samba 4 dns update dynamic

Roberto Farias bettoguaruja at hotmail.com
Fri Feb 15 13:36:46 MST 2013


Samuel Cabrero <scabrero <at> zentyal.com> writes:

> 
> Hi Roberto,
> 
> I have a set of patches for the samba DLZ and bind9 that allow updating 
> the zone using symmetric TSIG keys, working with ISC DHCP. It is a bit 
> tricky but works.
> 
> The patch for bind9 is required to send the key to the DLZ 
> implementation, base64 encoded. The patch for the samba DLZ includes a 
> bison parser to read the session key from /run/named/session.key and the 
> keys in the file /etc/bind/keys. Both keys are compared to allow or deny 
> the update.
> 
> I am not sure about the security implications of this approach; maybe 
> someone could have a look at it and comment on it. You can find binary 
> packages for Ubuntu with the patches in 
> https://launchpad.net/~kernevil/+archive/bind9 and 
> https://launchpad.net/~kernevil/+archive/samba4-bundled
> 
> Cheers.
> 

Hi Samuel,

In my tests with Debian 6.0.6 + Bind 9.8.1-P1 + Samba 4.0.3 (DLZ), I received
the following message in the log:

named[859]: samba_dlz: starting transaction on zone example.com
named[859]: client 192.168.200.100#48738: update 'example.com/IN' denied
named[859]: samba_dlz: canceling transaction on zone example.com

I'll test Samba 4 on Ubuntu using the packages you mentioned.

Thanks for the help.
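
An added illustration, not part of either message and not the code in Samuel's patches: the allow/deny key comparison described in the quoted reply, sketched in Python. The `key { algorithm; secret; }` clause syntax is BIND's; the function names and sample secrets are constructed here, and comparing decoded bytes in constant time is this example's assumption, not a statement about what the patches do.

```python
import base64
import binascii
import hmac
import re

# BIND key clause: key "name" { algorithm X; secret "base64"; };
KEY_RE = re.compile(
    r'key\s+"?([^"\s{]+)"?\s*\{\s*'
    r'algorithm\s+"?([\w.-]+)"?\s*;\s*'
    r'secret\s+"([^"]*)"\s*;\s*\}\s*;',
    re.IGNORECASE,
)

def _decode(b64_text):
    """Strictly decode base64; return None for malformed or empty input."""
    try:
        raw = base64.b64decode(b64_text, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw or None

def parse_keys(text):
    """Return {name: (algorithm, secret_bytes)} for each usable key clause."""
    keys = {}
    for name, alg, secret in KEY_RE.findall(text):
        raw = _decode(secret)
        if raw is not None:  # skip clauses whose secret cannot be decoded
            keys[name] = (alg.lower(), raw)
    return keys

def update_allowed(presented_b64, keys):
    """True if the key presented with the update equals a configured secret."""
    presented = _decode(presented_b64)
    if presented is None:
        return False  # fail closed on empty or malformed keys
    allowed = False
    for _alg, secret in keys.values():
        # Compare decoded bytes (base64 text is not canonical), in constant
        # time, and without stopping at the first match.
        allowed |= hmac.compare_digest(presented, secret)
    return allowed

# Constructed sample data standing in for the session key and DHCP key files.
SESSION_SECRET = base64.b64encode(b"constructed-session-secret").decode()
DHCP_SECRET = base64.b64encode(b"constructed-dhcp-secret").decode()
SESSION_KEY = ('key "local-ddns" {\n\talgorithm hmac-sha256;\n'
               '\tsecret "%s";\n};\n' % SESSION_SECRET)
DHCP_KEYS = 'key dhcp-update { algorithm hmac-md5; secret "%s"; };\n' % DHCP_SECRET
```

A check of this shape authorizes on possession of the secret alone, so the permissions on both key files decide who can update the zone.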



More information about the samba-technical mailing list