DNS TSIG updates need to check ACLs

Stefan (metze) Metzmacher metze at samba.org
Tue Nov 13 09:23:58 MST 2012 

Hi Simo,

> Hi Metze, they look good to me, but I thought Kai was going to look and
> ack/nack them given he is the one most involved with DNs stuff.
> 
> If he doesn't reply shortly I'll push them.

Thanks, but Andrew already pushed them.

metze

> On Tue, 2012-11-13 at 09:10 +0100, Stefan (metze) Metzmacher wrote:
>> Hi,
>>
>> is it possible that someone review and push this patches?
>>
>> Thanks!
>>
>> metze
>>
>>> Am 09.11.2012 09:11, schrieb Stefan (metze) Metzmacher:
>>>> Am 09.11.2012 08:12, schrieb Stefan (metze) Metzmacher:
>>>>> Am 08.11.2012 22:54, schrieb Kai Blin:
>>>>>> On 2012-11-08 17:12, Andriy Syrovenko wrote:
>>>>>>
>>>>>> Hi Andriy,
>>>>>>
>>>>>>> I was thinking about filing a bug, but I am at a loss which product to
>>>>>>> consider affected. S3? S4? BIND? Please advise.
>>>>>>
>>>>>> I think this is a BIND bug. It is, however, a bug we could work around
>>>>>> in libaddns. I'm not sure what the other devs think.
>>>>>>
>>>>>> Any ideas? I don't like the workaround, but arguably libaddns never
>>>>>> really checks the signature anyway, so the check that's happening is
>>>>>> pretty useless.
>>>>>>
>>>>>> We will however run into this problem again in future if we ever switch
>>>>>> to an implementation that follows the RFC for client-side GSS-TSIG checks.
>>>>>
>>>>> I think it's a bug that we don't check, and it might the reason why some
>>>>> people
>>>>> had problems using aes keys for dns updates.
>>>>>
>>>>> As with aes the acceptor subkey is different from the initiator subkey,
>>>>> which means that the client may use a different session key for the
>>>>> signature.
>>>>
>>>> Ok, after looking at a network capture and the code,
>>>> I think we can fix lib/addns/dnsgss.c to work arround the problem.
>>>>
>>>> Please review and push the attached patches.
>>>>
>>>> metze
>>>>
> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 259 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20121113/2d66600b/attachment.pgp>

More information about the samba-technical mailing list