Merge Request - DNS updates allow/deny for SAMBA_INTERNAL dns server. Help PLEASE!

Matt Grant matt at mattgrant.net.nz
Fri Jul 22 07:02:01 UTC 2022


Hi All!

Want comments on code changes, and what further tests are required for
Samba test suite. It's been some time since my first MR, and this one is a
major for the required test complexity?

Uri, would you be able to help me out again please to help get this
finished?
Thank you!

Mechanism for DNS update host/rrnet allow/deny lists. Three functions
dns_update_check_access(), dns_update_get_caddr() (gets subject address
for check from A, AAAA, and PTR records), and
dns_update_ipaddr_check_access() are backended by allow_access_flag_lo()
from lib/util/access.c using the already existing host allow/deny access
mechanism.

The motivation for this is to control what DNS dynamic updates get added
to the SAMBA_INTERNAL DNS in SOHO setups. Without this IPv6 dynamic
addresses from your ISP IPv6 delegated prefix end up in the AD DNS,
even when you have specified an fd00::/16 ULA prefix or RFC 1918 IPv4....
The dns update rrnet allow/deny lists are used for this, in combination
with an interfaces = lo fd14:beee:baaa::DEAD::BEEF/64 statement. Forward
and reverse DNS zones are supported.

Support for clients NOT updating the DNS, but a router running a DHCP
server with a dynamic DNS update client was added via the
dns updates ip auth allow/deny and dns updates allow/deny parameters.

Thus this patch gives SAMBA_INTERNAL dns server the best of both the above
setups, making it as flexible as using Samba with Bind9 DLZ.

How would I test access lists for update source, and
auth by IP number?  Can't see how in test suite to bind update request
to a source IP address.
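
Added example, not part of the original message and not code from the patch: a Python model of the record-address check described above, taking the subject address from A, AAAA and PTR records and testing it against allow/deny network lists. The function names, the sample prefixes and the precedence rules (modelled on Samba's documented hosts allow / hosts deny behaviour) are assumptions.

```python
import ipaddress

HEX = set("0123456789abcdef")

def subject_address(rtype, owner, rdata):
    """Address to check: rdata for A/AAAA, the owner name for PTR."""
    if rtype in ("A", "AAAA"):
        return ipaddress.ip_address(rdata)
    if rtype != "PTR":
        return None  # this record type carries no address
    labels = owner.rstrip(".").lower().split(".")
    head, zone = labels[:-2], labels[-2:]
    if zone == ["in-addr", "arpa"] and len(head) == 4:
        return ipaddress.IPv4Address(".".join(reversed(head)))
    if zone == ["ip6", "arpa"] and len(head) == 32 and all(n in HEX for n in head):
        return ipaddress.IPv6Address(int("".join(reversed(head)), 16))
    raise ValueError("not a full reverse-zone name: " + owner)

def check_access(addr, allow, deny):
    """Assumed precedence, modelled on hosts allow / hosts deny."""
    hit = lambda nets: any(addr in ipaddress.ip_network(n) for n in nets)
    if not allow and not deny:
        return True            # no lists: everything passes
    if allow and hit(allow):
        return True            # allow list wins over deny list
    if deny:
        return not hit(deny)   # unlisted passes unless denied
    return False               # allow list only: unlisted is refused

def update_allowed(rtype, owner, rdata, allow, deny):
    addr = subject_address(rtype, owner, rdata)
    # Assumption: records without an address are not filtered by these lists.
    return True if addr is None else check_access(addr, allow, deny)

# Constructed sample data: a ULA /64 and an RFC 1918 /24 are allowed;
# 2001:db8::/32 (documentation prefix) stands in for an ISP-delegated prefix.
ALLOW = ["fd12:3456:789a::/64", "192.168.1.0/24"]
ISP_PTR = ipaddress.ip_address("2001:db8:1::10").reverse_pointer

if __name__ == "__main__":
    for rec in [("AAAA", "pc1.example.test", "fd12:3456:789a::10"),
                ("AAAA", "pc1.example.test", "2001:db8:1::10"),
                ("PTR", ISP_PTR, "pc1.example.test."),
                ("PTR", "10.1.168.192.in-addr.arpa.", "pc1.example.test.")]:
        print(rec[0], rec[1], "->", update_allowed(*rec, ALLOW, []))
```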

