DNS TSIG updates need to check ACLs

Amitay Isaacs amitay at gmail.com
Thu Nov 8 17:16:23 MST 2012


Hi Andriy/Kai,

On Fri, Nov 9, 2012 at 8:54 AM, Kai Blin <kai at samba.org> wrote:
> On 2012-11-08 17:12, Andriy Syrovenko wrote:
>
> Hi Andriy,
>
>> I was thinking about filing a bug, but I am at a loss which product to
>> consider affected. S3? S4? BIND? Please advise.
>
> I think this is a BIND bug. It is, however, a bug we could work around
> in libaddns. I'm not sure what the other devs think.
>
> Any ideas? I don't like the workaround, but arguably libaddns never
> really checks the signature anyway, so the check that's happening is
> pretty useless.
>
> We will however run into this problem again in future if we ever switch
> to an implementation that follows the RFC for client-side GSS-TSIG checks.

I have reproduced the issue where net ads join is not able to update a
DNS record.  I will have to check with Andrew Bartlett for details on
how to fix this, since the GSS-TSIG verification is being done using the
gensec API. Unless, Kai, you have any suggestions on how to fix this.

Amitay.
