I am working with a Microsoft DNS server in a corporate environment. I do not have direct access to it, but I can add records remotely.
For example, using nsupdate, I can add a new A / CNAME type record as in this question from Unix & Linux: How to update Records using nsupdate?
cat <<EOF > dns-update
server bar.example
zone foo.bar.example
update add hostname.foo.bar.example 86400 A 192.0.2.1
send
EOF
nsupdate -g dns-update
The above works and ends with status: NOERROR.
Now what I want to do is to create a nested record accessible through a wildcard * and an A name / CNAME.
In the above example, if I replace hostname.foo.bar.example with *.hostname.foo.bar.example, nsupdate will fail with status: REFUSED. The same happens if I escape the asterisk as in \*.
$ nsupdate -g scripts/dns-update
; TSIG error with server: tsig verify failure
update failed: REFUSED
And with additional debug info:
$ nsupdate -g -D -L 3 scripts/dns-update
...
;; TSIG PSEUDOSECTION:
588089969.sig-bar.example. 0 ANY TSIG gss-tsig. 1556099609 300 28 BAQE//////8AAAAAKy03Mk/Ul7AQ***== 51403 NOERROR 0
24-Apr-2019 11:53:29.924 dns_request_destroy: request 0x7fb2c6eef180
24-Apr-2019 11:53:29.924 req_destroy: request 0x7fb2c6eef180
24-Apr-2019 11:53:29.924 requestmgr_detach: 0x7fb2c6ee7010: eref 1 iref 1
Out of recvgss
24-Apr-2019 11:53:29.961 req_connected: request 0x7fb2c6eef010
24-Apr-2019 11:53:29.961 req_send: request 0x7fb2c6eef010
24-Apr-2019 11:53:29.961 req_senddone: request 0x7fb2c6eef010
24-Apr-2019 11:53:29.999 req_response: request 0x7fb2c6eef010: success
24-Apr-2019 11:53:29.999 req_cancel: request 0x7fb2c6eef010
24-Apr-2019 11:53:29.999 req_sendevent: request 0x7fb2c6eef010
update_completed()
24-Apr-2019 11:53:29.999 dns_request_getresponse: request 0x7fb2c6eef010
24-Apr-2019 11:53:29.999 GSS verify error: GSSAPI error: Major = A token had an invalid Message Integrity Check (MIC), Minor = Packet was replayed in wrong direction.
24-Apr-2019 11:53:29.999 tsig key '588089969.sig-bar.example' (<null>): signature failed to verify(1)
; TSIG error with server: tsig verify failure
show_message()
...
Interestingly, when I use Windows DNS Manager to do the same thing it works without any problem. See screenshot: DNS Manager.
Unfortunately that is a GUI solution that I 1) can't automate, and 2) I am running most of the infrastructure on Linux. Because of that, I am trying to achieve the same with nsupdate.
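The following is an added example and is not part of the original question or any answer to it. It shows the shape of an automated nsupdate run for the wildcard case: a function that builds the update batch (the wildcard label goes leftmost, with no backslash escaping; quoting the argument only stops the shell from globbing it), a function that reduces nsupdate's output to a status word so a script can tell a plain REFUSED from the REFUSED-plus-TSIG-verify-failure pair seen in the post, and a helper that derives a name beneath the wildcard to query with dig after the update, since a wildcard is only proven working by a lookup of a name under it. The server and zone names are the question's placeholders; the `probe.` label and the `--send` flag are assumptions of this example. Sending with `nsupdate -g` requires a valid Kerberos ticket (kinit) for the account allowed to update the zone.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Assumed names: bar.example
# (server) and foo.bar.example (zone) are the question's own placeholders.
set -u

# Emit an nsupdate batch on stdout.
# Arguments: server zone owner ttl type rdata
# The owner may be a wildcard such as '*.hostname.foo.bar.example'; printf
# does not glob, so the asterisk reaches nsupdate unescaped.
build_update() {
    local server=$1 zone=$2 owner=$3 ttl=$4 type=$5 rdata=$6
    printf 'server %s\nzone %s\nupdate add %s %s %s %s\nsend\n' \
        "$server" "$zone" "$owner" "$ttl" "$type" "$rdata"
}

# Reduce captured nsupdate output (stdout+stderr) to one status word.
# nsupdate prints "update failed: <RCODE>" on failure and nothing on success,
# so an absent "update failed" line means NOERROR. When the reply additionally
# failed GSS-TSIG verification, "/TSIG" is appended so a script can see that
# the REFUSED came back together with a signature problem.
classify_output() {
    local out=$1 rcode
    rcode=$(printf '%s\n' "$out" | sed -n 's/^update failed: \([A-Z]*\).*/\1/p' | head -n1)
    [ -n "$rcode" ] || rcode=NOERROR
    if printf '%s\n' "$out" | grep -q 'tsig verify failure'; then
        rcode="$rcode/TSIG"
    fi
    printf '%s\n' "$rcode"
}

# Turn a wildcard owner into a concrete name beneath it for verification.
# '*.hostname.foo.bar.example' -> 'probe.hostname.foo.bar.example' ("probe" is
# an arbitrary label chosen by this example). A non-wildcard owner is returned
# unchanged so the same check works for ordinary A/CNAME records.
probe_name() {
    printf '%s\n' "$1" | sed 's/^\*\./probe./'
}

# Send the update over GSS-TSIG and then query the server for a name under
# the (possibly wildcard) owner. Only runs when invoked as:
#   ./script --send bar.example foo.bar.example '*.hostname.foo.bar.example' 86400 A 192.0.2.1
if [ "${1-}" = "--send" ]; then
    shift
    result=$(build_update "$@" | nsupdate -g 2>&1)   # -g selects GSS-TSIG
    status=$(classify_output "$result")
    echo "update status: $status"
    if [ "$status" = NOERROR ]; then
        # $1=server, $3=owner, $5=type: confirm the record is answered for a
        # name beneath the wildcard, which is what the wildcard must synthesize.
        dig +short "$5" "$(probe_name "$3")" "@$1"
    fi
fi
```

A practitioner would run the script once with a non-wildcard owner to confirm the GSS-TSIG path works end to end, then with the wildcard owner, and compare the two status words; the dig probe at the end is what distinguishes "the update was accepted" from "the wildcard actually resolves".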