DNS TSIG updates need to check ACLs

Andrew Bartlett abartlet at samba.org
Wed Sep 5 20:13:57 MDT 2012


Just a reminder that with your GSS-TSIG work, you need to have the DNS
update code path check the ACL based on the session_info from the

Otherwise, we would allow any user in the domain to update any record,
which wouldn't be a good thing.

Fortunately DNS updates are still denied by default, so there is no need
to panic.  the dlz_bind9 code at dlz_ssumatch seems to have the right
stuff for checking the ACL, if you don't want to re-open the ldb and let
our ACL layer do it. 

Having some tests with a GSS-TSIG client attempting to update records it
is allowed and not allowed to update would be a good way to ensure we
don't accidentally re-open this later. 


Andrew Bartlett
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba-technical mailing list