Review request: DNS server implementation

simo idra at samba.org
Wed Oct 13 06:48:17 MDT 2010 

On Wed, 2010-10-13 at 23:37 +1100, tridge at samba.org wrote:
> > Do you have any detail ?
> 
> The problem my current patches fix is that it only accepts a fixed
> tkey-gssapi-credential and tkey-domain from named.conf.options. This
> is crazy. It should accept "DNS/*" or just any key in the keytab. 

Yes this is true, it would be best to just accept * and let the gssapi
library find a match within the keys in the keytab.

> My next plans are:
> 
>  - make all the options that affect the TSIG code be settable and
>    queryable without restarting bind, so samba can validate them
> 
>  - redo the TSIG debug code to give useful output when it refuses an
>    update
> 
>  - same with the debug code in nsupdate -g
> 
>  - see how possible it would be to LD_PRELOAD socket wrapper and uid
>    wrapper into bind9, at least on linux, so we can possibly test this
>    in an automated way on some systems
> 
>  - add ACL hooks in the backend API (this is harder than it seems at
>    first, as the backends currently are storage only, with no way to
>    say "no, you can't do that").

Yes this last one is going to be a very good thing. We thought about
adding that support too for a while, then run out of steam.

> But the real killer is the time to get patches in. We needed a new
> patch to cope with some of the clients in the SNIA lab. It would take
> ages to get this out, which means we'd be telling s4 users that they
> have to build their own version of bind. That is a big problem for us.

Or you can collaborate with distros to get the patches in sooner.
That's what we did with bind in Fedora/RHEL. As soon as we knew the
patches would be accepted upstream we added them to the current
distribution.

I can see if I can get patches, for which you have at least a tentative
ack from upstream, into Fedora sooner rather than later. I am not the
maintainer of bind, but the maintainer is generally open to help out.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>

More information about the samba-technical mailing list