Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to create a DNS ns-record set on a Windows Active Directory Server #318

Open
1 task done
nicokauffmann opened this issue Jun 26, 2023 · 3 comments
Open
1 task done

Unable to create a DNS ns-record set on a Windows Active Directory Server #318

nicokauffmann opened this issue Jun 26, 2023 · 3 comments
Labels
bug

Comments

@nicokauffmann
Copy link

Terraform CLI and Provider Versions

Terraform v1.5.0
on linux_amd64

  • provider registry.terraform.io/hashicorp/dns v3.3.2

Terraform Configuration

terraform {
  required_providers {
    dns = {
      source = "hashicorp/dns"
      version = "3.3.2"
    }
  }
}

provider "dns" {
  update {
    server = "dc01.example.com"
    transport = "tcp"
    gssapi {
      realm = "EXAMPLE.COM"
      username = "domain-user"
      password = "domain-password"
      #keytab = "tf_dns_change.keytab"
    }
  }
}

data "dns_ns_record_set" "test-info" {
  host = "info.aws.example.com"
}

output "test-info" {
  value = join(", ", data.dns_ns_record_set.test-info.nameservers)
}

resource "dns_ns_record_set" "test-dev" {
  zone = "example.com."
  name = "dev.aws"
  nameservers = [
    "ns-xxx.co.uk.",
    "ns-xxx.net.",
    "ns-xxx.org.",
    "ns-xxx.com.",
  ]
  ttl = 300
}

Expected Behavior

I was testing the the GSS-TSIG support in the DNS provider. Tried to create a ns-record set in a sub name zone against a Windows Active Directory server.

Actual Behavior

getting provider data ns- record source is working, while setting up a new provider resource ns-record is not working

Steps to Reproduce

  1. terraform apply

How much impact is this issue causing?

High

Logs

https://gist.github.com/nicokauffmann/49cf5ffb2f67554cc20105f3ce9fb19d

Additional Information

Already checked:

  • disabled Nonsecure dynamic updates for the managed hosted zone. Kept Secured only.
  • ensured the user has Create all child permissions in the managed hosted zone.
  • new ns delegation related name servers are working
  • new delegation can be setup manually by using the same user credentials

With the same provider setup, creating/destroying an a-record is working like a charm in the needed sub name zone.

Code of Conduct

  • I agree to follow this project's Code of Conduct
@bendbennett
Copy link
Contributor

Hi @nicokauffmann 👋

Sorry you ran into trouble here. We will need to triage this issue to investigate the underlying cause. Our team's focus is currently elsewhere at the moment, but we will monitor the issue and adjust the priority based on the level of community interest.

Historically, these sorts of issues have tended to be related to environment configuration. Unfortunately, we cannot document every possible nuance of Windows DNS server setups so we have to rely on troubleshooting with a reproduction environment.

A previous issue, Error updating DNS record: unexpected acceptor flag is not set: expecting a token from the acceptor, not in the initiator, walks through some older triage steps that could be attempted, although it looks like you may have tried some of these steps already.

It may also be worth double checking there are no resource records with the same exact name, one thing they may want to look at is whether the prior zone aws.example.com has its own NS. Windows DNS is quite picky about every level having a proper subdomain delegated. It may also be worth checking the Windows logs.

@nicokauffmann
Copy link
Author

Hi @bendbennett 👋
Thx for letting me know and for tipps worth to check.

"...resource records with the same exact name..."
Our sub zone "aws.example.com" (masked) has only five ns records listed. I'm pretty sure the new requested resource doesn't exist. Anyway, I tried also to setup the new ns record with quite unique name to be sure there is no other resource in the whole domain with a similar name. same error.

Looks like other people have still the same problems to create a ns record where setting up an a record is working like a charm.
#141 (comment)

By the way, we are running another separated domain on another windows dns setup where I run in the same kind of error.
Both Windows Server Setups are running on different Windows Server versions.

Happy to hear from you guys.

@Gildus
Copy link

Gildus commented Oct 4, 2023
edited
Loading

Hi @nicokauffmann I saw the error in the log:

https://gist.github.com/nicokauffmann/49cf5ffb2f67554cc20105f3ce9fb19d#file-windows_dns_debug_output-txt-L101

RCODE 5 (REFUSED)

I think is some permissions is needed it.

I have similar case and we can found any solutions yet.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Gildus @bendbennett @nicokauffmann