[cifs-protocol] [MS-GSSA] DDNS TSIG MAC calculation vs DNS name compression
slow at samba.org
Tue May 24 15:53:18 UTC 2016
I'm seeking clarification about an interop issue we ran into in the
area of DNS TSIG MAC verification.
We observed the following (trace secure-updates-fail2-4.3.1.pcapng
1. Samba 4 DC
2. Windows 7 client attempts unauthenticated DDNS (p.7)
3. server rejects this (p.8)
4. Windows 7 client attemping DDNS update with TKEY/TSIG:
- Windows 7 client sends DNS request with TKEY record (p.14)
- server DNS response packet contains TKEY and TSIG records (p.16)
5. client does *not* send DNS update with TSIG, instead it goes back
to step 2
Looking closely at the TSIG server response, we noticed that Samba
uses DNS name compression  in the TSIG record (p.16, answer record,
Comparing against DDNS updates between a Windows DC and a Windows
client, we found that server and client avoid name compression in TKEY
and TSIG records.
Changing the Samba DNS response marshalling routines to not use name
compression fixed the interop issue and the tested Windows clients now
happily do TSIG protected DDNS updates (after fixing two related bugs
in our code ).
Neither RFC 2845, nor RFC 3645 or MS-GSSA cover this and mention how
names in TSIG and TKEY records should be marshalled.
Can you please confirm, that by sticking to the rule of "don't use
name compression in TSIG and TKEY records" we can avoid all interop
issues with Windows clients in this area?
Should this be added to MS-GSSA?
 RFC 1035, 4.1.4. Message compression
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 16800 bytes
Desc: not available
More information about the cifs-protocol