Can we please get the GSS-TSIG error fixed and testcase written for 4.0.5?

Thomas Simmons twsnnva at gmail.com
Thu Mar 28 02:52:57 MDT 2013


On Mon, Mar 25, 2013 at 2:21 AM, Andrew Bartlett <abartlet at samba.org> wrote:

> Michael,
>
> I'm wondering if I can call on your private offer to be a co-maintainer
> of the internal DNS server, and see if you can help sort out the
> GSS-TSIG issue Günter Kukkukk isolated earlier this year, that which
> causes GSS-TSIG errors with nsupdate due to us misunderstanding the TSIG
> protocol?
>
> There is already a patch (which may or may not be a small layering
> violation), but there isn't a way to test this currently, to ensure
> we don't fall back into 'fantasy crypto' like we currently do.
>
> We have the pieces - the addns lib can do the check, as I understand it,
> and while we don't want to use that library long-term for testing, we
> really just need to do something - anything, even at a black box level
> around our 'net dns' command - to walk this code and check it's right.
>
> Is there any chance you could take this on?  It would be really good to
> get this sorted for 4.0.5.
>
> Also, in the longer term, how do we want to maintain our DNS solutions?
> We have two under-maintained solutions, with both maintainers having
> other very important calls on their time.  (We also have the remote
> CNAME lookup issue pending).
>

Please do not forget about the MX record problem also:

https://bugzilla.samba.org/show_bug.cgi?id=9485

We originally deployed (classicupgrade) using Samba's internal DNS server;
it was specifically the lack of functioning CNAME and MX records that
forced our move to BIND9_DLZ. I can't speak for everyone, but MX records
are a much higher priority for me. In many cases CNAME records can be
replaced with A records - it just requires more time spent maintaining
these records. There is no way to work around not having MX records under
any circumstances.

I'm now digging into what appears to be a 32-bit (Linux) specific problem
with MX records (INTERNAL and BIND9_DLZ). On a clean install of CentOS 6.x
32-bit or Ubuntu 12.04 and Samba 4 (all releases), I can create, but not
delete MX records OOTB.

https://lists.samba.org/archive/samba/2013-March/172319.html

In the process of troubleshooting this problem, I restored to a 64-bit
system and was instantly able to delete the MX records. Further testing
shows I can 100% duplicate the (MX) problem on a clean CentOS or Ubuntu +
Samba4 compile/provision. So far I've duplicated this on CentOS 6.3, 6.4
and Ubuntu 12.04 with all versions of Samba4 (4.0.0 - 4.0.4) on both a
physical system (Pentium 4) and in a VM. I'm not yet sure how, or if, the
MX problem and clients suddenly failing to update DNS are related.

Thanks,
>
> Andrew Bartlett
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
>
>
>

