samba 4 dns update dynamic

Roberto Farias bettoguaruja at
Fri Feb 15 13:36:46 MST 2013

Samuel Cabrero <scabrero <at>> writes:

> Hi Roberto,
> I have a set of patches for the Samba DLZ and bind9 that allow updating 
> the zone using symmetric TSIG keys, working with ISC DHCP. It is a bit 
> tricky but works.
> The patch for bind9 is required to send the key to the DLZ 
> implementation, base64 encoded. The patch for the Samba DLZ includes a 
> bison parser to read the session key from /run/named/session.key and the 
> keys in the file /etc/bind/keys. Both keys are compared to allow or deny 
> the update.
> I am not sure about the security implications of this approach, maybe 
> someone could have a look at it and comment on it. You can find binary 
> packages for Ubuntu with the patches in 
> and 
> Cheers.

Hi Samuel,

In my tests with Debian 6.0.6 + Bind 9.8.1-P1 + Samba 4.0.3 (DLZ), I received
the following message in the log:

named[859]: samba_dlz: starting transaction on zone
named[859]: client update '' denied
named[859]: samba_dlz: canceling transaction on zone

I'll test Samba 4 on Ubuntu using the packages you mentioned.

Thanks for the help.
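
Added example, not part of the original messages and not Samuel's patch or Samba/BIND code: a sketch of the key comparison the quoted message describes, assuming the key files use BIND's `key "name" { algorithm ...; secret "..."; };` clause syntax and that the presented key arrives as a name, an algorithm and a base64 secret. The function names and the sample keys are constructed for illustration.

```python
import base64
import binascii
import hmac
import re

# Constructed sample in BIND's key-clause syntax (not real keys).
SAMPLE_KEYS = '''
# session key, in the layout of a session.key file (constructed)
key "local-ddns" {
    algorithm hmac-sha256;
    secret "c2Vzc2lvbi1rZXktZGVtbw==";
};
key "dhcp-update" {   // the secret below contains "//" on purpose
    algorithm hmac-md5;
    secret "////AAAA";
};
'''

# A quoted string or a comment, whichever starts first.
_TOKEN = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.DOTALL)
_CLAUSE = re.compile(
    r'\bkey\s+"?([^"\s{]+)"?\s*\{\s*'
    r'algorithm\s+"?([\w.-]+)"?\s*;\s*'
    r'secret\s+"([^"]*)"\s*;\s*\}\s*;')

def parse_keys(text):
    """Return {name: (algorithm, secret_bytes)}; raises on a bad base64 secret."""
    # Drop comments but keep quoted strings intact: base64 may contain "//".
    clean = _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else ' ', text)
    keys = {}
    for name, alg, secret in _CLAUSE.findall(clean):
        keys[name] = (alg.lower(), base64.b64decode(secret, validate=True))
    return keys

def update_allowed(keys, name, algorithm, secret_b64):
    """Allow only if name, algorithm and secret all match a configured key."""
    known = keys.get(name)
    if known is None:
        return False                      # unknown key name: deny
    try:
        presented = base64.b64decode(secret_b64, validate=True)
    except (binascii.Error, ValueError):
        return False                      # malformed key material: deny
    # Compare decoded bytes in constant time, never the base64 text.
    return known[0] == algorithm.lower() and hmac.compare_digest(known[1], presented)

if __name__ == "__main__":
    print(update_allowed(parse_keys(SAMPLE_KEYS), "dhcp-update", "hmac-md5", "////AAAA"))
```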
