terraform-provider-dns: Error updating DNS record: unexpected acceptor flag is not set: expecting a token from the acceptor, not in the initiator
Hello,
I’m trying to create an A record on a Windows DNS server. I’m trying to use it with GSSAPI because I already use kinit to authenticate with a Kerberos ticket. But once I apply my Terraform I got the following error:
terraform apply tfplan
dns_a_record_set.dns: Creating...
╷
│ Error: Error updating DNS record: unexpected acceptor flag is not set: expecting a token from the acceptor, not in the initiator
│
│ with dns_a_record_set.dns,
│ on main.tf line 156, in resource "dns_a_record_set" "dns":
│ 156: resource "dns_a_record_set" "dns" {
│
╵
Did someone have the same issue? I don’t really understand what the error message explains, to be honest.
Terraform Version
terraform -v
Terraform v1.0.3
on linux_amd64
+ provider registry.terraform.io/hashicorp/dns v3.2.1
Affected Resource(s)
- dns_a_record_set
Terraform Configuration Files
variable "hostname" {
  type = string
}

variable "ip_address" {
  type = string
  validation {
    condition     = can(regex("^192\\.168\\.22\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$", var.ip_address))
    error_message = "You should provide an IPv4 in CIDR 192.168.22.0/24."
  }
}

provider "dns" {
  update {
    server = "dns.domain.lan"
    gssapi {
      realm    = "DOMAIN.LAN"
      username = "terraform"
      password = "***"
    }
  }
}

resource "dns_a_record_set" "dns" {
  zone      = "domain.lan."
  name      = var.hostname
  addresses = [var.ip_address]
}
Expected Behavior
Create the A record
Actual Behavior
Error when creating the A record
Steps to Reproduce
terraform apply
Important Factoids
My Kerberos ticket is valid, as I use it for other things. My computer is not part of the Windows Active Directory. Here is my krb5.conf:
[logging]
  default = FILE:/var/log/krb5lib.log

[libdefaults]
  default_realm = DOMAIN.LAN
  dns_fallback = no
  dns_lookup_kdc = no

[realms]
  DOMAIN.LAN = {
    default_principal_flags = +preauth
    admin_server = dns.domain.lan
    kdc = dns.domain.lan
    default_domain = DOMAIN.LAN
    dns_lookup_kdc = false
    dns_lookup_realm = false
  }

[domain_realm]
  .domain.lan = DOMAIN.LAN
  domain.lan = DOMAIN.LAN
References
This issue looks similar, but they said that A records are OK for them:
About this issue
- State: closed
- Created 3 years ago
- Reactions: 6
- Comments: 21 (4 by maintainers)
Commits related to this issue
- bug https://github.com/hashicorp/terraform-provider-dns/issues/160 — committed to Skuratau/tsig by Skuratau 3 years ago
hey @mateuszdrab, regarding external-dns and C record, please check this and ensure you set --txt-prefix: https://github.com/kubernetes-sigs/external-dns/blob/master/charts/external-dns/values.yaml#L113
For me, it was resolved after I implemented two things:
- Nonsecure dynamic updates for the managed hosted zone: kept Secured only.
- Create all child permissions in the managed hosted zone. (This permission might be too permissive, depending on your use-case, but the point is that the user should have the right to do what it needs to.)
If both or one of these is not implemented I got the same error:
Error updating DNS record: unexpected acceptor flag is not set: expecting a token from the acceptor, not in the initiator
Yes, generally you cannot mix a CNAME record with any other record type for a given node:
I’m creating A record, didn’t try with CNAME.
I set dynamic updates to “secured only” to the hosted zone and it works for me
I am able to reproduce this on Windows DNS server. It appears to only happen on the first request to a zone. The request says it fails but the record is created. Subsequent applies work fine. The relevant log shows the DNS request returning a refused status.
Update: the request fails again after a certain time with no requests. In my case I performed an apply successfully and then, after a few hours, a destroy failed the first time with the same message and the subsequent destroy worked.
Appears to be thrown from
https://github.com/jcmturner/gokrb5/blob/v8.4.2/gssapi/MICToken.go#L144 which is called by https://github.com/bodgit/tsig/blob/v1.1.1/gss/gokrb5.go#L212
Update 2:
I have narrowed it down to this line of code: https://github.com/ns1/tsig/blob/master/gss/gokrb5.go#L150
Updating to match the ns1 fork parameters (https://github.com/ns1/tsig/blob/master/gss/gokrb5.go#L150) resolves the issue. I really have no idea what the difference in parameters makes, but it appears to be an issue that can only be addressed in the tsig package.
Hello SamKirsh,
Thanks for your reply.
I checked, and it doesn’t exist in my DNS in any record type.