DNS TSIG updates need to check ACLs
Kai Blin
kai at samba.org
Fri Nov 9 02:13:59 MST 2012
On 2012-11-09 10:08, Andriy Syrovenko wrote:
Hi,
> Windows clients seem to be happy with both signed and not signed DNS
> responses. I think the proper fix may be to check if signature is
> present in the response; then if the signature is present, check it; if
> the signature is absent, just silently skip the check. This way it
> should work with the current versions of BIND and (probably) allows fixing
> the AES-related problem Metze mentioned a few posts ago. And Metze's
> patches look like a proper start in this direction to me.
Fair enough. :)
Cheers,
Kai
--
Kai Blin
Worldforge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin
Samba team member http://www.samba.org/samba/team/
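
The check proposed in the quoted message (verify the signature if the response carries one, skip the check otherwise), as an added example that is not part of the original thread or of Samba's code. It walks a raw DNS response to see whether the last additional record is a TSIG RR; `verify_mac` is a hypothetical caller-supplied callback standing in for the real MAC check, and the sample messages are constructed. Under this policy an unsigned response is accepted unauthenticated, so the return value tells the caller which path was taken.

```python
import struct

TSIG_TYPE = 250  # RR type code assigned to TSIG

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past the domain name that starts at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def find_tsig(msg):
    """Return the TSIG RDATA, or None when the message carries no TSIG RR."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off, last = 12, None
    for _ in range(qd):  # question/zone entry: name, type, class
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):  # RR: name, type, class, ttl, rdlength, rdata
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        last = (rtype, msg[off:off + rdlen])
        off += rdlen
    # A TSIG RR, when present, is the last record of the additional section.
    if ar and last[0] == TSIG_TYPE:
        return last[1]
    return None

def check_response(msg, verify_mac):
    """Verify the signature if one is present; otherwise skip the check."""
    rdata = find_tsig(msg)
    if rdata is None:
        return "unsigned-accepted"  # response was not authenticated
    if not verify_mac(msg, rdata):  # verify_mac: hypothetical callback
        raise ValueError("TSIG verification failed")
    return "verified"

# Constructed samples: UPDATE responses for zone example.test; RDATA is a placeholder.
QUESTION = encode_name("example.test") + struct.pack("!HH", 6, 1)
UNSIGNED = struct.pack("!6H", 0x1234, 0xA800, 1, 0, 0, 0) + QUESTION
TSIG_RR = encode_name("key.example.test") + struct.pack("!HHIH", 250, 255, 0, 4) + b"\x00" * 4
SIGNED = struct.pack("!6H", 0x1234, 0xA800, 1, 0, 0, 1) + QUESTION + TSIG_RR
```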