DNS TSIG updates need to check ACLs

Stefan (metze) Metzmacher metze at samba.org
Tue Nov 13 01:10:16 MST 2012


Hi,

is it possible that someone reviews and pushes these patches?

Thanks!

metze

> Am 09.11.2012 09:11, schrieb Stefan (metze) Metzmacher:
>> Am 09.11.2012 08:12, schrieb Stefan (metze) Metzmacher:
>>> Am 08.11.2012 22:54, schrieb Kai Blin:
>>>> On 2012-11-08 17:12, Andriy Syrovenko wrote:
>>>>
>>>> Hi Andriy,
>>>>
>>>>> I was thinking about filing a bug, but I am at a loss which product to
>>>>> consider affected. S3? S4? BIND? Please advise.
>>>>
>>>> I think this is a BIND bug. It is, however, a bug we could work around
>>>> in libaddns. I'm not sure what the other devs think.
>>>>
>>>> Any ideas? I don't like the workaround, but arguably libaddns never
>>>> really checks the signature anyway, so the check that's happening is
>>>> pretty useless.
>>>>
>>>> We will however run into this problem again in future if we ever switch
>>>> to an implementation that follows the RFC for client-side GSS-TSIG checks.
>>>
>>> I think it's a bug that we don't check, and it might be the reason why some
>>> people had problems using AES keys for DNS updates.
>>>
>>> As with AES the acceptor subkey is different from the initiator subkey,
>>> which means that the client may use a different session key for the
>>> signature.
>>
>> Ok, after looking at a network capture and the code,
>> I think we can fix lib/addns/dnsgss.c to work around the problem.
>>
>> Please review and push the attached patches.
>>
>> metze
>>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tmp.diff
Type: text/x-diff
Size: 3433 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20121113/a5fb6a3f/attachment.diff>
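The exchange the thread is about, as an added example that is not part of the original post and not Samba or libaddns code: a client signs a DNS UPDATE with TSIG and then either verifies the server's signed response or, as Kai describes for libaddns, takes it at face value. It uses plain RFC 2845 HMAC TSIG (hmac-sha256) rather than GSS-TSIG, and it models the direction-dependent AES subkeys metze mentions with two separate constructed keys (INITIATOR_KEY for the request, ACCEPTOR_KEY for the response), which is an assumption made for illustration; key name, keys and the time stamp are all constructed.

```python
"""Added example (not Samba/libaddns code): client-side verification of a
TSIG-signed DNS UPDATE round trip, and what a client that skips the check
accepts.  Plain RFC 2845 HMAC TSIG with hmac-sha256, not GSS-TSIG; the two
keys stand in for the per-direction subkeys of the GSS/AES case (assumption)."""
import hashlib
import hmac
import struct

ALGORITHM = "hmac-sha256."          # TSIG algorithm name (RFC 4635)
KEYNAME = "host.example.com."       # constructed TSIG key name
# Constructed keys.  Real HMAC TSIG shares one key both ways; two keys are used
# here only to model the acceptor subkey != initiator subkey situation.
ACCEPTOR_KEY = hashlib.sha256(b"constructed acceptor subkey").digest()
INITIATOR_KEY = hashlib.sha256(b"constructed initiator subkey").digest()


def encode_name(name: str) -> bytes:
    """Canonical (lower-cased, uncompressed) wire form of a domain name."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.lower().encode("ascii")
    return out + b"\x00"


def build_message(msg_id: int, flags: int, name: str, qtype: int, qclass: int) -> bytes:
    """Minimal DNS message: header plus one question/zone entry, in the form
    the digest covers, i.e. TSIG RR already removed from the additional
    section and ARCOUNT decremented (RFC 2845 3.4.1)."""
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def digest_input(request_mac, message, time_signed, fudge, error=0, other=b""):
    """Data covered by the TSIG MAC (RFC 2845 3.4): request MAC (responses
    only), the DNS message, then the TSIG variables."""
    parts = []
    if request_mac:
        parts.append(struct.pack("!H", len(request_mac)) + request_mac)
    parts.append(message)
    parts.append(encode_name(KEYNAME))
    parts.append(struct.pack("!HI", 255, 0))                 # CLASS=ANY, TTL=0
    parts.append(encode_name(ALGORITHM))
    parts.append(struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                             fudge, error, len(other)))      # 48-bit time signed
    parts.append(other)
    return b"".join(parts)


def tsig_sign(key, request_mac, message, time_signed, fudge) -> bytes:
    return hmac.new(key, digest_input(request_mac, message, time_signed, fudge),
                    hashlib.sha256).digest()


def tsig_verify(key, request_mac, message, time_signed, fudge, mac, now) -> bool:
    """Client-side check: time signed within fudge and MAC valid under our key."""
    if abs(now - time_signed) > fudge:
        return False
    expected = tsig_sign(key, request_mac, message, time_signed, fudge)
    return hmac.compare_digest(expected, mac)


NOW = 1352771416   # constructed "time signed" (seconds since epoch)
FUDGE = 300


def update_exchange(client_checks: bool, client_verify_key: bytes, forged: bool) -> bool:
    """One signed UPDATE round trip; returns whether the client accepts the
    response.  `forged` models an on-path attacker without the key who answers
    NOERROR with a bogus MAC."""
    # Client signs the UPDATE (opcode 5) with the initiator key.
    request = build_message(0x1234, 0x2800, "example.com.", 6, 1)    # zone SOA/IN
    request_mac = tsig_sign(INITIATOR_KEY, b"", request, NOW, FUDGE)
    # Response: QR=1, opcode 5, RCODE 0.  A genuine server signs it with the
    # acceptor key and folds the request MAC into the digest.
    response = build_message(0x1234, 0xA800, "example.com.", 6, 1)
    if forged:
        mac = bytes(32)
    else:
        mac = tsig_sign(ACCEPTOR_KEY, request_mac, response, NOW, FUDGE)
    if not client_checks:
        return True          # no client-side signature check: anything goes
    return tsig_verify(client_verify_key, request_mac, response, NOW, FUDGE, mac, NOW)


def main():
    print("genuine, verified with acceptor key :", update_exchange(True, ACCEPTOR_KEY, False))
    print("genuine, verified with initiator key:", update_exchange(True, INITIATOR_KEY, False))
    print("forged, verified                    :", update_exchange(True, ACCEPTOR_KEY, True))
    print("forged, not verified                :", update_exchange(False, ACCEPTOR_KEY, True))


if __name__ == "__main__":
    main()
```

The second case is the one the thread points at: a client that verifies the response with the key it used for the request rejects a perfectly good answer once the two directions use different keys, while a client that never verifies at all accepts the forged response in the last case.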