Review request: DNS server implementation

tridge at samba.org
Wed Oct 13 06:37:01 MDT 2010


 > Do you have any detail ?

The problem my current patches fix is that it only accepts a fixed
tkey-gssapi-credential and tkey-domain from named.conf.options. This
is crazy. It should accept "DNS/*" or just any key in the keytab.

That's just the start though. The problem is debugging it. I got it to
the stage of "it works for me" ages ago, but so many users have
managed to find interesting ways for it not to work for them, and then
debugging it is really hard. With mismatched bind versions, mismatched
krb5 libs, mismatched resolver libs and different distros' conventions
there are just too many variables.

 > So far we haven't seen major problems, but we also had a dedicated
 > person that knew the bind code base (and wrote bind-dyndb-ldap) and
 > did most of the testing.  But if there are intrinsic kerberos
 > problems I am more than happy to help where I can.

My next plans are:

 - make all the options that affect the TSIG code be settable and
   queryable without restarting bind, so samba can validate them

 - redo the TSIG debug code to give useful output when it refuses an
   update

 - same with the debug code in nsupdate -g

 - see how possible it would be to LD_PRELOAD socket wrapper and uid
   wrapper into bind9, at least on Linux, so we can possibly test this
   in an automated way on some systems

 - add ACL hooks in the backend API (this is harder than it seems at
   first, as the backends currently are storage only, with no way to
   say "no, you can't do that").

But the real killer is the time to get patches in. We needed a new
patch to cope with some of the clients in the SNIA lab. It would take
ages to get this out, which means we'd be telling s4 users that they
have to build their own version of bind. That is a big problem for us.

Cheers, Tridge
