The branch, v4-3-test has been updated
       via  f5bb81a s4/dns_server: disable signing of DNS-TKEY responses
      from  c20c7bf s3: docs: Fix "strict rename" doc to match code.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-3-test


- Log -----------------------------------------------------------------
commit f5bb81a920b5a2504ea77c7c931d214fb0bfaf76
Author: Stefan Metzmacher <[email protected]>
Date:   Wed May 11 17:53:36 2016 +0200

    s4/dns_server: disable signing of DNS-TKEY responses
    
    DNS packet signing is broken in 4.3 and older. Fixes are available in
    master and 4.4. Backporting the complete patchset turned out to be too
    difficult, so we use this hack to get authenticated DDNS updates working
    again.
    
    By simply NOT signing out DNS-TKEY response, the client won't get a
    broken DNS-TSIG record which caused the client to not start the
    authenticated DDNS update.
    
    DNS RFCs do require signing TKEY responses, but luckily real world
    clients are forgiving and accept unsigned TKEY responses. This was
    tested with Windows 7.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Ralph Boehme <[email protected]>
    
    Autobuild-User(v4-3-test): Karolin Seeger <[email protected]>
    Autobuild-Date(v4-3-test): Thu Jun 23 15:35:39 CEST 2016 on sn-devel-104

-----------------------------------------------------------------------

Summary of changes:
 source4/dns_server/dns_query.c | 1 -
 1 file changed, 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c
index 9e30b71..2795dd2 100644
--- a/source4/dns_server/dns_query.c
+++ b/source4/dns_server/dns_query.c
@@ -525,7 +525,6 @@ static WERROR handle_tkey(struct dns_server *dns,
                        ret_tkey->rdata.tkey_record.key_data = 
talloc_memdup(ret_tkey,
                                                                reply.data,
                                                                reply.length);
-                       state->sign = true;
                        state->key_name = talloc_strdup(state->mem_ctx, 
tkey->name);
                        if (state->key_name == NULL) {
                                return WERR_NOMEM;
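Review bot: The deletion of `state->sign = true;` in handle_tkey() leaves no trace in the code that the TKEY response is deliberately sent unsigned, so a later reader comparing this branch with master or 4.4 could take it for an omission and restore the line. A short comment at that spot would help, stating that signing is intentionally skipped on this branch as a workaround and pointing to bug 11520, since the commit message itself notes that the DNS RFCs require signed TKEY responses. Separately, in the unchanged context above, the result of `talloc_memdup(ret_tkey, reply.data, reply.length)` assigned to `key_data` is not checked for NULL in the visible lines, while the `talloc_strdup()` result for `state->key_name` right below it is; the same `WERR_NOMEM` return would be consistent there.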


-- 
Samba Shared Repository
