DNS TSIG updates need to check ACLs
abartlet at samba.org
Wed Sep 5 20:13:57 MDT 2012
Just a reminder that with your GSS-TSIG work, you need to have the DNS
update code path check the ACL based on the session_info from the
Otherwise, we would allow any user in the domain to update any record,
which wouldn't be a good thing.
Fortunately DNS updates are still denied by default, so there is no need
to panic. the dlz_bind9 code at dlz_ssumatch seems to have the right
stuff for checking the ACL, if you don't want to re-open the ldb and let
our ACL layer do it.
Having some tests with a GSS-TSIG client attempting to update records it
is allowed and not allowed to update would be a good way to ensure we
don't accidentally re-open this later.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba-technical