diff --git a/CHANGES b/CHANGES
index 83b76cdd75..7fa84cad09 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,9 @@
+4.2.0-dev.208 | 2021-09-23 17:48:13 +0200
+
+  * Fix and extend protocol forwarding/logging in dce_rpc-auth.
+    (FOX-DS)
+
 4.2.0-dev.205 | 2021-09-23 12:24:06 +0200
 
   * Avoid allocation of duplicate zero-length strings for new
diff --git a/VERSION b/VERSION
index b89ddb470f..93866fa7a7 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-4.2.0-dev.205
+4.2.0-dev.208
diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc-auth.pac b/src/analyzer/protocol/dce-rpc/dce_rpc-auth.pac
index d413abd39e..30ca0eeaec 100644
--- a/src/analyzer/protocol/dce-rpc/dce_rpc-auth.pac
+++ b/src/analyzer/protocol/dce-rpc/dce_rpc-auth.pac
@@ -6,11 +6,13 @@ refine connection DCE_RPC_Conn += {
 	%member{
 		zeek::analyzer::Analyzer *gssapi;
 		zeek::analyzer::Analyzer *ntlm;
+		zeek::analyzer::Analyzer *krb;
 	%}
 
 	%init{
 		ntlm = 0;
 		gssapi = 0;
+		krb = 0;
 	%}
 
 	%cleanup{
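Review bot: The new `krb = 0;` in the %init block mirrors the existing `ntlm = 0; gssapi = 0;`, but these are C++ pointers and `nullptr` is the idiom used elsewhere in Zeek; either write the new line as `krb = nullptr;` and update the two neighbours, or at least keep all three consistent. The three members are raw owning pointers released by hand in the %cleanup block (which continues past this hunk), so a short comment on the %member block would help the next reader, e.g. `// Child analyzers for the auth trailer, instantiated on demand in forward_auth() and owned/destroyed by this connection object.`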
@@ -24,24 +26,47 @@ refine connection DCE_RPC_Conn += {
 			ntlm->Done();
 			delete ntlm;
 			}
+		if ( krb )
+			{
+			krb->Done();
+			delete krb;
+			}
+
 		%}
 
 	function forward_auth(auth: DCE_RPC_Auth, is_orig: bool): bool
 		%{
-		switch ( ${auth.type} )
+		switch ( ${auth.type} ) // https://social.msdn.microsoft.com/Forums/en-US/44212c32-a4f6-4960-8799-0e00821650f4/msrpc-and-dcerpc-security?forum=os_windowsprotocols
 			{
 			case 0x09:
 				if ( ! gssapi )
-					gssapi = zeek::analyzer_mgr->InstantiateAnalyzer("KRB", zeek_analyzer()->Conn());
+					gssapi = zeek::analyzer_mgr->InstantiateAnalyzer("GSSAPI", zeek_analyzer()->Conn());
 				if ( gssapi )
 					gssapi->DeliverStream(${auth.blob}.length(), ${auth.blob}.begin(), is_orig);
 				break;
+
+			case 0x10:
+				if ( ! krb )
+					krb = zeek::analyzer_mgr->InstantiateAnalyzer("KRB", zeek_analyzer()->Conn());
+				if ( krb )
+					krb->DeliverStream(${auth.blob}.length(), ${auth.blob}.begin(), is_orig);
+				break;
+
 			case 0x0a:
 				if ( ! ntlm )
 					ntlm = zeek::analyzer_mgr->InstantiateAnalyzer("NTLM", zeek_analyzer()->Conn());
 				if ( ntlm )
 					ntlm->DeliverStream(${auth.blob}.length(), ${auth.blob}.begin(), is_orig);
 				break;
+
+			case 0x0e:
+				zeek_analyzer()->Weird("tls_dce_rpc_auth_type", zeek::util::fmt("%d", ${auth.type}));
+				break;
+
+			case 0x44:
+				zeek_analyzer()->Weird("netlogon_dce_rpc_auth_type", zeek::util::fmt("%d", ${auth.type}));
+				break;
+
 			default:
 				zeek_analyzer()->Weird("unknown_dce_rpc_auth_type", zeek::util::fmt("%d", ${auth.type}));
 				break;
diff --git a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_netlogon/dce_rpc.log b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_netlogon/dce_rpc.log
new file mode 100644
index 0000000000..d4feda9392
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_netlogon/dce_rpc.log
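Review bot: The auth-type case labels in forward_auth are bare magic numbers and the only reference is a forum URL appended to the `switch` line; these values are the MS-RPCE security-provider constants (section 2.2.1.1.7), so document them above the switch and drop the URL: `// auth_type is the security provider ID, MS-RPCE 2.2.1.1.7: 0x09 RPC_C_AUTHN_GSS_NEGOTIATE (SPNEGO), 0x0a RPC_C_AUTHN_WINNT (NTLMSSP), 0x0e RPC_C_AUTHN_GSS_SCHANNEL, 0x10 RPC_C_AUTHN_GSS_KERBEROS, 0x44 RPC_C_AUTHN_NETLOGON`. The two new non-forwarding cases (0x0e, 0x44) are documented providers rather than protocol anomalies, so a comment should say why they still go through Weird(), e.g. on the 0x44 branch `// Known provider, trailer (NL_AUTH_MESSAGE, MS-NRPC 2.2.1.3.1) not parsed yet; surface it rather than stay silent`. The new 0x10 branch also copies the existing pattern of calling DeliverStream() directly on a child analyzer that is never added to the analyzer tree, which as far as I can tell bypasses the Skipping() check that Analyzer::NextStream() would perform; if that is deliberate, a one-line comment on the branch would save the next reader from re-deriving it.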
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dce_rpc
+#open	XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	rtt	named_pipe	endpoint	operation
+#types	time	string	addr	port	addr	port	interval	string	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.10.10.121	58774	10.10.10.100	49676	0.000758	49676	netlogon	NetrLogonSamLogonWithFlags
+#close	XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_netlogon/weird.log b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_netlogon/weird.log
new file mode 100644
index 0000000000..97fcc0b7e9
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_netlogon/weird.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open	XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
+#types	time	string	addr	port	addr	port	string	string	bool	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.10.10.121	58774	10.10.10.100	49676	netlogon_dce_rpc_auth_type	68	F	zeek	DCE_RPC
+#close	XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_ntlm/ntlm.log b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_ntlm/ntlm.log
new file mode 100644
index 0000000000..cb6a77ebf5
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_ntlm/ntlm.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ntlm
+#open	XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	username	hostname	domainname	server_nb_computer_name	server_dns_computer_name	server_tree_name	success
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	10.10.10.121	58772	10.10.10.120	54784	-	-	-	CBTH-WS-2	CBTH-WS-2.blackclover.local	blackclover.local	-
+#close	XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Traces/dce-rpc/dce_rpc_netlogon.pcap b/testing/btest/Traces/dce-rpc/dce_rpc_netlogon.pcap
new file mode 100644
index 0000000000..3de5d2c983
Binary files /dev/null and b/testing/btest/Traces/dce-rpc/dce_rpc_netlogon.pcap differ
diff --git a/testing/btest/Traces/dce-rpc/dce_rpc_ntlm.pcap b/testing/btest/Traces/dce-rpc/dce_rpc_ntlm.pcap
new file mode 100644
index 0000000000..fc5574256b
Binary files /dev/null and b/testing/btest/Traces/dce-rpc/dce_rpc_ntlm.pcap differ
diff --git a/testing/btest/scripts/base/protocols/dce-rpc/dce_rpc_netlogon.zeek b/testing/btest/scripts/base/protocols/dce-rpc/dce_rpc_netlogon.zeek
new file mode 100644
index 0000000000..03560c31e1
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dce-rpc/dce_rpc_netlogon.zeek
@@ -0,0 +1,7 @@
+# @TEST-EXEC: zeek -b -r $TRACES/dce-rpc/dce_rpc_netlogon.pcap %INPUT
+# @TEST-EXEC: btest-diff weird.log
+# @TEST-EXEC: btest-diff dce_rpc.log
+
+@load base/protocols/dce-rpc
+@load base/protocols/ntlm
+@load base/frameworks/notice/weird
diff --git a/testing/btest/scripts/base/protocols/dce-rpc/dce_rpc_ntlm.zeek b/testing/btest/scripts/base/protocols/dce-rpc/dce_rpc_ntlm.zeek
new file mode 100644
index 0000000000..6188eb10bb
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dce-rpc/dce_rpc_ntlm.zeek
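Review bot: The two new tests exercise only the 0x44 (netlogon weird) and 0x0a (NTLM) paths of forward_auth; nothing in this change covers the new 0x10 Kerberos branch or the 0x09 fix that now instantiates GSSAPI instead of KRB, so a regression there would go unnoticed unless the external private suite whose hash is bumped here happens to cover it. A trace with a Kerberos-authenticated bind, diffed against krb.log (and dce_rpc.log), would pin the behaviour this commit claims to fix. The netlogon test also loads `base/protocols/ntlm` without diffing any NTLM output; if that line is only there to mirror the sibling test it can be dropped, otherwise a comment should say what it is for, e.g. `# ntlm loaded so that an unexpected NTLM trailer would surface in the diffed logs`.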
@@ -0,0 +1,5 @@
+# @TEST-EXEC: zeek -b -r $TRACES/dce-rpc/dce_rpc_ntlm.pcap %INPUT
+# @TEST-EXEC: btest-diff ntlm.log
+
+@load base/protocols/dce-rpc
+@load base/protocols/ntlm
diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private
index 1327e53177..9590a998f2 100644
--- a/testing/external/commit-hash.zeek-testing-private
+++ b/testing/external/commit-hash.zeek-testing-private
@@ -1 +1 @@
-44cc696ed070bf7569848437ab1368d557ace4e5
+67f592e6a84d236aaf5cc08c91c71625a095e49a
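Review bot: The ntlm.log baseline this test pins has username, hostname, domainname and success all unset and only the server-side target-info fields populated, which suggests the trace carries the NTLM CHALLENGE leg but not the AUTHENTICATE/response that would prove the full 0x0a forwarding path works in both directions. If the capture does contain the client AUTHENTICATE, the empty fields would point at a forwarding problem worth investigating before baselining; if it does not, a comment in the test saying so would stop a later reader from treating the unset fields as expected behaviour, e.g. `# Trace only contains the server CHALLENGE; username/success stay unset by design`.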