DNS TSIG updates need to check ACLs

Andriy Syrovenko andriys at gmail.com
Wed Nov 7 03:31:15 MST 2012

Hello Kai,

Sorry for disturbing you, but what's the decision? While looking through
the list of 4.0 release blockers (that was sent to the list recently) I
thought that the https://bugzilla.samba.org/show_bug.cgi?id=7466 might be

Prior to sending you this message I've checked the latest 3.6 release (i.e.
3.6.9) against the 4.0rc4 and the issue is still here:

bash-4.2# net ads dns register
DNS Update for svn01.xxx.intra failed: ERROR_DNS_INVALID_MESSAGE
DNS update failed!

Best regards,

2012/9/7 Kai Blin <kai at samba.org>

> On 2012-09-06 13:23, Kai Blin wrote:
> Hi Andriy,
> this is a bit more complicated. The TKEY RFC (2930) claims "Except for
> GSS-API mode, TKEY responses MUST always have DNS transaction
> authentication", so the TSIG is optional (see RFC2930, page 7).
> However, the GSS-TSIG RFC (3645) claims "the message MUST be signed with
> a TSIG record" (see RFC3645, page 14). So it looks like we're in a bit
> off a mess.
> I would still claim that we want to stick to the later RFC. But, seeing
> how libaddns does not verify the signature anyway, insisting on the
> signature seems a bit silly.
> Let me think about this a little more, please.
> Cheers,
> Kai
> --
> Kai Blin
> Worldforge developer http://www.worldforge.org/
> Wine developer http://wiki.winehq.org/KaiBlin
> Samba team member http://www.samba.org/samba/team/

More information about the samba-technical mailing list