From 91975b847ad7a59b4151443eb9f5e3a573c14258 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 11 May 2016 17:53:36 +0200
Subject: [PATCH] s4/dns_server: disable signing of DNS-TKEY responses

DNS packet signing is broken in 4.3 and older. Fixes are available in master and 4.4. Backporting the complete patchset turned out to be too difficult, so we use this hack to get authenticated DDNS updates working again.

By simply NOT signing our DNS-TKEY response, the client won't get a broken DNS-TSIG record which caused the client to not start the authenticated DDNS update.

DNS RFCs do require signing TKEY responses, but luckily real world clients are forgiving and accept unsigned TKEY responses. This was tested with Windows 7.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520

Signed-off-by: Stefan Metzmacher
Reviewed-by: Ralph Boehme
---
 source4/dns_server/dns_query.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c
index 9e30b71..2795dd2 100644
--- a/source4/dns_server/dns_query.c
+++ b/source4/dns_server/dns_query.c
@@ -525,7 +525,6 @@ static WERROR handle_tkey(struct dns_server *dns, ret_tkey->rdata.tkey_record.key_data = talloc_memdup(ret_tkey, reply.data, reply.length); - state->sign = true; state->key_name = talloc_strdup(state->mem_ctx, tkey->name); if (state->key_name == NULL) { return WERR_NOMEM;
-- 
2.5.0
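Review bot: Dropping `state->sign = true;` in handle_tkey() silently leaves the TKEY reply unsigned with nothing in the code saying why, which is a maintenance trap for a deliberate protocol deviation: the next person to diff this against master (where, per the commit message, signing is fixed) will see a missing line and "restore" it, reintroducing the broken TSIG record from bug 11520. Please keep a comment at the removal site, e.g. `/* BUG 11520: TKEY responses are deliberately left unsigned on this branch; TSIG signing is broken here and the client rejects the result. Remove this workaround when the signing fixes from master/4.4 are backported. */`, and ideally reference the bug from the hunk rather than only the commit message. Two further points worth stating in that comment or the commit message: first, the security consequence is bounded to the server's signature on its own TKEY answer, since the hunk still stores `state->key_name` and the GSS token in `key_data`, so subsequent update requests from the client are still verified against the negotiated key and "authenticated DDNS updates" remain authenticated on the server side; second, the message says the unsigned-response behaviour was tested only with Windows 7, so other GSS-TSIG clients (for example BIND's nsupdate with GSS) are unverified and the comment should say so instead of asserting that real-world clients in general accept it.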