Web lists-archives.com

Re: [Samba] Are secure DNS updates truly working?




On 8/29/2017 3:27 PM, George via samba wrote:
Hi team,

I recently upgrade some servers from v4.3.5 (affected by
https://bugzilla.samba.org/show_bug.cgi?id=11520 ) to v4.5.8 (default in
Debian Stretch) and was expecting secure DNS updates to be working again,
but they are not.

My logs show the same issues reported on bug 11520:

[2017/08/29 15:21:01.990467,  2]
../source4/dns_server/dns_update.c:773(dns_server_process_update)
   Got a dns update request.
[2017/08/29 15:21:01.990841,  2]
../source4/dns_server/dns_update.c:730(dns_update_allowed)
   Update not allowed for unsigned packet.
[2017/08/29 15:21:02.001791,  1]
../source4/dns_server/dns_query.c:880(handle_tkey)
   Tkey handshake completed

DNS records are not updated by Win7 clients and a Wireshark capture shows
Samba returns "Refused" to the request (I'm using Samba internal DNS).
Setting "allow dns updates = nonsecure" works fine, as before.

Can anyone confirm that this was indeed fixed? What else could be the
reason for the failures?

Thanks,

George

    I can confirm they work on 4.6.7. I do recall they have worked for several prior versions as well. I can't seem to get PTR records to register though.

The refused request doesn't necessarily mean it's not working. Windows will send an un-secure request first, followed by a secure request if required.


--
--
James


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba