DNS TSIG updates need to check ACLs

Kai Blin kai at samba.org
Thu Sep 6 05:23:31 MDT 2012


On 2012-09-06 12:41, Andriy Syrovenko wrote:

Hi Andriy,

> Well, resending the 4th time...

Sorry, I must have missed this before, but libaddns wasn't on my radar
until I spent last weekend in its guts.

> The following patch (tested against Samba 3.6.5 - 3.6.7) fixes the very
> same issue for me. I.e. without this patch DDNS updates against S4 (tested
> with a14, a20 and several betas) always fail, while Windows clients (XP,
> Vista, 7 both x32 and x64) do update their DNS records without problem.
> 
> diff -urN samba-3.6.5/lib/addns/dnsgss.c
> samba-3.6.5.fixed/lib/addns/dnsgss.c
> --- samba-3.6.5/lib/addns/dnsgss.c    2012-04-27 21:25:33.000000000 +0300
> +++ samba-3.6.5.fixed/lib/addns/dnsgss.c    2012-05-12 23:47:50.000000000
> +0300
> @@ -175,7 +175,7 @@
>               * TODO: Compare id and keyname
>               */
> 
> -            if ((resp->num_additionals != 1) ||
> +            if (/*(resp->num_additionals != 1) ||*/
>                  (resp->num_answers == 0) ||
>                  (resp->answers[0]->type != QTYPE_TKEY)) {
>                  err = ERROR_DNS_INVALID_MESSAGE;
> 
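Review bot: commenting out the `resp->num_additionals != 1` condition, rather than correcting whatever produces the mismatch, removes the only structural guard here that the TKEY reply carries its TSIG record in the additional section, so a reply with no additional record at all would now pass this check and reach the code below it; the `/* ... */` also leaves dead code inside the condition. If the server under test legitimately returns a different count, the fix belongs in a more precise check (for example requiring at least one additional record and that the last one is a TSIG RR) paired with actual verification of that record, not in dropping the count test; the `TODO: Compare id and keyname` immediately above shows this validation is already thinner than it should be. Separately, the `diff -urN` and `+++` header lines have been wrapped by the mailer, so the patch as pasted will not apply cleanly; attach it as a file instead.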

I don't think this is valid. According to the TKEY RFC, TKEY replies
MUST be signed, and the TSIG signature is in the additional records.
Against the internal server, this check passes. I'm not sure if BIND
does the correct thing there, and I'm pretty sure that nsupdate doesn't
check for the signature. Maybe Windows clients ignore it, too. The
interesting question would be what the number of additional records is,
in your case. Can you get me a network capture of this?

Cheers,
Kai

-- 
Kai Blin
Worldforge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin
Samba team member http://www.samba.org/samba/team/
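To make concrete what the check in the quoted hunk inspects and what "the number of additional records" in a capture means, here is an added example, not code from Samba or libaddns. It builds a constructed TKEY response in DNS wire format (the TKEY and TSIG rdata are zero-filled placeholders, not real GSS tokens or MACs), parses the header counts and the record types in each section, and applies the same structural test libaddns does, plus the RFC 2845 rule that the TSIG RR is the last record of the additional section. It checks structure only; it does not verify the TSIG MAC.

```python
import struct

QTYPE_TKEY = 249   # RFC 2930
QTYPE_TSIG = 250   # RFC 2845
QCLASS_ANY = 255


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_sections(msg):
    """Return header counts and a list of (section, rrtype) for every RR."""
    msg_id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4   # qtype + qclass
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            rrtype, _rrclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            records.append((section, rrtype))
    if off != len(msg):
        raise ValueError("truncated message or trailing bytes")
    return {"id": msg_id, "num_answers": an, "num_additionals": ar, "records": records}


def check_tkey_response(msg):
    """Mirror the libaddns sanity check; return (ok, reason)."""
    p = parse_sections(msg)
    answers = [t for s, t in p["records"] if s == "answer"]
    additionals = [t for s, t in p["records"] if s == "additional"]
    if p["num_answers"] == 0 or answers[0] != QTYPE_TKEY:
        return False, "first answer is not a TKEY record"
    if p["num_additionals"] != 1:
        return False, "expected exactly one additional record, got %d" % p["num_additionals"]
    if additionals[-1] != QTYPE_TSIG:
        return False, "last additional record is not a TSIG signature"
    return True, "TKEY answer signed by a TSIG record in the additional section"


def build_response(msg_id, extra_additionals=0, sign=True):
    """Constructed TKEY response; rdata are zero-filled placeholders."""
    name = encode_name("1234-ms-7.example.com.")      # constructed TKEY key name
    arcount = (1 if sign else 0) + extra_additionals
    hdr = struct.pack("!HHHHHH", msg_id, 0x8180, 1, 1, 0, arcount)
    question = name + struct.pack("!HH", QTYPE_TKEY, QCLASS_ANY)
    tkey_rdata = b"\x00" * 16
    answer = name + struct.pack("!HHIH", QTYPE_TKEY, QCLASS_ANY, 0, len(tkey_rdata)) + tkey_rdata
    extras = b""
    for _ in range(extra_additionals):   # e.g. a gratuitous A record before the TSIG
        extras += encode_name("host.example.com.") + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([10, 0, 0, 1])
    tsig = b""
    if sign:
        tsig_rdata = b"\x00" * 16
        tsig = name + struct.pack("!HHIH", QTYPE_TSIG, QCLASS_ANY, 0, len(tsig_rdata)) + tsig_rdata
    return hdr + question + answer + extras + tsig


if __name__ == "__main__":
    for label, msg in (("signed", build_response(1)),
                       ("unsigned", build_response(2, sign=False)),
                       ("extra additional", build_response(3, extra_additionals=1))):
        print(label, parse_sections(msg)["num_additionals"], check_tkey_response(msg))
```

Running a real capture through `parse_sections` answers the question in the reply above: the count reported as `num_additionals` is what the `!= 1` test compares against. The "extra additional" case shows the situation the quoted patch would have let through: the TSIG is still present and last, but the count is 2, so a more precise check would have to look at the record types rather than just the count.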

