Bug 9331 - dns server should use the settings of the dnszone to decide wether or not allow secure updates
dns server should use the settings of the dnszone to decide wether or not all...
Status: NEW
Product: Samba 4.0
Classification: Unclassified
Component: DNS server
4.0.0rc3
All All
: P5 enhancement
: ---
Assigned To: Kai Blin
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-10-28 06:55 UTC by Matthieu Patou
Modified: 2013-06-01 08:15 UTC (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matthieu Patou 2012-10-28 06:55:07 UTC
When dealing with AD integrated zone there is a property on each zone that define which kind of update are allowed iE.

dn: DC=w2k3.home.matws.net,CN=MicrosoftDNS,CN=System,DC=w2k3,DC=home,DC=matws,DC=net
dNSProperty:     NDR: struct dnsp_DnsProperty
        wDataLength              : 0x00000000 (0)
        namelength               : 0x00005038 (20536)
        flag                     : 0x00000000 (0)
        version                  : 0x00000001 (1)
        id                       : DSPROPERTY_ZONE_NS_SERVERS_DA (146)
        data                     : union dnsPropertyData(case 0)
        name                     : 0x00000040 (64)

dNSProperty:     NDR: struct dnsp_DnsProperty
        wDataLength              : 0x00000000 (0)
        namelength               : 0x00005048 (20552)
        flag                     : 0x00000000 (0)
        version                  : 0x00000001 (1)
        id                       : DSPROPERTY_ZONE_SCAVENGING_SERVERS (17)
        data                     : union dnsPropertyData(case 0)
        name                     : 0x00000000 (0)

dNSProperty:     NDR: struct dnsp_DnsProperty
        wDataLength              : 0x00000004 (4)
        namelength               : 0x00000000 (0)
        flag                     : 0x00000000 (0)
        version                  : 0x00000001 (1)
        id                       : DSPROPERTY_ZONE_AGING_ENABLED_TIME (18)
        data                     : union dnsPropertyData(case 18)
        next_scavenging_cycle_hours: 0x00000000 (0)
        name                     : 0x00000000 (0)

dNSProperty:     NDR: struct dnsp_DnsProperty
        wDataLength              : 0x00000004 (4)
        namelength               : 0x00000000 (0)
        flag                     : 0x00000000 (0)
        version                  : 0x00000001 (1)
        id                       : DSPROPERTY_ZONE_AGING_STATE (64)
        data                     : union dnsPropertyData(case 64)
        aging_enabled            : 0x00000000 (0)
        name                     : 0x00bde158 (12443992)

dNSProperty:     NDR: struct dnsp_DnsProperty
        wDataLength              : 0x00000000 (0)
        namelength               : 0x773ecdd3 (2000604627)
        flag                     : 0x00000000 (0)
        version                  : 0x00000001 (1)
        id                       : DSPROPERTY_ZONE_AUTO_NS_SERVERS (130)
        data                     : union dnsPropertyData(case 0)
        name                     : 0x00bde578 (12445048)

dNSProperty:     NDR: struct dnsp_DnsProperty
        wDataLength              : 0x00000001 (1)
        namelength               : 0x00000000 (0)
        flag                     : 0x00000000 (0)
        version                  : 0x00000001 (1)
        id                       : DSPROPERTY_ZONE_ALLOW_UPDATE (2)
        data                     : union dnsPropertyData(case 2)
        allow_update_flag        : DNS_ZONE_UPDATE_SECURE (2)
        name                     : 0x0000bde0 (48608)
Comment 1 Kai Blin 2013-05-25 10:25:24 UTC
Damn, I was told this wasn't the case when I set up the initial smb.conf options for this. I wonder if we can fix this for 4.1, and how to migrate this.
Comment 2 Andrew Bartlett 2013-05-27 06:07:01 UTC
I think we should just remove the smb.conf option, and use this in-directory data.

Given the default is for secure updates only, this shouldn't expose anyone, and we just mention it in WHATSNEW.

If we must keep the smb.conf option while deprecating it over a release, we change the default to 'directory', so folks who have not changed the option just work.
Comment 3 Kai Blin 2013-05-27 06:15:20 UTC
Sounds good to me. :)