[Samba] Secure dynamic update failure with internal DNS
d tbsky
tbskyd at gmail.com
Mon Nov 16 07:08:24 UTC 2015
2015-11-10 22:07 GMT+08:00 James <lingpanda101 at gmail.com>:
> It appears all versions of Samba 4.2.X allow secure updates. It's
>> transitioning to any version of Samba 4.3.X that prevents secure
>> updates. Looking at the Wireshark captures of a successful update
>>
>> https://www.cloudshark.org/captures/79e72c42de44
>>
>> I see two transactions concerning the TKEY. I also see the update
>> request from the client signed with the TSIG.
>>
>> Looking at a failed update
>>
>> https://www.cloudshark.org/captures/44f706b2cc61
>>
>> I see three transactions concerning the TKEY. I also am missing
>> the TSIG with the update request from the client. I do see a TSIG
>> with the TKEY exchange from the DC.
>>
>> The TSIG as far as I know, should not be sent in the additional
>> records section of the TKEY exchange. Secure update process fails
>> during the TKEY exchange. This causes the client to repeat the
>> whole DNS query exchange.
>>
>> The client should send the dynamic update request immediately
>> after the TKEY exchange has taken place. The lack of the TSIG with
>> the client update explains why Samba reports 'Update not allowed
>> for unsigned packet' on the second update request.
>>
>>
>> -- -James
>>
>
Hi,
Just upgraded to 4.3.1 and got the same issue. The good part is: after
reading your mail, I now understand better how secure DNS update is working.
Thanks a lot for your information.
Regards,
tbskyd
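
Added example, not part of either message and not Samba's code: a structural check for the symptom described in the quoted analysis, namely whether a DNS UPDATE carries a TSIG as the last record of its additional section. The sample packets, the `example.test` names and the zero-filled TSIG RDATA are constructed, and the MAC is not verified.

```python
import struct

TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
OPCODE_UPDATE = 5

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def rr(name, rtype, rclass, ttl, rdata):
    head = struct.pack("!HHIH", rtype, rclass, ttl, len(rdata))
    return encode_name(name) + head + rdata

def build_update(signed):
    # Constructed sample: UPDATE for zone example.test adding one A record.
    # The TSIG RDATA is a zero-filled placeholder, not a real signature.
    zone = encode_name("example.test") + struct.pack("!HH", TYPE_SOA, 1)
    upd = rr("host.example.test", TYPE_A, 1, 900, bytes([192, 0, 2, 10]))
    add = rr("key.example.test", TYPE_TSIG, 255, 0, b"\x00" * 16) if signed else b""
    hdr = struct.pack("!6H", 0x1234, OPCODE_UPDATE << 11, 1, 0, 1, 1 if signed else 0)
    return hdr + zone + upd + add

def skip_name(msg, off):
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + length

def classify(msg):
    """Return 'signed-update', 'unsigned-update' or 'not-update'."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):  # zone section entries: name, type, class
        off = skip_name(msg, off) + 4
    last_type = None
    for _ in range(an + ns + ar):  # walk every RR, remember the final type
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        last_type = rtype
    if (flags >> 11) & 0xF != OPCODE_UPDATE:
        return "not-update"
    # RFC 2845: a TSIG must be the last record of the additional section
    signed = ar > 0 and last_type == TYPE_TSIG
    return "signed-update" if signed else "unsigned-update"
```

An update request classified as `unsigned-update` has the same shape as the one the quoted analysis ties to 'Update not allowed for unsigned packet'.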