samba.git/source4/dns_server, branch master Unnamed repository; edit this file 'description' to name the repository. s4/dns_server: truncate large dns packets over udp and set truncated flag 2026-04-01T05:08:14+00:00 Andréas Leroux aleroux@tranquil.it 2026-02-13T08:25:55+00:00 cc07c37fca2d6431e702a8073958742095761a2d Large DNS response must be truncated over UDP, letting client retry over TCP. Current threshold is set to 1232 as it is regarded as a safe size. Truncated packets have no answers nor record, only the packet header and initial question(s). BUG: https://bugzilla.samba.org/show_bug.cgi?id=15988 Signed-off-by: Andréas Leroux <aleroux@tranquil.it> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> Autobuild-User(master): Jennifer Sutton <jsutton@samba.org> Autobuild-Date(master): Wed Apr 1 05:08:14 UTC 2026 on atb-devel-224 
Large DNS response must be truncated over UDP, letting client retry over TCP. Current threshold is set to 1232 as it is regarded as a safe size.
Truncated packets have no answers nor record, only the packet header and initial question(s).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15988

Signed-off-by: Andréas Leroux <aleroux@tranquil.it>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

Autobuild-User(master): Jennifer Sutton <jsutton@samba.org>
Autobuild-Date(master): Wed Apr  1 05:08:14 UTC 2026 on atb-devel-224
Fix crash in DLZ plugin for incorrect setup 2025-09-20T06:49:37+00:00 Alexander Bokovoy ab@samba.org 2025-09-19T13:23:41+00:00 821cf798d87162b1f3b5d7388891d15fea0a969a When bind is not yet setup properly, logging errors should be done through the temporary handle. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15920 Signed-off-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org> Autobuild-Date(master): Sat Sep 20 06:49:37 UTC 2025 on atb-devel-224 
When bind is not yet setup properly, logging errors should be done
through the temporary handle.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15920

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Sat Sep 20 06:49:37 UTC 2025 on atb-devel-224
s4/dns/dlz: log when falling back to obsolete dns ldb path 2025-03-29T18:05:29+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2023-01-20T00:07:43+00:00 3c53430eed4fb7f1b5975908495c03947065749b Prior to 4.8 or so, the dlz dns files were kept in samba/private, but sharing those files is a bit less than private so a new bind-dns directory was added. As part of that patch set efforts were made to fallback gracefully to the old locations. But now that silent grace is causing confusion; the time has come to fallback resentfully. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15288 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Ralph Boehme <slow@samba.org> 
Prior to 4.8 or so, the dlz dns files were kept in samba/private, but
sharing those files is a bit less than private so a new bind-dns
directory was added. As part of that patch set efforts were made to
fallback gracefully to the old locations. But now that silent grace is
causing confusion; the time has come to fallback resentfully.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15288

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow@samba.org>
 s4:dns_server: no-op dns updates with ACCESS_DENIED should be ignored 2024-06-06T03:18:16+00:00 Stefan Metzmacher metze@samba.org 2024-05-30T12:52:22+00:00 ed61c57e02309b738e73fb12877a0a565b627724 If the client does not have permissions to update the record, but the record already has the data the update tries to apply, it's a no-op that should result in success instead of failing. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Thu Jun 6 03:18:16 UTC 2024 on atb-devel-224 
If the client does not have permissions to update the record,
but the record already has the data the update tries to apply,
it's a no-op that should result in success instead of failing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun  6 03:18:16 UTC 2024 on atb-devel-224
s4:dns_server: correctly sign dns update responses with gss-tsig like Windows 2024-06-06T02:13:33+00:00 Stefan Metzmacher metze@samba.org 2024-05-30T12:39:28+00:00 76fec2668e73b9d15447abee551d5c04148aaf27 This means we no longer generate strange errors/warnings in the Windows event log nor in the nsupdate -g output. Note: this is a only difference between gss-tsig and the legacy gss.microsoft.com algorithms. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
This means we no longer generate strange errors/warnings
in the Windows event log nor in the nsupdate -g output.

Note: this is a only difference between gss-tsig and
the legacy gss.microsoft.com algorithms.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:dns_server: dns_verify_tsig should return REFUSED on error 2024-06-06T02:13:33+00:00 Stefan Metzmacher metze@samba.org 2024-05-30T12:42:53+00:00 db350bc573b378fb0615bdd8592cc9c62f6db146 BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:dns_server: also search DNS_QTYPE_TKEY in the answers section if it's the last section 2024-06-06T02:13:33+00:00 Stefan Metzmacher metze@samba.org 2024-05-30T12:41:21+00:00 5906ed94f2c5c68e83c63e7c201534eeb323cfe7 BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:dns_server: use tkey->algorithm if available in dns_sign_tsig() 2024-06-06T02:13:33+00:00 Stefan Metzmacher metze@samba.org 2024-05-31T06:38:24+00:00 ae7538af04435658d2ba6dcab109beecb6c5f13e BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:dns_server: use the client provided algorithm for the fake TSIG structure 2024-06-06T02:13:33+00:00 Stefan Metzmacher metze@samba.org 2024-05-31T06:38:24+00:00 bd0235cd515d5602ed9501bfc810a2487364ea10 BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:dns_server: only allow gss-tsig and gss.microsoft.com for TSIG 2024-06-06T02:13:33+00:00 Stefan Metzmacher metze@samba.org 2024-05-31T06:38:24+00:00 3467d1491490830d61d16cb6278051daf48466fc BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>