62561: next
client 192.168.0.30#62561: request failed: end of file
client 192.168.0.30#62561: endrequest
client 192.168.0.30#62561: closetcp
client 192.168.0.30#60931: updating zone 'example.com/IN': adding an RR at '_gc._tcp.example.com' SRV
client 192.168.0.30#60931: send
client 192.168.0.30#60931: sendto
client 192.168.0.30#60931: senddone
client 192.168.0.30#60931: next
client 192.168.0.30#60931: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#62244: UDP request
client 192.168.0.30#62244: using view '_default'
client 192.168.0.30#62244: request is not signed
client 192.168.0.30#62244: recursion available
client 192.168.0.30#62244: query
client 192.168.0.30#62244: query '_gc._tcp.Default-First-Site-Name._sites.example.com/SOA/IN' approved
client 192.168.0.30#62244: send
client 192.168.0.30#62244: sendto
client 192.168.0.30#62244: senddone
client 192.168.0.30#62244: next
client 192.168.0.30#62244: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#49793: UDP request
client 192.168.0.30#49793: using view '_default'
client 192.168.0.30#49793: request is not signed
client 192.168.0.30#49793: recursion available
client 192.168.0.30#49793: query
client 192.168.0.30#49793: query 'dns1.example.com/A/IN' approved
client 192.168.0.30#49793: send
client 192.168.0.30#49793: sendto
client 192.168.0.30#49793: senddone
client 192.168.0.30#49793: next
client 192.168.0.30#49793: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#60990: UDP request
client 192.168.0.30#60990: using view '_default'
client 192.168.0.30#60990: request is not signed
client 192.168.0.30#60990: recursion available
client 192.168.0.30#60990: update
client 192.168.0.30#60990: update 'example.com/IN' denied
client 192.168.0.30#60990: send
client 192.168.0.30#60990: sendto
client 192.168.0.30#60990: senddone
client 192.168.0.30#60990: next
client 192.168.0.30#60990: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#64919: new TCP connection
client 192.168.0.30#64919: replace
clientmgr @0xb7f29548: createclients
clientmgr @0xb7f29548: recycle
client 192.168.0.30#64919: read
client 192.168.0.30#64919: TCP request
client 192.168.0.30#64919: using view '_default'
client 192.168.0.30#64919: request is not signed
client 192.168.0.30#64919: recursion available
client 192.168.0.30#64919: query
gss cred: "DNS/dns1.example.com@EXAMPLE.COM", GSS_C_ACCEPT, 4294967080
gss-api source name (accept) is DC1$@EXAMPLE.COM
process_gsstkey(): dns_tsigerror_noerror
client 192.168.0.30#64919: send
client 192.168.0.30#64919: sendto
client 192.168.0.30#64919: senddone
client 192.168.0.30#64919: next
client 192.168.0.30#64919: endrequest
client 192.168.0.30#64919: read
client @0xb7f5ab90: accept
client 192.168.0.30#51026: UDP request
client 192.168.0.30#51026: using view '_default'
client 192.168.0.30#51026: request has valid signature
client 192.168.0.30#51026: recursion available
client 192.168.0.30#51026: update
client 192.168.0.30#64919: next
client 192.168.0.30#64919: request failed: end of file
client 192.168.0.30#64919: endrequest
client 192.168.0.30#64919: closetcp
client 192.168.0.30#51026: updating zone 'example.com/IN': adding an RR at '_gc._tcp.Default-First-Site-Name._sites.example.com' SRV
client 192.168.0.30#51026: send
client 192.168.0.30#51026: sendto
client 192.168.0.30#51026: senddone
client 192.168.0.30#51026: next
client 192.168.0.30#51026: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#52942: UDP request
client 192.168.0.30#52942: using view '_default'
client 192.168.0.30#52942: request is not signed
client 192.168.0.30#52942: recursion available
client 192.168.0.30#52942: query
client 192.168.0.30#52942: query '_kerberos._udp.example.com/SOA/IN' approved
client 192.168.0.30#52942: send
client 192.168.0.30#52942: sendto
client 192.168.0.30#52942: senddone
client 192.168.0.30#52942: next
client 192.168.0.30#52942: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#56939: UDP request
client 192.168.0.30#56939: using view '_default'
client 192.168.0.30#56939: request is not signed
client 192.168.0.30#56939: recursion available
client 192.168.0.30#56939: query
client 192.168.0.30#56939: query 'dns1.example.com/A/IN' approved
client 192.168.0.30#56939: send
client 192.168.0.30#56939: sendto
client 192.168.0.30#56939: senddone
client 192.168.0.30#56939: next
client 192.168.0.30#56939: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#52086: UDP request
client 192.168.0.30#52086: using view '_default'
client 192.168.0.30#52086: request is not signed
client 192.168.0.30#52086: recursion available
client 192.168.0.30#52086: update
client 192.168.0.30#52086: update 'example.com/IN' denied
client 192.168.0.30#52086: send
client 192.168.0.30#52086: sendto
client 192.168.0.30#52086: senddone
client 192.168.0.30#52086: next
client 192.168.0.30#52086: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#65347: new TCP connection
client 192.168.0.30#65347: replace
clientmgr @0xb7f29548: createclients
clientmgr @0xb7f29548: recycle
client 192.168.0.30#65347: read
client 192.168.0.30#65347: TCP request
client 192.168.0.30#65347: using view '_default'
client 192.168.0.30#65347: request is not signed
client 192.168.0.30#65347: recursion available
client 192.168.0.30#65347: query
gss cred: "DNS/dns1.example.com@EXAMPLE.COM", GSS_C_ACCEPT, 4294967080
gss-api source name (accept) is DC1$@EXAMPLE.COM
process_gsstkey(): dns_tsigerror_noerror
client 192.168.0.30#65347: send
client 192.168.0.30#65347: sendto
client 192.168.0.30#65347: senddone
client 192.168.0.30#65347: next
client 192.168.0.30#65347: endrequest
client 192.168.0.30#65347: read
client @0xb7e30008: accept
client 192.168.0.30#58046: UDP request
client 192.168.0.30#58046: using view '_default'
client 192.168.0.30#58046: request has valid signature
client 192.168.0.30#58046: recursion available
client 192.168.0.30#58046: update
client 192.168.0.30#65347: next
client 192.168.0.30#65347: request failed: end of file
client 192.168.0.30#65347: endrequest
client 192.168.0.30#65347: closetcp
client 192.168.0.30#58046: updating zone 'example.com/IN': adding an RR at '_kerberos._udp.example.com' SRV
client 192.168.0.30#58046: send
client 192.168.0.30#58046: sendto
client 192.168.0.30#58046: senddone
client 192.168.0.30#58046: next
client 192.168.0.30#58046: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#53965: UDP request
client 192.168.0.30#53965: using view '_default'
client 192.168.0.30#53965: request is not signed
client 192.168.0.30#53965: recursion available
client 192.168.0.30#53965: query
client 192.168.0.30#53965: query '_kpasswd._tcp.example.com/SOA/IN' approved
client 192.168.0.30#53965: send
client 192.168.0.30#53965: sendto
client 192.168.0.30#53965: senddone
client 192.168.0.30#53965: next
client 192.168.0.30#53965: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#51192: UDP request
client 192.168.0.30#51192: using view '_default'
client 192.168.0.30#51192: request is not signed
client 192.168.0.30#51192: recursion available
client 192.168.0.30#51192: query
client 192.168.0.30#51192: query 'dns1.example.com/A/IN' approved
client 192.168.0.30#51192: send
client 192.168.0.30#51192: sendto
client 192.168.0.30#51192: senddone
client 192.168.0.30#51192: next
client 192.168.0.30#51192: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#51427: UDP request
client 192.168.0.30#51427: using view '_default'
client 192.168.0.30#51427: request is not signed
client 192.168.0.30#51427: recursion available
client 192.168.0.30#51427: update
client 192.168.0.30#51427: update 'example.com/IN' denied
client 192.168.0.30#51427: send
client 192.168.0.30#51427: sendto
client 192.168.0.30#51427: senddone
client 192.168.0.30#51427: next
client 192.168.0.30#51427: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#56500: new TCP connection
client 192.168.0.30#56500: replace
clientmgr @0xb7f29548: createclients
clientmgr @0xb7f29548: recycle
client 192.168.0.30#56500: read
client 192.168.0.30#56500: TCP request
client 192.168.0.30#56500: using view '_default'
client 192.168.0.30#56500: request is not signed
client 192.168.0.30#56500: recursion available
client 192.168.0.30#56500: query
gss cred: "DNS/dns1.example.com@EXAMPLE.COM", GSS_C_ACCEPT, 4294967080
gss-api source name (accept) is DC1$@EXAMPLE.COM
process_gsstkey(): dns_tsigerror_noerror
client 192.168.0.30#56500: send
client 192.168.0.30#56500: sendto
client 192.168.0.30#56500: senddone
client 192.168.0.30#56500: next
client 192.168.0.30#56500: endrequest
client 192.168.0.30#56500: read
client @0xb7f5ab90: accept
client 192.168.0.30#55801: UDP request
client 192.168.0.30#55801: using view '_default'
client 192.168.0.30#55801: request has valid signature
client 192.168.0.30#55801: recursion available
client 192.168.0.30#55801: update
client 192.168.0.30#56500: next
client 192.168.0.30#56500: request failed: end of file
client 192.168.0.30#56500: endrequest
client 192.168.0.30#56500: closetcp
client 192.168.0.30#55801: updating zone 'example.com/IN': adding an RR at '_kpasswd._tcp.example.com' SRV
client 192.168.0.30#55801: send
client 192.168.0.30#55801: sendto
client 192.168.0.30#55801: senddone
client 192.168.0.30#55801: next
client 192.168.0.30#55801: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#57513: UDP request
client 192.168.0.30#57513: using view '_default'
client 192.168.0.30#57513: request is not signed
client 192.168.0.30#57513: recursion available
client 192.168.0.30#57513: query
client 192.168.0.30#57513: query '_kpasswd._udp.example.com/SOA/IN' approved
client 192.168.0.30#57513: send
client 192.168.0.30#57513: sendto
client 192.168.0.30#57513: senddone
client 192.168.0.30#57513: next
client 192.168.0.30#57513: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#52595: UDP request
client 192.168.0.30#52595: using view '_default'
client 192.168.0.30#52595: request is not signed
client 192.168.0.30#52595: recursion available
client 192.168.0.30#52595: query
client 192.168.0.30#52595: query 'dns1.example.com/A/IN' approved
client 192.168.0.30#52595: send
client 192.168.0.30#52595: sendto
client 192.168.0.30#52595: senddone
client 192.168.0.30#52595: next
client 192.168.0.30#52595: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#63038: UDP request
client 192.168.0.30#63038: using view '_default'
client 192.168.0.30#63038: request is not signed
client 192.168.0.30#63038: recursion available
client 192.168.0.30#63038: update
client 192.168.0.30#63038: update 'example.com/IN' denied
client 192.168.0.30#63038: send
client 192.168.0.30#63038: sendto
client 192.168.0.30#63038: senddone
client 192.168.0.30#63038: next
client 192.168.0.30#63038: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#59935: new TCP connection
client 192.168.0.30#59935: replace
clientmgr @0xb7f29548: createclients
clientmgr @0xb7f29548: recycle
client 192.168.0.30#59935: read
client 192.168.0.30#59935: TCP request
client 192.168.0.30#59935: using view '_default'
client 192.168.0.30#59935: request is not signed
client 192.168.0.30#59935: recursion available
client 192.168.0.30#59935: query
gss cred: "DNS/dns1.example.com@EXAMPLE.COM", GSS_C_ACCEPT, 4294967080
gss-api source name (accept) is DC1$@EXAMPLE.COM
process_gsstkey(): dns_tsigerror_noerror
client 192.168.0.30#59935: send
client 192.168.0.30#59935: sendto
client 192.168.0.30#59935: senddone
client 192.168.0.30#59935: next
client 192.168.0.30#59935: endrequest
client 192.168.0.30#59935: read
client @0xb7e30008: accept
client 192.168.0.30#59935: next
client 192.168.0.30#59935: request failed: end of file
client 192.168.0.30#59935: endrequest
client 192.168.0.30#59935: closetcp
client 192.168.0.30#63066: UDP request
client 192.168.0.30#63066: using view '_default'
client 192.168.0.30#63066: request has valid signature
client 192.168.0.30#63066: recursion available
client 192.168.0.30#63066: update
client 192.168.0.30#63066: updating zone 'example.com/IN': adding an RR at '_kpasswd._udp.example.com' SRV
client 192.168.0.30#63066: send
client 192.168.0.30#63066: sendto
client 192.168.0.30#63066: senddone
client 192.168.0.30#63066: next
client 192.168.0.30#63066: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#52553: UDP request
client 192.168.0.30#52553: using view '_default'
client 192.168.0.30#52553: request is not signed
client 192.168.0.30#52553: recursion available
client 192.168.0.30#52553: query
client 192.168.0.30#52553: query 'gc._msdcs.example.com/SOA/IN' approved
client 192.168.0.30#52553: send
client 192.168.0.30#52553: sendto
client 192.168.0.30#52553: senddone
client 192.168.0.30#52553: next
client 192.168.0.30#52553: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#61160: UDP request
client 192.168.0.30#61160: using view '_default'
client 192.168.0.30#61160: request is not signed
client 192.168.0.30#61160: recursion available
client 192.168.0.30#61160: query
client 192.168.0.30#61160: query 'dns1.example.com/A/IN' approved
client 192.168.0.30#61160: send
client 192.168.0.30#61160: sendto
client 192.168.0.30#61160: senddone
client 192.168.0.30#61160: next
client 192.168.0.30#61160: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#58777: UDP request
client 192.168.0.30#58777: using view '_default'
client 192.168.0.30#58777: request is not signed
client 192.168.0.30#58777: recursion available
client 192.168.0.30#58777: update
client 192.168.0.30#58777: update 'example.com/IN' denied
client 192.168.0.30#58777: send
client 192.168.0.30#58777: sendto
client 192.168.0.30#58777: senddone
client 192.168.0.30#58777: next
client 192.168.0.30#58777: endrequest
client @0xb7f5a7b8: udprecv
client 192.168.0.30#58165: new TCP connection
client 192.168.0.30#58165: replace
clientmgr @0xb7f29548: createclients
clientmgr @0xb7f29548: recycle
client 192.168.0.30#58165: read
client 192.168.0.30#58165: TCP request
client 192.168.0.30#58165: using view '_default'
client 192.168.0.30#58165: request is not signed
client 192.168.0.30#58165: recursion available
client 192.168.0.30#58165: query
gss cred: "DNS/dns1.example.com@EXAMPLE.COM", GSS_C_ACCEPT, 4294967080
gss-api source name (accept) is DC1$@EXAMPLE.COM
process_gsstkey(): dns_tsigerror_noerror
client 192.168.0.30#58165: send
client 192.168.0.30#58165: sendto
client 192.168.0.30#58165: senddone
client 192.168.0.30#58165: next
client 192.168.0.30#58165: endrequest
client 192.168.0.30#58165: read
client @0xb7f5ab90: accept
client 192.168.0.30#51089: UDP request
client 192.168.0.30#51089: using view '_default'
client 192.168.0.30#51089: request has valid signature
client 192.168.0.30#51089: recursion available
client 192.168.0.30#51089: update
client 192.168.0.30#58165: next
client 192.168.0.30#58165: request failed: end of file
client 192.168.0.30#58165: endrequest
client 192.168.0.30#58165: closetcp
client 192.168.0.30#51089: updating zone 'example.com/IN': adding an RR at 'gc._msdcs.example.com' A
client 192.168.0.30#51089: send
client 192.168.0.30#51089: sendto
client 192.168.0.30#51089: senddone
client 192.168.0.30#51089: next
client 192.168.0.30#51089: endrequest
client @0xb7e30008: udprecv
client 192.168.0.30#53609: new TCP connection
client 192.168.0.30#53609: replace
clientmgr @0xb7f29548: createclients
clientmgr @0xb7f29548: recycle
client 192.168.0.30#53609: read
client 192.168.0.30#53609: TCP request
client 192.168.0.30#53609: using view '_default'
client 192.168.0.30#53609: request is not signed
client 192.168.0.30#53609: recursion available
client 192.168.0.30#53609: query
gss cred: "DNS/dns1.example.com@EXAMPLE.COM", GSS_C_ACCEPT, 4294966489
gss-api source name (accept) is DC1$@EXAMPLE.COM
process_gsstkey(): dns_tsigerror_noerror
client 192.168.0.30#53609: send
client 192.168.0.30#53609: sendto
client 192.168.0.30#53609: senddone
client 192.168.0.30#53609: next
client 192.168.0.30#53609: endrequest
client 192.168.0.30#53609: read
client @0xb7f5a7b8: accept
client 192.168.0.30#58261: UDP request
client 192.168.0.30#58261: using view '_default'
client 192.168.0.30#58261: request has valid signature
client 192.168.0.30#58261: recursion available
client 192.168.0.30#58261: update
client 192.168.0.30#53609: next
client 192.168.0.30#53609: request failed: end of file
client 192.168.0.30#53609: endrequest
client 192.168.0.30#53609: closetcp
client 192.168.0.30#58261: updating zone 'example.com/IN': deleting rrset at 'dc1.example.com' AAAA
client 192.168.0.30#58261: updating zone 'example.com/IN': deleting rrset at 'dc1.example.com' A
client 192.168.0.30#58261: updating zone 'example.com/IN': adding an RR at 'dc1.example.com' A
client 192.168.0.30#58261: send
client 192.168.0.30#58261: sendto
client 192.168.0.30#58261: senddone
client 192.168.0.30#58261: next
client 192.168.0.30#58261: endrequest
client @0xb7e30008: udprecv
client 192.168.0.30#53678: UDP request
client 192.168.0.30#53678: using view '_default'
client 192.168.0.30#53678: request is not signed
client 192.168.0.30#53678: recursion available
client 192.168.0.30#53678: query
client 192.168.0.30#53678: query '30.0.168.192.in-addr.arpa/SOA/IN' approved
client 192.168.0.30#53678: send
client 192.168.0.30#53678: sendto
client 192.168.0.30#53678: senddone
client 192.168.0.30#53678: next
client 192.168.0.30#53678: endrequest
client @0xb7e30008: udprecv
client 192.168.0.30#60819: UDP request
client 192.168.0.30#60819: using view '_default'
client 192.168.0.30#60819: request is not signed
client 192.168.0.30#60819: recursion available
client 192.168.0.30#60819: query
client 192.168.0.30#60819: query 'dns1.example.com/A/IN' approved
client 192.168.0.30#60819: send
client 192.168.0.30#60819: sendto
client 192.168.0.30#60819: senddone
client 192.168.0.30#60819: next
client 192.168.0.30#60819: endrequest
client @0xb7e30008: udprecv
client 192.168.0.30#61061: UDP request
client 192.168.0.30#61061: using view '_default'
client 192.168.0.30#61061: request is not signed
client 192.168.0.30#61061: recursion available
client 192.168.0.30#61061: update
client 192.168.0.30#61061: update '168.192.in-addr.arpa/IN' denied
client 192.168.0.30#61061: send
client 192.168.0.30#61061: sendto
client 192.168.0.30#61061: senddone
client 192.168.0.30#61061: next
client 192.168.0.30#61061: endrequest
client @0xb7e30008: udprecv
client 192.168.0.30#50648: UDP request
client 192.168.0.30#50648: using view '_default'
client 192.168.0.30#50648: request has valid signature
client 192.168.0.30#50648: recursion available
client 192.168.0.30#50648: update
client 192.168.0.30#50648: updating zone '168.192.in-addr.arpa/IN': deleting rrset at '30.0.168.192.in-addr.arpa' PTR
client 192.168.0.30#50648: updating zone '168.192.in-addr.arpa/IN': adding an RR at '30.0.168.192.in-addr.arpa' PTR
client 192.168.0.30#50648: send
client 192.168.0.30#50648: sendto
client 192.168.0.30#50648: senddone
client 192.168.0.30#50648: next
client 192.168.0.30#50648: endrequest
client @0xb7e30008: udprecv
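
An added example, not part of the original article: a Python sketch that audits a named debug log in the format shown above. It lists denied unsigned updates, GSS-TSIG negotiations and applied changes, and flags any change applied for a request that was not signed, which would indicate that an IP-based allow-update is still in effect. The sample log is constructed from lines in the format above; the 192.168.0.99 client and host99.example.com are invented for illustration, and the function and field names are this example's own.

```python
import re

# Constructed sample in the format of the named debug log above.
# The 192.168.0.99 lines are invented to show an update applied without a signature.
SAMPLE_LOG = """\
client @0xb7f5a7b8: udprecv
client 192.168.0.30#52959: request is not signed
client 192.168.0.30#52959: update
client 192.168.0.30#52959: update 'example.com/IN' denied
client 192.168.0.30#62561: TCP request
client 192.168.0.30#62561: request is not signed
gss cred: "DNS/dns1.example.com@EXAMPLE.COM", GSS_C_ACCEPT, 4294967080
gss-api source name (accept) is DC1$@EXAMPLE.COM
process_gsstkey(): dns_tsigerror_noerror
client 192.168.0.30#60931: request has valid signature
client 192.168.0.30#60931: update
client 192.168.0.30#60931: updating zone 'example.com/IN': adding an RR at '_gc._tcp.example.com' SRV
client 192.168.0.99#40000: request is not signed
client 192.168.0.99#40000: updating zone 'example.com/IN': adding an RR at 'host99.example.com' A
"""

CLIENT = re.compile(r"^client (\d+\.\d+\.\d+\.\d+#\d+): (.*)$")
APPLIED = re.compile(r"^updating zone '([^']+)': (.+?) at '([^']+)' (\S+)$")
DENIED = re.compile(r"^update '([^']+)' denied$")
PRINCIPAL = re.compile(r"^gss-api source name \(accept\) is (\S+)$")
TKEY = re.compile(r"^process_gsstkey\(\): (\S+)$")


def audit(log_text):
    """Summarise update activity in a named debug log."""
    signed = {}      # "ip#port" -> result of the most recent signature line
    pending = None   # principal seen, waiting for the process_gsstkey() result
    report = {"applied": [], "denied": [], "tkey": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := PRINCIPAL.match(line)):
            pending = m.group(1)
        elif (m := TKEY.match(line)):
            report["tkey"].append((pending, m.group(1)))
            pending = None
        elif (m := CLIENT.match(line)):
            client, msg = m.groups()
            if msg == "request is not signed":
                signed[client] = False
            elif msg == "request has valid signature":
                signed[client] = True
            elif (d := DENIED.match(msg)):
                report["denied"].append((client, d.group(1)))
            elif (a := APPLIED.match(msg)):
                zone, action, name, rtype = a.groups()
                report["applied"].append({
                    "client": client, "zone": zone, "action": action,
                    "name": name, "rtype": rtype,
                    "signed": signed.get(client, False),
                })
    # A change applied for an unsigned request was authorised by something
    # other than a TSIG/GSS-TSIG key, for example an address-based ACL.
    report["unsigned_applied"] = [c for c in report["applied"] if not c["signed"]]
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for change in result["unsigned_applied"]:
        print("unsigned update applied:", change)
```
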


This is the first part of a two (2) article series on GSS-TSIG updates using ISC Bind. Part 2 will cover some of the "gotchas" and exceptions, and provide some additional recipes for more secure update-policy usage.
