git.ipfire.org Git - thirdparty/samba.git/commitdiff
s4/dns_server: disable signing of DNS-TKEY responses
author: Stefan Metzmacher <metze@samba.org>
        Wed, 11 May 2016 15:53:36 +0000 (17:53 +0200)
committer: Karolin Seeger <kseeger@samba.org>
        Thu, 23 Jun 2016 13:35:39 +0000 (15:35 +0200)
DNS packet signing is broken in 4.3 and older. Fixes are available in
master and 4.4. Backporting the complete patchset turned out to be too
difficult, so we use this hack to get authenticated DDNS updates working
again.

By simply NOT signing our DNS-TKEY response, the client won't get a
broken DNS-TSIG record which caused the client to not start the
authenticated DDNS update.

DNS RFCs do require signing TKEY responses, but luckily real world
clients are forgiving and accept unsigned TKEY responses. This was
tested with Windows 7.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(v4-3-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-3-test): Thu Jun 23 15:35:39 CEST 2016 on sn-devel-104
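The commit message describes a client-side behaviour that the hunk below relies on: a Windows client, having asked the server for a TKEY, decides whether to proceed with the authenticated dynamic update based on what it finds in the additional section of the TKEY reply. The example below is added here to make that decision concrete; it is not Samba code and not part of the original commit. It builds two constructed TKEY responses in DNS wire format (the GSS token and the TSIG MAC are placeholder bytes, not real GSS-API output), parses them back, and shows the difference between a strict RFC 2930 client, which refuses an unsigned TKEY reply, and a lenient one that accepts it, as the commit reports Windows 7 does. The names `build_tkey_response`, `parse_tkey_response` and `client_starts_update`, and the sample key name, are assumptions of this example.

```python
"""Build and parse DNS TKEY responses, with and without a TSIG RR.
Added example, not Samba code; standard library only, runs offline."""
import struct

TYPE_TKEY = 249   # RFC 2930
TYPE_TSIG = 250   # RFC 2845
CLASS_ANY = 255


def encode_name(name):
    """DNS wire encoding of a domain name (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, off):
    """Decode a possibly compressed name at buf[off:]; return (name, next offset)."""
    labels, end = [], None
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:                 # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def build_tkey_response(txn_id, key_name, key_data, sign):
    """Server side of a TKEY exchange: one TKEY answer RR, plus a TSIG RR in the
    additional section when sign is True.  Constructed sample: key_data and the
    MAC are placeholder bytes, not a real GSS-API token or MIC."""
    alg = encode_name("gss-tsig")
    tkey_rdata = (alg
                  + struct.pack("!IIHHH", 0, 0xFFFFFFFF, 3, 0, len(key_data))  # mode 3 = GSS-API
                  + key_data
                  + struct.pack("!H", 0))                                     # other size = 0
    qname = encode_name(key_name)
    header = struct.pack("!HHHHHH", txn_id, 0x8000, 1, 1, 0, 1 if sign else 0)  # QR=1
    question = qname + struct.pack("!HH", TYPE_TKEY, CLASS_ANY)
    answer = qname + struct.pack("!HHIH", TYPE_TKEY, CLASS_ANY, 0, len(tkey_rdata)) + tkey_rdata
    pkt = header + question + answer
    if sign:
        mac = b"\xAA" * 16                                        # placeholder MAC
        tsig_rdata = (alg
                      + struct.pack("!HIHH", 0, 0, 300, len(mac))  # time signed (48 bit), fudge, mac size
                      + mac
                      + struct.pack("!HHH", txn_id, 0, 0))         # original id, error, other len
        pkt += qname + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(tsig_rdata)) + tsig_rdata
    return pkt


def parse_tkey_response(pkt):
    """Walk the message; report the negotiated key and whether a TSIG RR closes
    the additional section (RFC 2845 requires TSIG to be the last RR)."""
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(pkt, off)
        off += 4                                # qtype + qclass
    rrs = []
    for _ in range(an + ns + ar):
        name, off = decode_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rrs.append((name, rtype, pkt[off:off + rdlen]))
        off += rdlen
    answers, additional = rrs[:an], rrs[an + ns:]
    result = {"id": txn_id, "key_name": None, "key_data": None, "tkey_error": None,
              "signed": bool(additional) and additional[-1][1] == TYPE_TSIG}
    for name, rtype, rdata in answers:
        if rtype == TYPE_TKEY:
            _, p = decode_name(rdata, 0)       # skip algorithm name
            _, _, mode, err, ksize = struct.unpack("!IIHHH", rdata[p:p + 14])
            result.update(key_name=name, tkey_error=err, key_data=rdata[p + 14:p + 14 + ksize])
    return result


def client_starts_update(pkt, strict):
    """A strict client (RFC 2930 requires a signed TKEY reply) refuses an unsigned
    response; a lenient one, like the Windows 7 client the commit mentions, proceeds."""
    r = parse_tkey_response(pkt)
    if r["key_name"] is None or r["tkey_error"] != 0:
        return False
    return r["signed"] or not strict


if __name__ == "__main__":
    for sign in (True, False):
        reply = build_tkey_response(0x1234, "123-ms-7.1-abcdef.example.com.", b"\x01\x02\x03", sign)
        print("signed" if sign else "unsigned", parse_tkey_response(reply),
              "strict:", client_starts_update(reply, True),
              "lenient:", client_starts_update(reply, False))
```

The parser only checks that a TSIG RR is present and last; it does not verify the MAC, since that needs the GSS-API context the TKEY exchange establishes. That is enough to illustrate the commit's point: the patch trades an RFC-required but broken TSIG record for no TSIG record at all, which a strict client would reject and a lenient client accepts.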

source4/dns_server/dns_query.c

index 9e30b71d73f488c7499aaee8039432c87275bd27..2795dd228baf70dfe69833bfe619c3388e12c62b 100644
@@ -525,7 +525,6 @@ static WERROR handle_tkey(struct dns_server *dns,
                        ret_tkey->rdata.tkey_record.key_data = talloc_memdup(ret_tkey,
                                                                reply.data,
                                                                reply.length);
-                       state->sign = true;
                        state->key_name = talloc_strdup(state->mem_ctx, tkey->name);
                        if (state->key_name == NULL) {
                                return WERR_NOMEM;
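Review bot: deleting `state->sign = true;` leaves no trace in handle_tkey() that skipping the TSIG on the TKEY reply is deliberate, so the next reader of this function is likely to put the line back and reintroduce the broken TSIG record the commit message describes. Replace the removed line with a comment that cites bug 11520 and says the reply is intentionally left unsigned as a workaround for the broken packet signing in this branch, e.g. `/* Do not sign the TKEY reply: packet signing is broken here, see bug #11520 */`. It is also worth confirming that `state->key_name`, still stored on the following line, is consumed by something other than the signing path, since otherwise it is now dead state in this function.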