Attachment 12198 Details for Bug 11520 – Patch for 4.3

[patch] Patch for 4.3

v43-hack-dns-tsig.patch (text/plain), 1.47 KB, created by Ralph Böhme on 2016-06-22 08:55:17 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Ralph Böhme

Created: 2016-06-22 08:55:17 UTC

Size: 1.47 KB

patch

obsolete

>From 91975b847ad7a59b4151443eb9f5e3a573c14258 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 11 May 2016 17:53:36 +0200
>Subject: [PATCH] s4/dns_server: disable signing of DNS-TKEY responses
>
>DNS packet signing is broken in 4.3 and older. Fixes are available in
>master and 4.4. Backporting the complete patchset turned out to be too
>difficult, so we use this hack to get authenticated DDNS updates working
>again.
>
>By simply NOT signing out DNS-TKEY response, the client won't get a
>broken DNS-TSIG record which caused the client to not start the
>authenticated DDNS update.
>
>DNS RFCs do require signing TKEY responses, but luckily real world
>clients are forgiving and accept unsigned TKEY responses. This was
>tested with Windows 7.
>
>Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>---
> source4/dns_server/dns_query.c | 1 -
> 1 file changed, 1 deletion(-)
>
>diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c
>index 9e30b71..2795dd2 100644
>--- a/source4/dns_server/dns_query.c
>+++ b/source4/dns_server/dns_query.c
>@@ -525,7 +525,6 @@ static WERROR handle_tkey(struct dns_server *dns,
> 			ret_tkey->rdata.tkey_record.key_data = talloc_memdup(ret_tkey,
> 								reply.data,
> 								reply.length);
>-			state->sign = true;
> 			state->key_name = talloc_strdup(state->mem_ctx, tkey->name);
> 			if (state->key_name == NULL) {
> 				return WERR_NOMEM;
>-- 
>2.5.0
>

Flags:

metze: review+

Actions: View

Attachments on bug 11520: 12103 | 12187 | 12197 | 12198