DNS TSIG updates need to check ACLs
amitay at gmail.com
Thu Nov 8 17:16:23 MST 2012
On Fri, Nov 9, 2012 at 8:54 AM, Kai Blin <kai at samba.org> wrote:
> On 2012-11-08 17:12, Andriy Syrovenko wrote:
> Hi Andriy,
>> I was thinking about filing a bug, but I am at a loss which product to
>> consider affected. S3? S4? BIND? Please advise.
> I think this is a BIND bug. It is, however, a bug we could work around
> in libaddns. I'm not sure what the other devs think.
> Any ideas? I don't like the workaround, but arguably libaddns never
> really checks the signature anyway, so the check that's happening is
> pretty useless.
> We will however run into this problem again in future if we ever switch
> to an implementation that follows the RFC for client-side GSS-TSIG checks.
I have reproduced the issue where net ads join is not able to update the
DNS record. I will have to check with Andrew Bartlett for details on
how to fix this since the GSS-TSIG verification is being done using the
gensec API. Unless, Kai, you have any suggestions on how to fix this.
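An added example of the client-side check Kai describes as missing (the updater verifying the TSIG on the server's reply), not code from Samba, libaddns or BIND: it uses HMAC-SHA256 TSIG rather than GSS-TSIG so that it runs offline, and the key name host.example.com., the shared secret, the timestamp and the UPDATE messages are constructed for the demo. The reply MAC is computed over the request MAC, the reply without its TSIG RR, and the TSIG variables, as RFC 2845 section 3.4 lays out, so a reply that was never signed, was signed with a different key, or had its RCODE rewritten from REFUSED to NOERROR in flight fails, while a genuinely signed REFUSED verifies and tells the client the refusal really came from the server.

```python
# Added example, not Samba/libaddns or BIND code: HMAC-SHA256 TSIG stands in for GSS-TSIG.
import hashlib
import hmac
import struct

TSIG_TYPE, CLASS_ANY, OPCODE_UPDATE, RCODE_REFUSED = 250, 255, 5, 5
ALG = "hmac-sha256."

def wire_name(name):
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def read_name(wire, off):
    """Read a possibly compressed name; return (lowercase dotted name, offset after it)."""
    labels, end = [], None
    while True:
        length = wire[off]
        if length & 0xC0 == 0xC0:                       # compression pointer: follow it, keep end
            end = off + 2 if end is None else end
            off = struct.unpack("!H", wire[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(wire[off:off + length].decode().lower())
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def digest_input(request_mac, msg, key_name, ts, fudge, error):
    """Bytes the MAC covers (RFC 2845 3.4): request MAC (responses only), message, TSIG variables."""
    prefix = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    return (prefix + msg + wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(ALG)
            + struct.pack("!HI", ts >> 32, ts & 0xFFFFFFFF) + struct.pack("!HHH", fudge, error, 0))

def sign(msg, key_name, key, request_mac=b"", time_signed=0, fudge=300, error=0):
    """Append a TSIG RR to an unsigned message; return (signed wire, mac)."""
    mac = hmac.new(key, digest_input(request_mac, msg, key_name, time_signed, fudge, error), hashlib.sha256).digest()
    rdata = (wire_name(ALG) + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
             + struct.pack("!HH", fudge, len(mac)) + mac + msg[0:2]       # original ID
             + struct.pack("!HH", error, 0))                               # error, other len
    rr = wire_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr, mac

def verify(wire, key_name, key, request_mac, now):
    """Check the trailing TSIG RR; return (ok, reason). request_mac is b"" for a request and
    the MAC of the request we sent for its response (the client-side check the thread discusses)."""
    try:
        qd, an, ns, ar = struct.unpack("!HHHH", wire[4:12])
        if ar == 0:
            return False, "no TSIG RR on message"
        off = 12
        for _ in range(qd):
            off = read_name(wire, off)[1] + 4
        for _ in range(an + ns + ar - 1):                 # skip every record before the last AR
            off = read_name(wire, off)[1]
            off += 10 + struct.unpack("!H", wire[off + 8:off + 10])[0]
        tsig_off, (name, p) = off, read_name(wire, off)
        rtype, rclass = struct.unpack("!HH", wire[p:p + 4])
        alg, p = read_name(wire, p + 10)
        ts_hi, ts_lo, fudge, mac_size = struct.unpack("!HIHH", wire[p:p + 10])
        mac, p = wire[p + 10:p + 10 + mac_size], p + 10 + mac_size
        orig_id, error = struct.unpack("!HH", wire[p:p + 4])   # other data (BADTIME only) not handled
    except (struct.error, IndexError, UnicodeDecodeError):
        return False, "malformed message"
    if rtype != TSIG_TYPE or rclass != CLASS_ANY or alg != ALG or name != key_name.lower().rstrip(".") + ".":
        return False, "last AR record is not a TSIG RR for our key and algorithm"
    if mac_size == 0:
        return False, "server returned unsigned TSIG error %d" % error
    # Rebuild the message as it looked before signing: original ID, ARCOUNT - 1, no TSIG RR.
    unsigned = struct.pack("!H", orig_id) + wire[2:10] + struct.pack("!H", ar - 1) + wire[12:tsig_off]
    ts = (ts_hi << 32) | ts_lo
    expected = hmac.new(key, digest_input(request_mac, unsigned, name, ts, fudge, error), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "MAC mismatch"
    if abs(now - ts) > fudge or error != 0:
        return False, "stale time or server TSIG error %d" % error
    return True, "ok"

def build_update(msg_id, response=False, rcode=0):
    """Constructed minimal UPDATE message: header plus the zone section for example.com."""
    flags = (0x8000 if response else 0) | (OPCODE_UPDATE << 11) | rcode
    return struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0) + wire_name("example.com.") + struct.pack("!HH", 6, 1)

def demo(now=1352419200):                                  # constructed timestamp, 2012-11-09 UTC
    key_name, key = "host.example.com.", b"constructed-shared-secret"   # assumed demo key
    req, req_mac = sign(build_update(0x1234), key_name, key, time_signed=now)
    reply = lambda rcode, k: sign(build_update(0x1234, True, rcode), key_name, k, req_mac, now)[0]
    refused = reply(RCODE_REFUSED, key)
    tampered = refused[:3] + bytes([refused[3] & 0xF0]) + refused[4:]   # REFUSED rewritten to NOERROR in flight
    return {
        "request_at_server": verify(req, key_name, key, b"", now),
        "genuine_noerror_reply": verify(reply(0, key), key_name, key, req_mac, now),
        "genuine_refused_reply": verify(refused, key_name, key, req_mac, now),
        "unsigned_forged_noerror": verify(build_update(0x1234, True), key_name, key, req_mac, now),
        "wrong_key_reply": verify(reply(0, b"attacker-guess"), key_name, key, req_mac, now),
        "tampered_refused_to_noerror": verify(tampered, key_name, key, req_mac, now),
    }
```

demo() returns a dict of (ok, reason) per case. The same verify() serves both directions: with an empty request MAC it is the server-side check on the incoming update, with the MAC of the update we sent it is the client-side check on the reply. A client that skips it would take the unsigned or tampered NOERROR as a successful update.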