Can we please get the GSS-TSIG error fixed and testcase written for 4.0.5?
Günter Kukkukk
linux at kukkukk.com
Mon Mar 25 23:00:57 MDT 2013
On Monday, 25 March 2013, 07:21:02, Andrew Bartlett wrote:
> Michael,
>
> I'm wondering if I can call on your private offer to be a co-maintainer
> of the internal DNS server, and see if you can help sort out the
> GSS-TSIG issue Günter Kukkukk isolated earlier this year, which
> causes GSS-TSIG errors with nsupdate due to us misunderstanding the TSIG
> protocol?
>
> There is already a patch (which may or may not be a small layering
> violation), but there isn't a way to test this currently, to ensure
> we don't fall back into 'fantasy crypto' like we currently do.
>
> We have the pieces - the addns lib can do the check, as I understand it,
> and while we don't want to use that library long-term for testing, we
> really just need to do something - anything, even at a black box level
> around our 'net dns' command - to walk this code and check it's right.
>
> Is there any chance you could take this on? It would be really good to
> get this sorted for 4.0.5.
>
> Also, in the longer term, how do we want to maintain our DNS solutions?
> We have two under-maintained solutions, with both maintainers having
> other very important calls on their time. (We also have the remote
> CNAME lookup issue pending).
>
> Thanks,
>
> Andrew Bartlett
I've started again working on *current* dns issues.
Sure, there should be a testcase for the nsupdate -g TSIG-error...
The internal dns server _does_ the secure update - but responds
with an invalid packet. Often named on IRC as a "cosmetic" error - to
me a "fatal" error during a secure exchange...
BUT - atm my focus is more on other (really ugly) _failing_ dyn.
dns updates (no matter, whether secure or non-secure).
Atm the internal dns server does _not_ delete a DB dns entry when
the res_count drops to zero - with fatal errors when that entry
is used again later on - which _often_ happens in reality.
A simple one:
- add an A record
- delete that A record
- add the same A record again
does NOT work!
Same happens with CNAME records pointing to such
a stale (leftover) entry.
(a CNAME alias name cannot be an existing name - here it
often fails referring to such stale entries)
Note - I'm not talking about samba-tool dns [add/delete...] !!!
(more about how the client(s) behave ...)
So DO NOT use samba-tool .... to check this ....
I've a patch for this one - doing tests atm.
Cheers, Günter
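The two client sequences Günter describes (add an A record, delete it, add it again; and a CNAME whose alias name collides with a stale, record-less entry) are exactly the kind of regression test Andrew asks for. The following is an added, constructed example and not code from Samba or from either author: `DnsStore` is a hypothetical in-memory stand-in for the server's name -> records database, and `keep_empty_nodes=True` reproduces only the shape of the reported bug (a name node kept after its record count drops to zero). The exact error path the real server takes on a stale node is not described in the message, so the "stale node" error below is a stand-in for the symptom. Sample names and addresses are constructed.

```python
from dataclasses import dataclass


class DnsError(Exception):
    """Raised where the real server would return an update error."""


@dataclass(frozen=True)
class Record:
    rtype: str  # "A" or "CNAME"
    data: str   # address for A, target name for CNAME


class DnsStore:
    """Hypothetical stand-in for the name -> records database (assumption).

    keep_empty_nodes=True models the reported bug: a name node survives
    after its last record is deleted, so its record count is zero but the
    name still "exists".
    """

    def __init__(self, keep_empty_nodes: bool) -> None:
        self.keep_empty_nodes = keep_empty_nodes
        self.nodes: dict[str, list[Record]] = {}

    def name_exists(self, name: str) -> bool:
        # Existence is decided by the node, not by its record count, so a
        # stale empty node still counts as an existing name.
        return name in self.nodes

    def records(self, name: str) -> list[Record]:
        return list(self.nodes.get(name, []))

    def add(self, name: str, rtype: str, data: str) -> None:
        # DNS rule quoted in the message: a CNAME alias name cannot be an
        # existing name. With a stale node left behind, this check fires.
        if rtype == "CNAME" and self.name_exists(name):
            raise DnsError(f"{name}: CNAME alias name cannot be an existing name")
        node = self.nodes.get(name)
        if node is not None and not node:
            # Constructed stand-in for the failure on a stale entry; the
            # message reports the symptom, not the server's exact error path.
            raise DnsError(f"{name}: stale node with zero records")
        if node is not None and any(r.rtype == "CNAME" for r in node):
            raise DnsError(f"{name}: name already holds a CNAME")
        self.nodes.setdefault(name, []).append(Record(rtype, data))

    def delete(self, name: str, rtype: str, data: str) -> None:
        node = self.nodes.get(name)
        if node is None:
            raise DnsError(f"{name}: no such name")
        try:
            node.remove(Record(rtype, data))
        except ValueError:
            raise DnsError(f"{name}: no such record") from None
        # The fix: drop the node once its record count reaches zero.
        if not node and not self.keep_empty_nodes:
            del self.nodes[name]


def run_regression(store: DnsStore) -> list[str]:
    """Replay the two client sequences from the message; return the failures."""
    failures: list[str] = []

    # 1. add an A record, delete it, add the same A record again
    store.add("host", "A", "10.0.0.1")      # constructed sample data
    store.delete("host", "A", "10.0.0.1")
    try:
        store.add("host", "A", "10.0.0.1")
    except DnsError as e:
        failures.append(f"add/delete/add: {e}")

    # 2. delete the only record of a name, then use that name as a CNAME alias
    store.add("alias", "A", "10.0.0.2")
    store.delete("alias", "A", "10.0.0.2")
    try:
        store.add("alias", "CNAME", "host")
    except DnsError as e:
        failures.append(f"cname-after-delete: {e}")

    return failures


if __name__ == "__main__":
    for label, keep in (("buggy", True), ("fixed", False)):
        print(label, run_regression(DnsStore(keep_empty_nodes=keep)))
```

Run against the buggy store both sequences fail, against the fixed store both pass; the same two sequences could be driven through a real client (nsupdate or `net dns`) against a test server to turn this model into a black-box test.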