DNS TSIG updates need to check ACLs

Andriy Syrovenko andriys at gmail.com
Fri Nov 9 02:08:57 MST 2012


Windows clients seem to be happy with both signed and not signed DNS
responses. I think the proper fix may be to check if a signature is present
in the response; then if the signature is present, check it; if the
signature is absent, just silently skip the check. This way it should work
with the current versions of BIND and (probably) allows fixing the
AES-related problem Metze mentioned a few posts ago. And Metze's patches
look like a proper start in this direction to me.


2012/11/9 Kai Blin <kai at samba.org>

> On 2012-11-09 09:17, Stefan (metze) Metzmacher wrote:
> Hi Metze,
> >> Ok, after looking at a network capture and the code,
> >> I think we can fix lib/addns/dnsgss.c to work around the problem.
> >>
> >> Please review and push the attached patches.
> Yes, that's pretty much what Andriy suggested in September. I'm not
> completely happy with that change, because it effectively just hides
> that BIND isn't behaving correctly. If we ever ditch libaddns for
> something that does a correct check, we'll run into the problem again.
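The "verify the TSIG when it is present, skip the check when it is absent" policy from the post, and the strict alternative Kai's reply argues for, as an added example that is not Samba's libaddns code. The thread concerns GSS-TSIG in lib/addns/dnsgss.c; this stand-alone example assumes plain HMAC TSIG (hmac-sha256, RFC 8945) instead, because it can run offline without GSSAPI. The key name `ddns-key.`, the zone `example.com.` and the key bytes are constructed values; `require_signature` is a hypothetical policy switch that turns the lenient check into the strict one.

```python
import hashlib
import hmac
import struct
import time

TSIG_TYPE = 250          # RR type TSIG
CLASS_ANY = 255          # TSIG RRs carry class ANY and TTL 0
ALG_HMAC_SHA256 = "hmac-sha256."


def encode_name(name):
    """Wire-encode a dotted domain name without compression."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(buf, off):
    """Decode an uncompressed wire name at buf[off]; return (name, new_off)."""
    labels = []
    while True:
        ln = buf[off]
        off += 1
        if ln == 0:
            return ".".join(labels) + ".", off
        if ln & 0xC0:
            raise ValueError("compression pointers are not handled in this example")
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln


def build_update_response(msg_id, zone="example.com."):
    """Constructed DNS UPDATE response: QR=1, opcode UPDATE, NOERROR, one SOA question."""
    header = struct.pack("!HHHHHH", msg_id, 0xA800, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", 6, 1)  # SOA, IN


def _tsig_vars(key_name, alg, time_signed, fudge, error, other):
    """TSIG variables covered by the MAC (RFC 8945 4.3.3): name, class, TTL, ..."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(alg) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign(msg, key_name, key, now=None, fudge=300, request_mac=b""):
    """Append a TSIG RR. For responses the MAC also covers the request MAC."""
    now = int(time.time()) if now is None else now
    tvars = _tsig_vars(key_name, ALG_HMAC_SHA256, now, fudge, 0, b"")
    prefix = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    mac = hmac.new(key, prefix + msg + tvars, hashlib.sha256).digest()
    msg_id = struct.unpack("!H", msg[:2])[0]
    rdata = (encode_name(ALG_HMAC_SHA256) + now.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", msg_id, 0, 0))
    rr = encode_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1   # TSIG lives in the additional section
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr


def find_tsig(msg):
    """Return (rr_offset, key_name, rdata) when the last RR is a TSIG, else None."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    found = None
    for i in range(an + ns + ar):
        start = off
        name, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TSIG_TYPE and i == an + ns + ar - 1:
            found = (start, name, msg[off:off + rdlen])
        off += rdlen
    return found


def verify(msg, keys, request_mac=b"", now=None, require_signature=False):
    """Lenient policy from the post: check a TSIG if present, skip if absent.
    require_signature=True rejects unsigned responses instead. Returns (ok, reason)."""
    loc = find_tsig(msg)
    if loc is None:
        if require_signature:
            return False, "unsigned response rejected"
        return True, "no TSIG present; check skipped"
    start, key_name, rdata = loc
    key = keys.get(key_name)
    if key is None:
        return False, "unknown key"
    alg, p = decode_name(rdata, 0)
    time_signed = int.from_bytes(rdata[p:p + 6], "big")
    fudge, mac_size = struct.unpack("!HH", rdata[p + 6:p + 10])
    mac = rdata[p + 10:p + 10 + mac_size]
    p += 10 + mac_size
    _, error, other_len = struct.unpack("!HHH", rdata[p:p + 6])
    other = rdata[p + 6:p + 6 + other_len]
    if alg != ALG_HMAC_SHA256:
        return False, "unsupported algorithm"
    # Rebuild the message as it was signed: TSIG RR removed, ARCOUNT decremented.
    arcount = struct.unpack("!H", msg[10:12])[0] - 1
    unsigned = msg[:10] + struct.pack("!H", arcount) + msg[12:start]
    prefix = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    tvars = _tsig_vars(key_name, alg, time_signed, fudge, error, other)
    expected = hmac.new(key, prefix + unsigned + tvars, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "MAC mismatch"
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge:
        return False, "time signed outside fudge window"
    return True, "TSIG verified"
```

With `require_signature=False` the verifier behaves as the post proposes: a response from a server that sends no TSIG passes, while a response that carries one must verify. Flipping the switch gives the behaviour Kai's reply prefers, where the absence of a signature is itself a failure rather than something the client accepts.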

More information about the samba-technical mailing list