
I am working with Microsoft DNS server in corporate environment. I do not have direct access to it, but I can add records remotely.

For example, using nsupdate, I can add a new A / CNAME type record as in this question from Unix & Linux: how to update Records using nsupdate?

# batch file for nsupdate: talk to bar.example and add one A record in zone foo.bar.example
cat <<EOF > dns-update
server bar.example
zone foo.bar.example
update add hostname.foo.bar.example 86400 A 192.0.2.1
send
EOF

# -g: sign the update with GSS-TSIG using the current Kerberos ticket
nsupdate -g dns-update

The above works and ends with status: NOERROR.

Now what I want to do is to create a nested record accessible through a wildcard (*) and an A / CNAME record.

In the above example, if I replace hostname.foo.bar.example with *.hostname.foo.bar.example, nsupdate fails with status: REFUSED. The same happens if I escape the asterisk, as in \*.

$ nsupdate -g scripts/dns-update 
; TSIG error with server: tsig verify failure
update failed: REFUSED

and with additional debug info

$ nsupdate -g -D -L 3 scripts/dns-update 
...
;; TSIG PSEUDOSECTION:
588089969.sig-bar.example. 0 ANY TSIG   gss-tsig. 1556099609 300 28 BAQE//////8AAAAAKy03Mk/Ul7AQ***== 51403 NOERROR 0 

24-Apr-2019 11:53:29.924 dns_request_destroy: request 0x7fb2c6eef180
24-Apr-2019 11:53:29.924 req_destroy: request 0x7fb2c6eef180
24-Apr-2019 11:53:29.924 requestmgr_detach: 0x7fb2c6ee7010: eref 1 iref 1
Out of recvgss
24-Apr-2019 11:53:29.961 req_connected: request 0x7fb2c6eef010
24-Apr-2019 11:53:29.961 req_send: request 0x7fb2c6eef010
24-Apr-2019 11:53:29.961 req_senddone: request 0x7fb2c6eef010
24-Apr-2019 11:53:29.999 req_response: request 0x7fb2c6eef010: success
24-Apr-2019 11:53:29.999 req_cancel: request 0x7fb2c6eef010
24-Apr-2019 11:53:29.999 req_sendevent: request 0x7fb2c6eef010
update_completed()
24-Apr-2019 11:53:29.999 dns_request_getresponse: request 0x7fb2c6eef010
24-Apr-2019 11:53:29.999 GSS verify error: GSSAPI error: Major = A token had an invalid Message Integrity Check (MIC), Minor = Packet was replayed in wrong direction.
24-Apr-2019 11:53:29.999 tsig key '588089969.sig-bar.example' (<null>): signature failed to verify(1)
; TSIG error with server: tsig verify failure
show_message()
...

Interestingly, when I use Windows DNS Manager to do the same thing, it works without any problem. See screenshot: DNS Manager

Unfortunately that is a GUI solution, which 1) I can't automate and 2) doesn't fit, as I am running most of the infrastructure on Linux. Because of that, I am trying to achieve the same with nsupdate.

Majus Misiak
    Welcome to ServerFault. What have you tried? Based on my understanding, `update add hostname1.baz.foo.example.com 86400 A 10.10.10.2` and `update add \*.hostname2.baz.foo.example.com 86400 A 10.10.10.3` should work. – Doug Deden Apr 23 '19 at 19:46
  • 1
    If you just need new records (A/CNAME) you do not need to create a "domain", that is no delegations with NS Records and so on. You just add records in your zone, even if they are "deeper" below. So what did you try? – Patrick Mevzek Apr 23 '19 at 23:50
  • @DougDeden indeed it seems to be a simple solution for nesting. But I still run into the problem with adding a wildcard record. I have rewritten the original question to address the real problem that I have (I feel that the original question was not very useful for other people). – Majus Misiak Apr 24 '19 at 10:38
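The procedure from the question (write an nsupdate batch, send it with -g, then try the wildcard name), as an added example that is not part of the original post. It is a POSIX shell script that checks the owner name before anything is sent (fully qualified, inside the zone, asterisk only as the leftmost label), builds the batch with prerequisites so a rerun cannot stack duplicate records, sends it with GSS-TSIG exactly as the question does, and verifies the result with dig. The server, zone and address are the question's placeholders; the helper names, the choice of a CNAME for the wildcard record, and the NSUPDATE_APPLY switch are assumptions. It does not change the REFUSED behaviour the question reports; it only makes the batch reproducible and checkable.

```shell
#!/bin/sh
# Added example, not from the original question. Assumed: a Kerberos ticket for a
# principal allowed to update the zone is already in the cache (kinit done), the
# server/zone/address are the question's placeholders, and the helper names are ours.
set -u

DNS_SERVER="${DNS_SERVER:-bar.example}"
ZONE="${ZONE:-foo.bar.example}"

# Reject owner names that will be refused or misread before they reach the
# server: require a trailing dot (no search-list surprises), keep the name
# inside the zone, and allow an asterisk only as the leftmost label (RFC 4592).
check_owner() {
  name=$1
  case "$name" in
    *.) ;;
    *) echo "owner must be fully qualified (trailing dot): $name" >&2; return 1 ;;
  esac
  case "$name" in
    "$ZONE".|*."$ZONE".) ;;
    *) echo "owner is outside zone $ZONE: $name" >&2; return 1 ;;
  esac
  case "$name" in
    '*.'*) rest=${name#\*.} ;;
    *) rest=$name ;;
  esac
  case "$rest" in
    *'*'*) echo "wildcard is only valid as the leftmost label: $name" >&2; return 1 ;;
  esac
  return 0
}

# Emit one nsupdate batch: an A record for the host plus a wildcard CNAME
# underneath it, with prerequisites so a rerun fails (NXRRSET) instead of
# silently stacking a second record of the same type on the name.
build_batch() {
  host=$1; addr=$2; ttl=${3:-86400}
  check_owner "$host" || return 1
  check_owner "*.$host" || return 1
  cat <<EOF
server $DNS_SERVER
zone $ZONE
prereq nxrrset $host A
prereq nxrrset *.$host CNAME
update add $host $ttl A $addr
update add *.$host $ttl CNAME $host
send
EOF
}

# Send the batch with GSS-TSIG (nsupdate -g, as in the question); the temporary
# file is removed whether or not the server accepts the update.
apply_batch() {
  tmp=$(mktemp) || return 1
  if build_batch "$@" > "$tmp"; then
    nsupdate -g "$tmp"
    rc=$?
  else
    rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# The check that matters after a wildcard update: an arbitrary name under the
# host must now answer, via the CNAME, with the host's address.
verify_wildcard() {
  dig +short @"$DNS_SERVER" "probe.$1" A
}

# Only talk to a real server when explicitly asked; otherwise just define helpers.
if [ "${NSUPDATE_APPLY:-0}" = 1 ]; then
  apply_batch hostname.foo.bar.example. 192.0.2.1 && verify_wildcard hostname.foo.bar.example.
fi
```

Run it as `NSUPDATE_APPLY=1 sh wildcard-update.sh` after `kinit`; a REFUSED from the server will still be reported by nsupdate, but a name that would never be accepted (missing trailing dot, asterisk in a middle label, name outside the zone) is rejected locally with a message instead of a signed round trip.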

1 Answer


As a workaround, I have tried to install PowerShell (PSVersion 6.2.0) on Linux (CentOS 7) and use the Add-DnsServerResourceRecordCName cmdlet (which allows configuring a wildcard DNS record).

Unfortunately, the Add-DnsServerResourceRecordCName command is not available in that version. This workaround does not work.

Yohan
  • Hi Yohan, welcome to serverfault. While you have a useful contribution, it does not answer the question directly. You can add this information as a comment to the original question and remove this answer. That way, people will still see this question as "unanswered" and may be more inclined to chime in with their solutions. – hayalci May 03 '19 at 15:08
  • @Yohan Thanks! I have tried both `Add-DnsServerResourceRecordA` and `Add-DnsServerResourceRecordCName` and they work properly on the Windows side. On the Linux distribution of PowerShell this _cmdlet_ is not available. This really helps to solve the original problem (automating the addition of new DNS records). Unfortunately, it does not explain why the same thing can't be achieved from a Linux client when `gss-tsig` is enabled. – Majus Misiak May 07 '19 at 10:54