DNS TSIG updates need to check ACLs
Kai Blin
kai at samba.org
Thu Sep 6 16:04:57 MDT 2012
On 2012-09-06 13:23, Kai Blin wrote:
Hi Andriy,
this is a bit more complicated. The TKEY RFC (2930) claims "Except for
GSS-API mode, TKEY responses MUST always have DNS transaction
authentication", so the TSIG is optional (see RFC2930, page 7).
However, the GSS-TSIG RFC (3645) claims "the message MUST be signed with
a TSIG record" (see RFC3645, page 14). So it looks like we're in a bit
of a mess.
I would still claim that we want to stick to the later RFC. But, seeing
how libaddns does not verify the signature anyway, insisting on the
signature seems a bit silly.
Let me think about this a little more, please.
Cheers,
Kai
--
Kai Blin
Worldforge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin
Samba team member http://www.samba.org/samba/team/
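An added example, not part of the original message and not Samba or libaddns code: a minimal wire-format check for whether a TKEY response carries a TSIG record as the last record of its additional section, which is the condition the RFC 3645 wording insists on. It tests presence only and does not verify the MAC; the sample messages, the name "key.example" and the placeholder RDATA are constructed for illustration.

```python
import struct

TYPE_TKEY, TYPE_TSIG = 249, 250  # RR type codes from RFC 2930 and RFC 2845

def _skip_name(msg, off):
    """Return the offset just past the domain name starting at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1 + length
        if length == 0:             # root label ends the name
            return off

def tkey_tsig_presence(msg):
    """Return (has_tkey_answer, tsig_is_last_additional) for a raw DNS message."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):             # question: name + qtype + qclass
        off = _skip_name(msg, off) + 4
    has_tkey = tsig_last = False
    total = an + ns + ar
    for i in range(total):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if off > len(msg):
            raise ValueError("truncated record")
        if i < an and rtype == TYPE_TKEY:
            has_tkey = True
        # TSIG only counts when it is the final record of the additional section
        tsig_last = ar > 0 and i == total - 1 and rtype == TYPE_TSIG
    return has_tkey, tsig_last

# Constructed sample messages (placeholder RDATA, hypothetical name "key.example")
def _name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"

def _rr(rtype, rdata):
    return _name("key.example") + struct.pack("!HHIH", rtype, 255, 0, len(rdata)) + rdata

def build_sample(signed):
    hdr = struct.pack("!6H", 0x1234, 0x8000, 1, 1, 0, 1 if signed else 0)
    question = _name("key.example") + struct.pack("!HH", TYPE_TKEY, 255)
    tsig = _rr(TYPE_TSIG, b"\x00" * 16) if signed else b""
    return hdr + question + _rr(TYPE_TKEY, b"\x00" * 16) + tsig
```

A client that treats `(True, False)` as acceptable is following the RFC 2930 reading; rejecting it follows RFC 3645.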