Review request: DNS server implementation
idra at samba.org
Wed Oct 13 06:48:17 MDT 2010
On Wed, 2010-10-13 at 23:37 +1100, tridge at samba.org wrote:
> > Do you have any detail ?
> The problem my current patches fix is that it only accepts a fixed
> tkey-gssapi-credential and tkey-domain from named.conf.options. This
> is crazy. It should accept "DNS/*" or just any key in the keytab.
Yes this is true, it would be best to just accept * and let the gssapi
library find a match within the keys in the keytab.
> My next plans are:
> - make all the options that affect the TSIG code be settable and
> queryable without restarting bind, so samba can validate them
> - redo the TSIG debug code to give useful output when it refuses an
> - same with the debug code in nsupdate -g
> - see how possible it would be to LD_PRELOAD socket wrapper and uid
> wrapper into bind9, at least on linux, so we can possibly test this
> in an automated way on some systems
> - add ACL hooks in the backend API (this is harder than it seems at
> first, as the backends currently are storage only, with no way to
> say "no, you can't do that").
Yes this last one is going to be a very good thing. We thought about
adding that support too for a while, then run out of steam.
> But the real killer is the time to get patches in. We needed a new
> patch to cope with some of the clients in the SNIA lab. It would take
> ages to get this out, which means we'd be telling s4 users that they
> have to build their own version of bind. That is a big problem for us.
Or you can collaborate with distros to get the patches in sooner.
That's what we did with bind in Fedora/RHEL. As soon as we knew the
patches would be accepted upstream we added them to the current
I can see if I can get patches, for which you have at least a tentative
ack from upstream, into Fedora sooner rather than later. I am not the
maintainer of bind, but the maintainer is generally open to help out.
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
More information about the samba-technical