DNS TSIG updates need to check ACLs

Kai Blin kai at samba.org
Thu Nov 8 14:54:11 MST 2012

On 2012-11-08 17:12, Andriy Syrovenko wrote:

Hi Andriy,

> I was thinking about filing a bug, but I am at a loss which product to
> consider affected. S3? S4? BIND? Please advise.

I think this is a BIND bug. It is, however, a bug we could work around
in libaddns. I'm not sure what the other devs think.

Any ideas? I don't like the workaround, but arguably libaddns never
really checks the signature anyway, so the check that's happening is
pretty useless.

We will however run into this problem again in future if we ever switch
to an implementation that follows the RFC for client-side GSS-TSIG checks.


Kai Blin
Worldforge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin
Samba team member http://www.samba.org/samba/team/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 259 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20121108/ec9bc23f/attachment.pgp>

More information about the samba-technical mailing list