DNS TSIG updates need to check ACLs

Stefan (metze) Metzmacher metze at samba.org
Fri Nov 9 00:12:50 MST 2012

Am 08.11.2012 22:54, schrieb Kai Blin:
> On 2012-11-08 17:12, Andriy Syrovenko wrote:
> Hi Andriy,
>> I was thinking about filing a bug, but I am at a loss which product to
>> consider affected. S3? S4? BIND? Please advise.
> I think this is a BIND bug. It is, however, a bug we could work around
> in libaddns. I'm not sure what the other devs think.
> Any ideas? I don't like the workaround, but arguably libaddns never
> really checks the signature anyway, so the check that's happening is
> pretty useless.
> We will however run into this problem again in future if we ever switch
> to an implementation that follows the RFC for client-side GSS-TSIG checks.

I think it's a bug that we don't check, and it might be the reason why some
had problems using aes keys for dns updates.

As with aes, the acceptor subkey is different from the initiator subkey,
which means that the client may use a different session key for the
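As an added example (not part of this mail, and not libaddns or BIND code), the following shows what a client-side TSIG check on a DNS UPDATE response actually covers, following RFC 2845: the response MAC is computed over the request MAC, the response message without its TSIG RR, and the TSIG variables, and a client verifies it with the key it believes the server used. It uses plain HMAC-SHA256 TSIG; GSS-TSIG (RFC 3645) builds the same digest input but signs it with GSS_GetMIC and checks it with GSS_VerifyMIC instead of an HMAC. The key name, keys, timestamps and messages below are constructed for the demo. The wrong-key case is the one a client that skips verification would silently accept.

```python
"""Minimal RFC 2845 TSIG signing and verification for a DNS UPDATE exchange.
Added example, not libaddns/BIND code. Keys, names and messages are constructed."""
import hmac
import hashlib
import struct

# Constructed demo keys. With GSS-TSIG these would come from the GSS security
# context rather than from a configured shared secret.
CLIENT_KEY = b"client-session-key-0123456789abcdef"
OTHER_KEY = b"some-other-key-fedcba9876543210"
KEY_NAME = "1234.sig-host.example."   # constructed TSIG key name (owner of the TSIG RR)
ALGORITHM = "hmac-sha256."            # plain HMAC TSIG; "gss-tsig." would use GSS_GetMIC here
FUDGE = 300                           # allowed clock skew in seconds


def encode_name(name):
    """Wire-format a dotted name without compression, as TSIG requires."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_update(zone, msg_id, response=False, rcode=0):
    """Bare DNS UPDATE header plus Zone section (an SOA question for the zone)."""
    flags = 0x2800 | rcode            # opcode UPDATE (5)
    if response:
        flags |= 0x8000               # QR bit set on the server's reply
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", 6, 1)   # SOA, IN
    return header + zone_section


def tsig_variables(time_signed, fudge, error=0, other=b""):
    """TSIG RR fields covered by the MAC (RFC 2845 section 3.4.2)."""
    return (encode_name(KEY_NAME) + struct.pack("!HI", 255, 0)      # class ANY, TTL 0
            + encode_name(ALGORITHM)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)  # 48-bit time
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def compute_mac(key, message, time_signed, fudge, request_mac=None):
    """RFC 2845 section 3.4: [request MAC] + message without TSIG + TSIG variables."""
    data = b""
    if request_mac is not None:       # responses are chained to the request's MAC
        data += struct.pack("!H", len(request_mac)) + request_mac
    data += message + tsig_variables(time_signed, fudge)
    return hmac.new(key, data, hashlib.sha256).digest()


def sign_request(key, message, time_signed):
    return compute_mac(key, message, time_signed, FUDGE)


def sign_response(key, message, time_signed, request_mac):
    return compute_mac(key, message, time_signed, FUDGE, request_mac)


def verify_response(key, message, time_signed, request_mac, mac, now):
    """The check a client performs before trusting an UPDATE response."""
    if abs(now - time_signed) > FUDGE:
        return False                  # outside the time window: stale or replayed
    expected = compute_mac(key, message, time_signed, FUDGE, request_mac)
    return hmac.compare_digest(expected, mac)


def demo():
    """Run the exchange and return which responses the client accepts."""
    t = 1352415600                    # constructed "time signed" (seconds since epoch)
    req = build_update("example.", 0x1234)
    req_mac = sign_request(CLIENT_KEY, req, t)
    resp = build_update("example.", 0x1234, response=True)
    good_mac = sign_response(CLIENT_KEY, resp, t, req_mac)
    wrong_key_mac = sign_response(OTHER_KEY, resp, t, req_mac)      # server used another key
    unchained_mac = compute_mac(CLIENT_KEY, resp, t, FUDGE)          # request MAC not included
    tampered = build_update("example.", 0x1234, response=True, rcode=5)  # REFUSED instead of NOERROR
    return {
        "good": verify_response(CLIENT_KEY, resp, t, req_mac, good_mac, now=t),
        "wrong_key": verify_response(CLIENT_KEY, resp, t, req_mac, wrong_key_mac, now=t),
        "unchained": verify_response(CLIENT_KEY, resp, t, req_mac, unchained_mac, now=t),
        "tampered": verify_response(CLIENT_KEY, tampered, t, req_mac, good_mac, now=t),
        "stale": verify_response(CLIENT_KEY, resp, t, req_mac, good_mac, now=t + 1000),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:10s} accepted={accepted}")
```

Only the "good" response passes; a client that never runs verify_response accepts all five, which is the situation described for libaddns above.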


