Fedora placeholder, since in the end I created a patch that seems to work. I'll send it to upstream, so the behavior can be changed at least there.

+++ This bug was initially created as a clone of Bug #1261155 +++

...

--- Additional comment from Petr Spacek on 2015-09-10 14:10:31 CEST ---

Okay then, in that case we have to fix a bug in nsupdate.

nsupdate apparently exits on GSSAPI failure when called with option -g and does not process other command blocks (separated by 'send' command). This is different from the behavior for other errors, where nsupdate just skips the block which failed and continues with the next block of commands.

...

--- Additional comment from Petr Spacek on 2015-09-10 14:58:10 CEST ---

Reproducer:

Store this in a file called "upd":

    update add nsupdate.test.redhat.com 666 IN A 192.0.2.1
    send
    update add nsupdate.test.redhat.com 666 IN TXT "HELLo!"
    send

And compare the output from the following commands:

    $ nsupdate /tmp/upd
    update failed: REFUSED
    update failed: REFUSED

    $ nsupdate -g /tmp/upd
    tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server DNS/xxx not found in Kerberos database.

You can see that the first run without GSSAPI tried both command blocks, but the second run with GSSAPI failed on the first command block and did not continue.
Created attachment 1072610
patch changing the behavior based on upstream git master branch
patch sent to the upstream: [ISC-Bugs #40685] nsupdate: Don't exit on first GSSAPI error
Merged to 9.9.9, 9.9.9(sub), 9.10.4, 9.11.0: https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=ff55c577ba8a95f763b8982b7ab5e4a980209a09
I'm not going to backport the change; it will be available in the next upstream release. Closing UPSTREAM.