From: Stefan Metzmacher
Date: Wed, 11 May 2016 15:53:36 +0000 (+0200)
Subject: s4/dns_server: disable signing of DNS-TKEY responses
X-Git-Tag: samba-4.3.12~125
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f5bb81a920b5a2504ea77c7c931d214fb0bfaf76;p=thirdparty%2Fsamba.git

s4/dns_server: disable signing of DNS-TKEY responses

DNS packet signing is broken in 4.3 and older. Fixes are available in
master and 4.4. Backporting the complete patchset turned out to be too
difficult, so we use this hack to get authenticated DDNS updates working
again.

By simply NOT signing our DNS-TKEY response, the client won't get a
broken DNS-TSIG record which caused the client to not start the
authenticated DDNS update.

DNS RFCs do require signing TKEY responses, but luckily real world
clients are forgiving and accept unsigned TKEY responses.

This was tested with Windows 7.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520

Signed-off-by: Stefan Metzmacher
Reviewed-by: Ralph Boehme

Autobuild-User(v4-3-test): Karolin Seeger
Autobuild-Date(v4-3-test): Thu Jun 23 15:35:39 CEST 2016 on sn-devel-104
---

diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c
index 9e30b71d73f..2795dd228ba 100644
--- a/source4/dns_server/dns_query.c
+++ b/source4/dns_server/dns_query.c
@@ -525,7 +525,6 @@ static WERROR handle_tkey(struct dns_server *dns,
 	ret_tkey->rdata.tkey_record.key_data = talloc_memdup(ret_tkey,
 							     reply.data,
 							     reply.length);
-	state->sign = true;
 	state->key_name = talloc_strdup(state->mem_ctx, tkey->name);
 	if (state->key_name == NULL) {
 		return WERR_NOMEM;
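Review bot: the hunk in handle_tkey() drops the assignment that marked the TKEY response for signing while the next line still records state->key_name, so the reason the answer is deliberately left unsigned (TSIG generation is broken in 4.3, and RFC 2930 requires TKEY responses to be signed) is visible only in the commit message, not in the code. Add a short comment where the removed line stood, for example `/* FIXME: do not sign, TSIG signing is broken in 4.3, see bug 11520 */`, so that a later reader does not restore `state->sign = true;` without also backporting the signing fixes, and so the intentional deviation from the RFC is documented at the point where it happens.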