DNS TSIG updates need to check ACLs

Andrew Bartlett abartlet at samba.org
Wed Sep 5 20:13:57 MDT 2012


Kai,

Just a reminder that with your GSS-TSIG work, you need to have the DNS
update code path check the ACL based on the session_info from the
ticket.

Otherwise, we would allow any user in the domain to update any record,
which wouldn't be a good thing.

Fortunately DNS updates are still denied by default, so there is no need
to panic.  The dlz_bind9 code at dlz_ssumatch seems to have the right
stuff for checking the ACL, if you don't want to re-open the ldb and let
our ACL layer do it. 

Having some tests with a GSS-TSIG client attempting to update records it
is allowed and not allowed to update would be a good way to ensure we
don't accidentally re-open this later. 

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
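
An added illustration, not part of the original message and not Samba code: a small Python model of the check the message asks for, where a valid GSS-TSIG signature only identifies the caller and a per-record ACL decides whether the update is applied. Every name here (SessionInfo, Zone, handle_update, the SIDs and hostnames) is hypothetical and constructed for the example, and a record with no ACL entry is assumed to be not writable.

```python
from dataclasses import dataclass, field

WRITE = 0x1                                    # constructed access bit for this model
PC1_SID = "S-1-5-21-1-2-3-1104"                # constructed SIDs, not real accounts
DC1_SID = "S-1-5-21-1-2-3-1000"

@dataclass(frozen=True)
class SessionInfo:
    """Identity taken from the Kerberos ticket behind the TSIG key (modelled)."""
    principal: str
    sids: frozenset

@dataclass
class Zone:
    allow_updates: bool = False                # updates stay denied by default
    acls: dict = field(default_factory=dict)   # record name -> {sid: access mask}
    records: dict = field(default_factory=dict)

def access_allowed(zone, session, name):
    """True if any SID in the session holds WRITE on the record's ACL."""
    acl = zone.acls.get(name, {})              # assumption: no ACL means no access
    return any(acl.get(sid, 0) & WRITE for sid in session.sids)

def handle_update(zone, session, tsig_ok, name, rdata):
    """Return a DNS rcode name; apply the change only when every check passes."""
    if not zone.allow_updates:
        return "REFUSED"
    if not tsig_ok or session is None:
        return "NOTAUTH"                       # bad signature: no identity to check
    # A valid signature only proves who is asking. Skipping this check would
    # let any authenticated domain user rewrite any record in the zone.
    if not access_allowed(zone, session, name):
        return "REFUSED"
    zone.records[name] = rdata
    return "NOERROR"

def sample_zone():
    """Constructed zone: each machine account may write only its own record."""
    return Zone(
        allow_updates=True,
        acls={"pc1.example.test": {PC1_SID: WRITE},
              "dc1.example.test": {DC1_SID: WRITE}},
        records={"pc1.example.test": "192.0.2.10",
                 "dc1.example.test": "192.0.2.1"},
    )
```

The allowed and denied cases are the two the message suggests covering with a GSS-TSIG client test.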



