DNS TSIG updates need to check ACLs

Stefan (metze) Metzmacher metze at samba.org
Fri Nov 9 01:11:52 MST 2012


On 09.11.2012 08:12, Stefan (metze) Metzmacher wrote:
> On 08.11.2012 22:54, Kai Blin wrote:
>> On 2012-11-08 17:12, Andriy Syrovenko wrote:
>>
>> Hi Andriy,
>>
>>> I was thinking about filing a bug, but I am at a loss which product to
>>> consider affected. S3? S4? BIND? Please advise.
>>
>> I think this is a BIND bug. It is, however, a bug we could work around
>> in libaddns. I'm not sure what the other devs think.
>>
>> Any ideas? I don't like the workaround, but arguably libaddns never
>> really checks the signature anyway, so the check that's happening is
>> pretty useless.
>>
>> We will however run into this problem again in future if we ever switch
>> to an implementation that follows the RFC for client-side GSS-TSIG checks.
> 
> I think it's a bug that we don't check, and it might be the reason why some
> people had problems using aes keys for dns updates.
> 
> As with aes the acceptor subkey is different from the initiator subkey,
> which means that the client may use a different session key for the
> signature.

Ok, after looking at a network capture and the code,
I think we can fix lib/addns/dnsgss.c to work around the problem.

Please review and push the attached patches.

metze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tmp.diff
Type: text/x-diff
Size: 9151 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20121109/e5649545/attachment.diff>