We are using a DHCP server that sends secure (GSS-TSIG based) dynamic updates to Microsoft DNS.
After a successful TKEY negotiation, the dynamic updates are accepted successfully.
The established context is valid for more than 10 hours on the client side (based on the InitializeSecurityContext output parameter ptsExpiry,
http://msdn.microsoft.com/en-us/library/windows/desktop/aa375507%28v=vs.85%29.aspx).
But when we try to use the same TKEY name (the established context has not expired), we get a "Query Refused" error after some time, say 8-10 minutes. Is there any transaction timeout after which the client should not reuse the established TKEY
context? Does Microsoft DNS support a TKEY RR with mode 5 (Delete Security Context / Key Deletion), so that the client will delete the context and establish a new one for further DNS updates? Also, why is a BADNAME/BADKEY error not returned when
the updates are refused?
As per RFC 3645:
<RFC snip>
4.2.1. Terminating a Context
A server can terminate any established context at any time. The server MAY hint to the client that the context is being deleted by including a TKEY RR in a response with the Mode field set to 5, i.e., "key deletion" [RFC2930]. An active context is deleted by calling GSS_Delete_sec_context providing the associated context_handle.
</RFC snip>
1. Configured the forward zone aswin.com.
2. Did not configure a reverse zone, so that reverse updates get NOTAUTH (just to test the error case).
3. TKEY negotiation is successful.
4. Sent 2 updates at about 19:52, one forward and one reverse. The forward update succeeded; the reverse update failed because the reverse zone is not configured, which is expected.
5. Sent 2 updates at about 19:55 using the previously established key. The forward update succeeded; the reverse update failed because the reverse zone is not configured, which is expected.
6. Sent 2 updates at about 20:01 (approximately 5 minutes later). The forward dynamic update failed with Query Refused. Until a new TKEY negotiation is done, all updates fail with Query Refused. Why could the same key not be used for 10 hours (based on the InitializeSecurityContext output value)? Is there any way to find out how long a key can be reused?
Statistics details from Microsoft DNS
----------------------------------------------------
dnscmd localhost /statistics 00000100
DNS Server localhost statistics:
Packet Dynamic Update:
--------------------------
Updates Received = 2
Forwarded = 0
Empty (PreCon Only) = 0
NoOps (Dups) = 0
Rejected = 1
Completed = 1
Timed Out = 0
In Queue = 0
Updates Rejected = 1
FormError = 0
NameError = 0
NotImpl = 0 (Non-Update Zone)
Refused = 0
NonSecure Packet = 0
AccessDenied = 0
YxDomain = 0
YxRRSet = 0
NxRRSet = 0
NotAuth = 1
NotZone = 0
Queue
Queued = 1
Retried = 0
Timeout = 0
In Queue = 0
Secure Update
Success = 1
Continue = 0
Failure = 0
DS Write Failure = 0
Update Forwarding
Forwards = 0
TCP Forwards = 0
Responses = 0
Timed Out = 0
In Queue = 0
Update Types:
ZERO = 0
A = 0
NS = 0
CNAME = 0
SOA = 0
MB = 0
MG = 0
MR = 0
NULL = 0
WKS = 0
PTR = 0
HINFO = 0
MINFO = 0
MX = 0
TXT = 0
RP = 0
AFSDB = 0
X25 = 0
ISDN = 0
RT = 0
NSAP = 0
NSAPPTR = 0
SIG = 0
KEY = 0
PX = 0
GPOS = 0
AAAA = 0
LOC = 0
NXT = 0
EID = 0
NIMLOC = 0
SRV = 0
ATMA = 0
NAPTR = 0
KX = 0
CERT = 0
A6 = 0
Unknown = 0
Mixed = 1
Command completed successfully.
------
dnscmd localhost /statistics 00000100
DNS Server localhost statistics:
Packet Dynamic Update:
--------------------------
Updates Received = 31
Forwarded = 0
Empty (PreCon Only) = 0
NoOps (Dups) = 24
Rejected = 3
Completed = 4
Timed Out = 0
In Queue = 0
Updates Rejected = 3
FormError = 0
NameError = 0
NotImpl = 0 (Non-Update Zone)
Refused = 1
NonSecure Packet = 0
AccessDenied = 0
YxDomain = 0
YxRRSet = 0
NxRRSet = 0
NotAuth = 2
NotZone = 0
Queue
Queued = 29
Retried = 0
Timeout = 0
In Queue = 0
Secure Update
Success = 2
Continue = 0
Failure = 1
DS Write Failure = 0
Update Forwarding
Forwards = 0
TCP Forwards = 0
Responses = 0
Timed Out = 0
In Queue = 0
Update Types:
ZERO = 0
A = 4
NS = 0
CNAME = 1
SOA = 0
MB = 0
MG = 0
MR = 0
NULL = 0
WKS = 0
PTR = 0
HINFO = 0
MINFO = 0
MX = 0
TXT = 0
RP = 0
AFSDB = 0
X25 = 0
ISDN = 0
RT = 0
NSAP = 0
NSAPPTR = 0
SIG = 0
KEY = 0
PX = 0
GPOS = 0
AAAA = 0
LOC = 0
NXT = 0
EID = 0
NIMLOC = 0
SRV = 21
ATMA = 0
NAPTR = 0
KX = 0
CERT = 0
A6 = 0
Unknown = 0
Mixed = 3
Command completed successfully.
C:\Users\Administrator>
-Thanks,
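The two statistics dumps above are easier to read as a delta than as two raw lists, because several counter names (In Queue, Timed Out) repeat under different headings and the interesting change is which section moved. The following parser is an added example (not code from the original post or from Microsoft); the two snapshot strings are constructed from the counters printed above, trimmed to the sections relevant to the secure-update question, and the explanatory notes are this example's reading of the counter names, not Microsoft documentation.

```python
"""Diff two `dnscmd /statistics 00000100` snapshots and point at the counters that moved.

Added example, not from the original post.  Counters are keyed by (section, name)
so that repeated names under different headings do not collide.
"""
import re
from typing import Dict, List, Tuple

Counters = Dict[Tuple[str, str], int]            # (section, counter) -> value
Delta = Dict[Tuple[str, str], Tuple[int, int, int]]  # -> (before, after, change)

COUNTER_RE = re.compile(r"^\s*(.+?)\s*=\s*(\d+)")  # tolerates trailing "(Non-Update Zone)"

# Constructed sample: counters after the 19:52 / 19:55 updates (trimmed from the post).
SNAPSHOT_BEFORE = """\
DNS Server localhost statistics:
Packet Dynamic Update:
--------------------------
Updates Received = 2
NoOps (Dups) = 0
Rejected = 1
Completed = 1
In Queue = 0
Updates Rejected = 1
NotImpl = 0 (Non-Update Zone)
Refused = 0
NotAuth = 1
Queue
Queued = 1
In Queue = 0
Secure Update
Success = 1
Continue = 0
Failure = 0
Command completed successfully.
"""

# Constructed sample: counters after the 20:01 "Query Refused" updates (trimmed from the post).
SNAPSHOT_AFTER = """\
DNS Server localhost statistics:
Packet Dynamic Update:
--------------------------
Updates Received = 31
NoOps (Dups) = 24
Rejected = 3
Completed = 4
In Queue = 0
Updates Rejected = 3
NotImpl = 0 (Non-Update Zone)
Refused = 1
NotAuth = 2
Queue
Queued = 29
In Queue = 0
Secure Update
Success = 2
Continue = 0
Failure = 1
Command completed successfully.
"""


def parse_dnscmd_stats(text: str) -> Counters:
    """Parse dnscmd statistics output; a line without '=' starts a new section."""
    section, out = "", {}
    for line in text.splitlines():
        line = line.strip()
        if (not line or line.startswith("-") or line.startswith("dnscmd")
                or line.endswith("statistics:") or line.startswith("Command completed")):
            continue
        m = COUNTER_RE.match(line)
        if m:
            out[(section, m.group(1))] = int(m.group(2))
        else:
            section = line.rstrip(":")       # e.g. "Queue", "Secure Update"
    return out


def diff_stats(before: Counters, after: Counters) -> Delta:
    """Return only the counters whose value changed between the two snapshots."""
    keys = sorted(set(before) | set(after))
    return {k: (before.get(k, 0), after.get(k, 0), after.get(k, 0) - before.get(k, 0))
            for k in keys if after.get(k, 0) != before.get(k, 0)}


def explain_diff(delta: Delta) -> List[str]:
    """Separate zone-level rejections from secure-update (TSIG/TKEY context) failures.
    This mapping is the example's reading of the counter names, not documentation."""
    notes = []
    notauth = delta.get(("Packet Dynamic Update", "NotAuth"), (0, 0, 0))[2]
    if notauth:
        notes.append(f"{notauth} update(s) answered NOTAUTH: zone-level rejection "
                     "(server is not authoritative for the target zone).")
    refused = delta.get(("Packet Dynamic Update", "Refused"), (0, 0, 0))[2]
    sec_fail = delta.get(("Secure Update", "Failure"), (0, 0, 0))[2]
    if refused and sec_fail:
        notes.append(f"{refused} REFUSED together with {sec_fail} secure-update failure(s): "
                     "the refusal came from the TSIG/TKEY context check, not the zone; "
                     "renegotiate the TKEY before retrying.")
    elif refused:
        notes.append(f"{refused} REFUSED without a secure-update failure: check zone "
                     "update permissions rather than the key.")
    return notes


if __name__ == "__main__":
    d = diff_stats(parse_dnscmd_stats(SNAPSHOT_BEFORE), parse_dnscmd_stats(SNAPSHOT_AFTER))
    for (section, name), (b, a, c) in d.items():
        print(f"{section:>22} / {name:<16} {b:>4} -> {a:<4} ({c:+d})")
    for note in explain_diff(d):
        print("*", note)
```

Run it against the two full dumps by pasting them into the snapshot strings; the point to watch is that the single REFUSED and the single Secure Update Failure appear in the same interval, while the NOTAUTH counts track the intentionally unconfigured reverse zone.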
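The RFC 3645 snippet quoted above says a server may hint at context deletion with a mode-5 TKEY RR, and the post asks why no BADKEY/BADNAME comes back. The encoder/decoder below is an added example (not code from the original post or from Microsoft) that follows the TKEY RDATA layout in RFC 2930 section 2 and the mode and error values from RFC 2930 and RFC 3645, and shows the client-side decision a GSS-TSIG updater should make from those fields; it assumes uncompressed domain names and uses constructed placeholder key bytes rather than a real GSS-API token.

```python
"""Encode/decode TKEY RR RDATA (RFC 2930 section 2) and decide whether a negotiated
key may still be reused.  Added example, not code from the original post."""
import struct
from dataclasses import dataclass

TKEY_MODES = {1: "server assignment", 2: "Diffie-Hellman exchange",
              3: "GSS-API negotiation", 4: "resolver assignment", 5: "key deletion"}
# TSIG/TKEY extended RCODEs (RFC 2845 section 1.7 / RFC 2930 section 2.6).
TKEY_ERRORS = {0: "NOERROR", 16: "BADSIG", 17: "BADKEY", 18: "BADTIME",
               19: "BADMODE", 20: "BADNAME", 21: "BADALG"}
MODE_GSS_API = 3
MODE_KEY_DELETION = 5


@dataclass
class TKey:
    algorithm: str      # "gss-tsig." for RFC 3645 GSS-TSIG
    inception: int      # seconds since the epoch
    expiration: int
    mode: int
    error: int
    key: bytes          # GSS token (constructed placeholder bytes in the test)
    other: bytes = b""


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name (assumption: TKEY names are never compressed)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long")
            out.append(len(raw))
            out += raw
    out.append(0)
    return bytes(out)


def decode_name(buf: bytes, off: int):
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not expected in TKEY RDATA")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def tkey_encode(t: TKey) -> bytes:
    """algorithm | inception u32 | expiration u32 | mode u16 | error u16 |
    keysize u16 | key | othersize u16 | other"""
    return (encode_name(t.algorithm)
            + struct.pack("!IIHHH", t.inception, t.expiration, t.mode, t.error, len(t.key))
            + t.key + struct.pack("!H", len(t.other)) + t.other)


def tkey_decode(rdata: bytes) -> TKey:
    alg, off = decode_name(rdata, 0)
    inception, expiration, mode, error, ksize = struct.unpack_from("!IIHHH", rdata, off)
    off += 14
    key = rdata[off:off + ksize]
    off += ksize
    (osize,) = struct.unpack_from("!H", rdata, off)
    off += 2
    other = rdata[off:off + osize]
    if off + osize != len(rdata):
        raise ValueError("trailing bytes in TKEY RDATA")
    return TKey(alg, inception, expiration, mode, error, key, other)


def key_usable_at(t: TKey, now: int) -> bool:
    """Client rule: reuse the context only inside the server-stated validity window.
    A mode-5 (key deletion) TKEY or any non-zero error means the server has dropped
    or refused the context, so a fresh TKEY negotiation is required."""
    if t.mode == MODE_KEY_DELETION or t.error != 0:
        return False
    return t.inception <= now < t.expiration


def describe(t: TKey) -> str:
    return (f"{t.algorithm} mode={TKEY_MODES.get(t.mode, t.mode)} "
            f"error={TKEY_ERRORS.get(t.error, t.error)} valid={t.inception}..{t.expiration}")


if __name__ == "__main__":
    # Constructed sample: a negotiated GSS-TSIG key valid for 10 hours from t=1000.
    established = TKey("gss-tsig.", 1000, 1000 + 36000, MODE_GSS_API, 0, b"\x60\x01\x02\x03")
    deletion = TKey("gss-tsig.", 1000, 1000 + 36000, MODE_KEY_DELETION, 0, b"")
    for t in (established, deletion):
        wire = tkey_encode(t)
        print(describe(tkey_decode(wire)), "usable at t=1600:", key_usable_at(t, 1600))
```

When the server answers REFUSED without a TKEY RR in the response, none of these fields are available to the client, which is why a plain "Query Refused" cannot be distinguished from a zone-permission problem by the TKEY alone; a client that tracks the expiration it negotiated and treats REFUSED on a previously working key as a signal to renegotiate covers both the mode-5 hint and the silent case.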