[cifs-protocol] [REG:116052414204136] [MS-GSSA] DDNS TSIG MAC calculation vs DNS name compression
obaidf at microsoft.com
Thu Jun 2 18:40:48 UTC 2016
Thanks for the trace. Looking into it.
Escalation Engineer | Microsoft
Exceeding your expectations is my highest priority. If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com
From: Ralph Boehme [mailto:slow at samba.org]
Sent: Wednesday, May 25, 2016 1:50 AM
To: Obaid Farooqi <obaidf at microsoft.com>
Cc: metze at samba.org; Garming Sam <garming at catalyst.net.nz>; cifs-protocol at lists.samba.org; MSSolve Case Email <casemail at microsoft.com>
Subject: Re: [REG:116052414204136] [MS-GSSA] DDNS TSIG MAC calculation vs DNS name compression
attached. Please see packets 25-32.
On Tue, May 24, 2016 at 10:06:41PM +0000, Obaid Farooqi wrote:
> Hi Ralph:
> I'll help you with this issue and will be in touch as soon as I have an answer.
> Can you please send me the network trace for the Windows to Windows case?
> Obaid Farooqi
> Escalation Engineer | Microsoft
> Exceeding your expectations is my highest priority. If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com
> -----Original Message-----
> From: "Bryan Burgin" <bburgin at microsoft.com>
> Sent: Tuesday, May 24, 2016 10:59 AM
> To: "Ralph Boehme" <slow at samba.org>
> Cc: "metze at samba.org" <metze at samba.org>; "Garming Sam" <garming at catalyst.net.nz>; "cifs-protocol at lists.samba.org" <cifs-protocol at lists.samba.org>; "MSSolve Case Email" <casemail at microsoft.com>
> Subject: [REG:116052414204136] [MS-GSSA] DDNS TSIG MAC calculation vs DNS name compression
> [Dochelp to bcc]
> [+case number, +casemail]
> Hi Ralph,
> Thank you for your question. We created SR 116052414204136 to track this issue. An engineer from the protocols team will contact you soon.
> -----Original Message-----
> From: Ralph Boehme [mailto:slow at samba.org]
> Sent: Tuesday, May 24, 2016 8:53 AM
> To: Interoperability Documentation Help <dochelp at microsoft.com>
> Cc: metze at samba.org; Garming Sam <garming at catalyst.net.nz>; cifs-protocol at lists.samba.org
> Subject: [MS-GSSA] DDNS TSIG MAC calculation vs DNS name compression
> Hello Dochelp!
> I'm seeking clarification about an interop issue we ran into in the area of DNS TSIG MAC verification.
> We observed the following (trace secure-updates-fail2-4.3.1.pcapng
> 1. Samba 4 DC
> 2. Windows 7 client attempts unauthenticated DDNS (p.7)
> 3. server rejects this (p.8)
> 4. Windows 7 client attemping DDNS update with TKEY/TSIG:
> - Windows 7 client sends DNS request with TKEY record (p.14)
> - server DNS response packet contains TKEY and TSIG records (p.16)
> 5. client does *not* send DNS update with TSIG, instead it goes back
> to step 2
> Looking closely at the TSIG server response, we noticed that Samba uses DNS name compression  in the TSIG record (p.16, answer record, name field).
> Comparing against DDNS updates between a Windows DC and a Windows client, we found that server and client avoid name compression in TKEY and TSIG records.
> Changing the Samba DNS response marshalling routines to not use name compression fixed the interop issue and the tested Windows clients now happily do TSIG protected DDNS updates (after fixing two related bugs in our code ).
> Neither RFC 2845, nor RFC 3645 or MS-GSSA cover this and mention how names in TSIG and TKEY records should be marshalled.
> Can you please confirm, that by sticking to the rule of "don't use name compression in TSIG and TKEY records" we can avoid all interop issues with Windows clients in this area?
> Should this be added to MS-GSSA?
>  RFC 1035, 4.1.4. Message compression  <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fgit.samba.org%2f%3fp%3dslow%2fsamba.git%3ba%3dlog%3bh%3drefs%2fheads%2fdns-tkey&data=01%7c01%7cobaidf%40microsoft.com%7cbc6c46108b914be8387a08d38468bebd%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=4pmkm3Bw0h2FGh1%2beuYEg3xeHxjGsvcrrd4tpntLPZQ%3d>
More information about the cifs-protocol