DNS TSIG updates need to check ACLs

simo idra at samba.org
Tue Nov 13 09:20:36 MST 2012


Hi Metze, they look good to me, but I thought Kai was going to look and
ack/nack them given he is the one most involved with DNS stuff.

If he doesn't reply shortly I'll push them.

Simo.

On Tue, 2012-11-13 at 09:10 +0100, Stefan (metze) Metzmacher wrote:
> Hi,
> 
> is it possible that someone reviews and pushes these patches?
> 
> Thanks!
> 
> metze
> 
> > Am 09.11.2012 09:11, schrieb Stefan (metze) Metzmacher:
> >> Am 09.11.2012 08:12, schrieb Stefan (metze) Metzmacher:
> >>> Am 08.11.2012 22:54, schrieb Kai Blin:
> >>>> On 2012-11-08 17:12, Andriy Syrovenko wrote:
> >>>>
> >>>> Hi Andriy,
> >>>>
> >>>>> I was thinking about filing a bug, but I am at a loss which product to
> >>>>> consider affected. S3? S4? BIND? Please advise.
> >>>>
> >>>> I think this is a BIND bug. It is, however, a bug we could work around
> >>>> in libaddns. I'm not sure what the other devs think.
> >>>>
> >>>> Any ideas? I don't like the workaround, but arguably libaddns never
> >>>> really checks the signature anyway, so the check that's happening is
> >>>> pretty useless.
> >>>>
> >>>> We will however run into this problem again in future if we ever switch
> >>>> to an implementation that follows the RFC for client-side GSS-TSIG checks.
> >>>
> >>> I think it's a bug that we don't check, and it might be the reason why some
> >>> people had problems using aes keys for dns updates.
> >>>
> >>> As with aes the acceptor subkey is different from the initiator subkey,
> >>> which means that the client may use a different session key for the
> >>> signature.
> >>
> >> Ok, after looking at a network capture and the code,
> >> I think we can fix lib/addns/dnsgss.c to work around the problem.
> >>
> >> Please review and push the attached patches.
> >>
> >> metze
> >>


-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>


