DNS TSIG updates need to check ACLs

Andrew Bartlett abartlet at samba.org
Wed Nov 14 03:21:07 MST 2012

On Wed, 2012-11-14 at 08:05 +0100, Kai Blin wrote:
> On 2012-11-13 17:20, simo wrote:
> > Hi Metze, they look good to me, but I thought Kai was going to look
> > and ack/nack them given he is the one most involved with DNs
> > stuff.
> Well, I don't like them, but it's easier to work around the BIND bug
> on our side than get every BIND version out there fixed, and arguably
> libaddns doesn't ever do anything with the signature.
> I'm concerned that we'll regress once we phase out libaddns in favour
> of libcli/dns once the gss-tsig logic is also implemented there, but
> we'll just have to deal with that when we get there.
> There's no value in not making this work for our users.

On all of the above I totally agree.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba-technical mailing list