Bug 14321 - Bind_dlz does not provide ACLs support for its zones and dynamic update does not work
Summary: Bind_dlz does not provide ACLs support for its zones and dynamic update does ...
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DNS plugin (BIND DLZ) (show other bugs)
Version: 4.12.0rc4
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Amitay Isaacs
QA Contact: Samba QA Contact
Depends on:
Reported: 2020-03-16 09:18 UTC by Dario Lesca
Modified: 2022-10-13 09:58 UTC (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Dario Lesca 2020-03-16 09:18:57 UTC
Since Samba bind_dlz implementation does not provide ACLs support for the
zones it manages, dynamically updating those zones does not work.

Technical details by Alexander Bokovoy reported in this tread:

In bin/named/update.c, update_action() code starts with:

        CHECK(dns_zone_getdb(zone, &db));
        zonename = dns_db_origin(db);
        zoneclass = dns_db_class(db);
        dns_zone_getssutable(zone, &ssutable);

         * Update message processing can leak record existance information
         * so check that we are allowed to query this zone.  Additionally
         * if we would refuse all updates for this zone we bail out here.
        CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone), zonename,
                            dns_zone_getupdateacl(zone), ssutable));

The message you see 'client ...: update ... denied' comes from
checkqueryacl()'s call:

       } else if (updateacl == NULL && ssutable == NULL) {
                dns_name_format(zonename, namebuf, sizeof(namebuf));
                dns_rdataclass_format(client->view->rdclass, classbuf,

                result = DNS_R_REFUSED;
                ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
                              NS_LOGMODULE_UPDATE, ISC_LOG_INFO,
                              "update '%s/%s' denied", namebuf, classbuf);

So, both updateacl (result of call to dns_zone_getupdateacl(zone) above)
and ssutable are not there.
Comment 1 Kacper 2022-10-13 09:58:45 UTC
I've tested this on Samba 4.16.4 and dynamic update of the primary domain zone works correctly. Removing the ACL of a domain record also correctly gives:

samba_dlz: disallowing update of signer=example-computer\$\@EXAMPLE.TEST name=example-computer.example.test type=AAAA error=insufficient access rights