DNS TSIG updates need to check ACLs

Kai Blin kai at samba.org
Thu Sep 6 16:04:57 MDT 2012

On 2012-09-06 13:23, Kai Blin wrote:
Hi Andriy,

this is a bit more complicated. The TKEY RFC (2930) claims "Except for
GSS-API mode, TKEY responses MUST always have DNS transaction
authentication", so the TSIG is optional (see RFC2930, page 7).
However, the GSS-TSIG RFC (3645) claims "the message MUST be signed with
a TSIG record" (see RFC3645, page 14). So it looks like we're in a bit
off a mess.

I would still claim that we want to stick to the later RFC. But, seeing
how libaddns does not verify the signature anyway, insisting on the
signature seems a bit silly.

Let me think about this a little more, please.

Kai Blin
Worldforge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin
Samba team member http://www.samba.org/samba/team/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 259 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120907/b6400f58/attachment.pgp>

More information about the samba-technical mailing list