DNS TSIG updates need to check ACLs
Andrew Bartlett
abartlet at samba.org
Wed Nov 14 03:21:07 MST 2012
On Wed, 2012-11-14 at 08:05 +0100, Kai Blin wrote:
> On 2012-11-13 17:20, simo wrote:
> > Hi Metze, they look good to me, but I thought Kai was going to look
> > and ack/nack them given he is the one most involved with DNs
> > stuff.
>
> Well, I don't like them, but it's easier to work around the BIND bug
> on our side than get every BIND version out there fixed, and arguably
> libaddns doesn't ever do anything with the signature.
>
> I'm concerned that we'll regress once we phase out libaddns in favour
> of libcli/dns once the gss-tsig logic is also implemented there, but
> we'll just have to deal with that when we get there.
>
> There's no value in not making this work for our users.
On all of the above I totally agree.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba-technical
mailing list