[patch] TSIG-GSS nsupdate and name compression
tridge at samba.org
tridge at samba.org
Wed Feb 17 01:43:53 UTC 2010
Here is another patch for TSIG-GSS support, this time for nsupdate.
Windows DNS servers don't like the TSIG name being
compressed. The code in start_gssrequest() in nsupdate.c already tried
to prevent compression of the TSIG name, but it didn't cover all the
cases.
This patch fixes the other 3 places that need DNS_NAMEATTR_NOCOMPRESS
set.
With this patch I can use nsupdate against a W2K8R2 server
successfully, although nsupdate does complain like this:
; TSIG error with server: tsig verify failure
even though the update was successful. I presume that nsupdate is
mis-calculating the validation signature when it checks the
response. I'll see if I can find a fix for that and will post another
patch if I find it.
Cheers, Tridge
>From d7a5a09d035779fcedbc3f36ff2889c89114b61b Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge at samba.org>
Date: Wed, 17 Feb 2010 12:20:35 +1100
Subject: [PATCH] don't compress TSIG names
windows DNS servers will refuse TSIG-GSS requests with compressed
names
---
bin/nsupdate/nsupdate.c | 4 ++++
lib/dns/message.c | 2 ++
lib/dns/tsig.c | 3 +++
3 files changed, 9 insertions(+), 0 deletions(-)
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 6cf4cf4..f7ce6db 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -1985,6 +1985,10 @@ send_update(dns_name_t *zonename, isc_sockaddr_t *master,
fprintf(stderr, "Sending update to %s\n", addrbuf);
}
+ /* windows doesn't like the tsig name to be compressed */
+ if (updatemsg->tsigname)
+ updatemsg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
+
result = dns_request_createvia3(requestmgr, updatemsg, srcaddr,
master, options, tsigkey, timeout,
udp_timeout, udp_retries, global_task,
diff --git a/lib/dns/message.c b/lib/dns/message.c
index ae4965f..cb4528f 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -1531,6 +1531,8 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
} else if (rdtype == dns_rdatatype_tsig && msg->tsig == NULL) {
msg->tsig = rdataset;
msg->tsigname = name;
+ /* TSIG names should not be compressed */
+ msg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
rdataset = NULL;
free_rdataset = ISC_FALSE;
free_name = ISC_FALSE;
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index 74a7af3..3223942 100644
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -889,6 +889,9 @@ dns_tsig_sign(dns_message_t *msg) {
msg->tsig = dataset;
msg->tsigname = owner;
+ /* windows does not like the tsig name being compressed */
+ msg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
+
return (ISC_R_SUCCESS);
cleanup_rdatalist:
--
1.6.3.3
More information about the bind-workers
mailing list