DNS TSIG updates need to check ACLs

Kai Blin kai at samba.org
Fri Nov 9 02:13:59 MST 2012

On 2012-11-09 10:08, Andriy Syrovenko wrote:


> Windows clients seems to be happy with both signed and not signed DNS
> responses. I think the proper fix may be to check if signature is
> present in the response; then if the signature is present, check it; if
> the signature is absent, just silently skip the check. This way it
> should work with the current versions of BIND and (probably) allows to
> fix the AES-related problem Metze mentioned a few posts ago. And Metze's
> patches look like a proper start in this direction to me.

Fair enough. :)


Kai Blin
Worldforge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin
Samba team member http://www.samba.org/samba/team/

More information about the samba-technical mailing list