terraform-provider-dns

Terraform crash with DNS provider

Open ghost opened this issue 4 years ago • 5 comments

This issue was originally opened by @ba-work as hashicorp/terraform#27931. It was migrated here as a result of the provider split. The original body of the issue is below.


Terraform Version

Terraform version v0.14.7
+ provider registry.terraform.io/hashicorp/dns v3.1.0

Terraform Configuration Files

provider "dns" {
  update {
    server = "dc01.fake.domain"
    gssapi {
      realm    = "fake.domain"
      username = "domainUser"
      password = "domainPass"
    }
  }
}

resource "dns_a_record_set" "test" {
  zone      = ".dedicated.zone."
  name      = "*.s"
  addresses = ["10.10.10.10"]
}

Debug Output

https://gist.github.com/ba-work/8ff4de2301b6144e3c4a7b553fd09344

Crash Output

https://gist.github.com/ba-work/53fed20d42cce1f1ef3b4588dab9968a

Expected Behavior

I was testing the new GSS-TSIG support in the DNS provider. Tried to create a wildcard entry and accidentally included a leading "." in front of the zone. Terraform should've put out an error as this is not a valid zone.

Perhaps a related issue, wildcard entries do not work at all via GSS-TSIG and give a: Error updating DNS record: The message or signature supplied for verification has been altered

Actual Behavior

Crash

Steps to Reproduce

  1. terraform init
  2. terraform apply

Additional Context

Obviously you need pre-existing AD DNS with domain auth to try this.

References

ghost avatar Feb 25 '21 20:02 ghost

Thanks for raising the issue, @ba-work. @bodgit, do you have any ideas on this?

kmoe avatar Feb 25 '21 20:02 kmoe

There's a dedicated validator function for zone names so it should be possible to update it to reject a leading period.

For wildcard records, Windows doesn't seem to accept them via dynamic DNS. I've tried using nsupdate and that doesn't work either so I don't believe it's a bug in the code. I suspect Microsoft only envisaged dynamic DNS for hosts updating their own records although it does work for more than just A and PTR records, just not wildcards.

bodgit avatar Feb 25 '21 21:02 bodgit
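As an added illustration of the validator change bodgit describes (example code written for this page, not the provider's own validator), here is a Go zone-name check that rejects the leading period from the original report, requires a fully qualified name, and applies RFC 1035 label and length limits:

```go
package main

import (
	"fmt"
	"strings"
)

// ValidateZone accepts a fully qualified zone such as "dedicated.zone."
// and rejects the ".dedicated.zone." form from this issue, unqualified
// names, empty labels, and over-long labels or names.
// This is an illustrative example, not the provider's validator.
func ValidateZone(zone string) error {
	if zone == "" {
		return fmt.Errorf("zone must not be empty")
	}
	if zone == "." {
		return nil // the root zone is the only valid single-dot name
	}
	if strings.HasPrefix(zone, ".") {
		return fmt.Errorf("zone %q must not start with a period", zone)
	}
	if !strings.HasSuffix(zone, ".") {
		return fmt.Errorf("zone %q must be fully qualified (end with a period)", zone)
	}
	if len(zone) > 254 { // 253 characters plus the trailing dot
		return fmt.Errorf("zone %q exceeds 253 characters", zone)
	}
	// Drop the trailing dot and inspect each label individually.
	for _, label := range strings.Split(strings.TrimSuffix(zone, "."), ".") {
		if label == "" {
			return fmt.Errorf("zone %q contains an empty label", zone)
		}
		if len(label) > 63 {
			return fmt.Errorf("zone %q: label %q exceeds 63 characters", zone, label)
		}
	}
	return nil
}

func main() {
	// Constructed sample inputs, including the zone from the original report.
	for _, z := range []string{"dedicated.zone.", ".dedicated.zone.", "dedicated.zone", "a..b."} {
		fmt.Printf("%-18q -> %v\n", z, ValidateZone(z))
	}
}
```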

@ba-work @bodgit

Is creating wildcard entries supported?

I get an error when trying to do

resource "dns_a_record_set" "test" {
  zone      = "my.zone."
  name      = "*.something"
  addresses = ["10.10.10.10"]
}

Error: Error updating DNS record: 5 (REFUSED)

erSitzt avatar Jan 19 '22 15:01 erSitzt

Hi, I have the same issue with updating wildcard DNS records. How do I create a wildcard (*.test) record?

provider "dns" {
  update {
    server    = "sd-dc01.nko.test"
    transport = "tcp"
    gssapi {
      realm    = "NKO.TEST"
      username = var.ms_user
      password = var.ms_pass
    }
  }
}

resource "dns_a_record_set" "a" {
  zone      = "nko.test."
  ttl       = 3600
  name      = "*.test"
  addresses = ["8.8.8.8"]
}

2022-02-10T13:25:07.792+0300 [INFO] provider.terraform-provider-dns_v3.2.1_x5: 2022/02/10 13:25:07 [DEBUG] Receiving DNS message from server (sd-dc01.nko.test:53):
;; opcode: UPDATE, status: REFUSED, id: 35331
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;nko.test. IN SOA

;; AUTHORITY SECTION:
*.test.nko.test. 3600 IN A 8.8.8.8

;; ADDITIONAL SECTION:

;; TSIG PSEUDOSECTION:
; 846576202.sig-sd-dc01.nko.test. 0 CLASS255 TSIG gss-tsig. 20220210102507 300 28 040404FFFFFFFFFF0000000062D629485

│ Error: Error updating DNS record: unexpected acceptor flag is not set: expecting a token from the acceptor, not in the initiator

godj05 avatar Feb 10 '22 10:02 godj05

@godj05 Which version of the Windows Server are you using? I get the same problem when running Windows Server 2022, but for every update (wildcard and non-wildcard domains). Is there anything specific I'd need to change in the AD User permissions? Btw, I'm using the Domain Administrator in the gssapi config. Any update would be highly appreciated! Thanks

ChristianLempa avatar May 18 '22 14:05 ChristianLempa