DNS TSIG updates need to check ACLs

Stefan (metze) Metzmacher metze at samba.org
Fri Nov 9 01:17:40 MST 2012

Grr, wrong attachment sorry...

Am 09.11.2012 09:11, schrieb Stefan (metze) Metzmacher:
> Am 09.11.2012 08:12, schrieb Stefan (metze) Metzmacher:
>> Am 08.11.2012 22:54, schrieb Kai Blin:
>>> On 2012-11-08 17:12, Andriy Syrovenko wrote:
>>> Hi Andriy,
>>>> I was thinking about filing a bug, but I am at a loss which product to
>>>> consider affected. S3? S4? BIND? Please advise.
>>> I think this is a BIND bug. It is, however, a bug we could work around
>>> in libaddns. I'm not sure what the other devs think.
>>> Any ideas? I don't like the workaround, but arguably libaddns never
>>> really checks the signature anyway, so the check that's happening is
>>> pretty useless.
>>> We will however run into this problem again in future if we ever switch
>>> to an implementation that follows the RFC for client-side GSS-TSIG checks.
>> I think it's a bug that we don't check, and it might be the reason why some
>> people had problems using AES keys for DNS updates.
>> As with aes the acceptor subkey is different from the initiator subkey,
>> which means that the client may use a different session key for the
>> signature.
> Ok, after looking at a network capture and the code,
> I think we can fix lib/addns/dnsgss.c to work around the problem.
> Please review and push the attached patches.
> metze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tmp.diff
Type: text/x-diff
Size: 3433 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20121109/735c7b7c/attachment.diff>
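The check the thread says libaddns skips, written out as an added example (my code, not Samba's or libaddns's, and not the patch attached above): a client signs a DNS UPDATE with a TSIG RR, the server answers with its own TSIG RR, and the client verifies that reply per RFC 2845 (MAC over the length-prefixed request MAC, the message with the TSIG RR stripped and ARCOUNT decremented, and the TSIG variables). Two assumptions are mine: HMAC-SHA256 (RFC 4635) stands in for the GSS_GetMIC() that GSS-TSIG (RFC 3645) would use, and two distinct raw keys stand in for the initiator and acceptor subkeys metze mentions, so the example also shows that a reply signed under the acceptor key fails when checked under the initiator key. All names are uncompressed; the key name, timestamp and keys are constructed values.

```python
"""Added example, not Samba/libaddns code: RFC 2845-style TSIG signing of a DNS
UPDATE and client-side verification of the server's signed reply.
Assumptions (mine, not from the thread): HMAC-SHA256 (RFC 4635) stands in for the
GSS_GetMIC() of GSS-TSIG (RFC 3645); the two distinct keys stand in for the
initiator and acceptor subkeys; all names are uncompressed."""
import hashlib
import hmac
import struct

TSIG_TYPE = 250            # RR type TSIG
CLASS_ANY = 255
ALGO_NAME = "hmac-sha256."
TYPE_SOA, CLASS_IN = 6, 1
OPCODE_UPDATE = 5 << 11    # UPDATE opcode in the flags word


def encode_name(name):
    """Wire-format a dotted DNS name without compression."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_name(buf, off):
    """Inverse of encode_name; returns (name, offset after the name)."""
    labels = []
    while buf[off]:
        labels.append(buf[off + 1:off + 1 + buf[off]].decode("ascii"))
        off += 1 + buf[off]
    return ".".join(labels) + ".", off + 1


def build_message(msg_id, flags, zone):
    """Minimal DNS message: header plus the zone (question) section of an UPDATE."""
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)


def tsig_variables(key_name, time_signed, fudge, error, other):
    """TSIG RR fields covered by the MAC (RFC 2845 section 3.4.2)."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(ALGO_NAME)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other)) + other)


def compute_mac(key, message, variables, request_mac):
    """MAC input: [length-prefixed request MAC] + message (TSIG RR removed) + TSIG variables."""
    prefix = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    return hmac.new(key, prefix + message + variables, hashlib.sha256).digest()


def sign(message, key, key_name, time_signed, fudge=300, request_mac=b""):
    """Append a TSIG RR to `message`; returns (signed_message, mac). A reply is signed
    with the request's MAC as `request_mac`, which binds the reply to that request."""
    variables = tsig_variables(key_name, time_signed, fudge, 0, b"")
    mac = compute_mac(key, message, variables, request_mac)
    msg_id = struct.unpack("!H", message[:2])[0]
    arcount = struct.unpack("!H", message[10:12])[0]
    rdata = (encode_name(ALGO_NAME)
             + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + struct.pack("!HHH", msg_id, 0, 0))
    rr = encode_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    return message[:10] + struct.pack("!H", arcount + 1) + message[12:] + rr, mac


def verify(signed, key, request_mac=b"", now=None):
    """Client-side check of a signed reply: locate the trailing TSIG RR, rebuild the
    MAC input exactly as the signer saw it and compare in constant time."""
    msg_id, _, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    if ar == 0:
        return False, "unsigned reply"
    off = 12
    for _ in range(qd):
        off = parse_name(signed, off)[1] + 4
    for _ in range(an + ns + ar - 1):              # skip every RR before the last one
        off = parse_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    key_name, off = parse_name(signed, off)
    rtype, rclass, _, rdlen = struct.unpack("!HHIH", signed[off:off + 10])
    off += 10
    if rtype != TSIG_TYPE or rclass != CLASS_ANY or off + rdlen != len(signed):
        return False, "last RR is not a TSIG RR"
    algo, off = parse_name(signed, off)
    hi, lo, fudge, mac_len = struct.unpack("!HIHH", signed[off:off + 10])
    off += 10
    mac, off = signed[off:off + mac_len], off + mac_len
    orig_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + other_len]
    if algo != ALGO_NAME or orig_id != msg_id:
        return False, "algorithm or original ID mismatch"
    time_signed = (hi << 32) | lo
    if now is not None and abs(now - time_signed) > fudge:
        return False, "outside fudge window"
    message = signed[:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    expected = compute_mac(key, message, tsig_variables(key_name, time_signed, fudge, error, other),
                           request_mac)
    ok = hmac.compare_digest(mac, expected)
    return ok, "ok" if ok else "MAC mismatch"


def demo():
    """Constructed exchange: the client signs an UPDATE with the initiator key, the server
    answers with the acceptor key. Returns the outcome of each client-side check."""
    initiator_key = b"initiator-subkey-constructed-for-demo"   # constructed, not a real key
    acceptor_key = b"acceptor-subkey-constructed-for-demo"     # constructed, not a real key
    key_name, t = "1234-5678-abcd.example.com.", 1352450260    # constructed TKEY name / time
    request = build_message(0x1234, OPCODE_UPDATE, "example.com.")
    signed_request, request_mac = sign(request, initiator_key, key_name, t)
    reply = build_message(0x1234, OPCODE_UPDATE | 0x8000, "example.com.")
    signed_reply, _ = sign(reply, acceptor_key, key_name, t, request_mac=request_mac)
    tampered = signed_reply[:3] + bytes([signed_reply[3] | 0x05]) + signed_reply[4:]  # RCODE -> REFUSED
    return {
        "server_verifies_request": verify(signed_request, initiator_key)[0],
        "client_checks_with_initiator_key": verify(signed_reply, initiator_key, request_mac)[0],
        "client_checks_with_acceptor_key": verify(signed_reply, acceptor_key, request_mac)[0],
        "client_checks_without_request_mac": verify(signed_reply, acceptor_key)[0],
        "client_checks_tampered_reply": verify(tampered, acceptor_key, request_mac)[0],
        "client_accepts_unsigned_reply": verify(reply, acceptor_key, request_mac)[0],
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the `demo()` rows: a client that skips `verify()` accepts the unsigned and the tampered replies, and a client that verifies with the key it signed the request with fails on a reply the server signed with a different session key, which is the AES acceptor-subkey situation described in the thread. A real GSS-TSIG client would replace `compute_mac()` with GSS_GetMIC()/GSS_VerifyMIC() on the established context rather than holding raw keys.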
