
Troubleshooting GSS-TSIG

GSS-TSIG (Generic Security Service Algorithm for Secret Key Transaction) is used to authenticate DDNS updates. It is a variant of TSIG authentication that uses the Kerberos v5 authentication system. For more information, see Configuring GSS-TSIG. When GSS-TSIG does not function properly, you might have to troubleshoot it to ensure that DDNS updates are successful.

To troubleshoot GSS-TSIG from the Infoblox Portal, do the following:

  • In the Infoblox Portal, click Configure > Networking > DNS > DNS Servers.

  • Click ☰ and select Troubleshoot > GSS-TSIG for a single DNS server. 

  • In the Troubleshoot dialog, select one of the following GSS-TSIG diagnostic commands:
    • All Commands
    • Keytab: shows the information about the keytab installed on the DNS server.
    • Counters: shows the number of successful and failed attempts to accept a GSS security context. In practice, those attempts correspond to the number of initial TKEY queries for dynamic DNS updates made by using GSS-TSIG. For failed attempts, the number of failures for each cause is also shown, as well as the description of the error.
    • Crypto: shows the number of successful and failed GSS MIC verifications. In practice, this number corresponds to the number of DDNS update requests signed using GSS-TSIG. For failed verifications, the number of failures for each cause is also shown, as well as the description of the error.
  • Click Execute.

The results are shown in the GSS-TSIG DIAGNOSTIC COMMAND RESULTS pane.

To troubleshoot GSS-TSIG from the NIOS-X Server, do the following:

  1. In the Infoblox Portal, click Configure > Servers > NIOS-X Servers.

  2. Select an NIOS-X Server.

  3. Select Service > Troubleshoot > GSS-TSIG. 

  4. In the Troubleshoot dialog, select one of the following GSS-TSIG diagnostic commands:
    • All Commands
    • Keytab: shows the information about the keytab installed on the NIOS-X Server.
    • Counters: shows the number of successful and failed attempts to accept a GSS security context. In practice, those attempts correspond to the number of initial TKEY queries for dynamic DNS updates made by using GSS-TSIG. For failed attempts, the number of failures for each cause is also shown, as well as the description of the error.
    • Crypto: shows the number of successful and failed GSS MIC verifications. In practice, this number corresponds to the number of DDNS update requests signed using GSS-TSIG. For failed verifications, the number of failures for each cause is also shown, as well as the description of the error.
  5. Click Execute.

The results are shown in the GSS-TSIG DIAGNOSTIC COMMAND RESULTS pane.