Subject: Re: [ISC-Bugs #45854] nsupdate: GSSAPI fails to authenticate against AD in bind 9.11
Date: Fri, 25 Aug 2017 15:10:46 +1000
From: "Mark Andrews"
To: bind9-confidential@isc.org
In-Reply-To: Your message of "Thu, 24 Aug 2017 15:02:38 +0000."
Message-ID: <20170825051046.5301F833ACE0@rock.dv.isc.org>

I suspect this is really a Windows TSIG bug where it doesn't handle compressed TSIG owner names correctly. The change resulted in the workaround for this Windows bug being lost (preventing the TSIG owner name being compressed).

The following preserves the DNS_NAMEATTR_NOCOMPRESS attribute when setting case.

Mark

diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c index 5b88f20a98..a168588683 100644 --- a/lib/dns/rdataset.c +++ b/lib/dns/rdataset.c @@ -465,6 +465,9 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name, dns_name_copy(owner_name, name, NULL); dns_rdataset_getownercase(rdataset, name); + if ((owner_name->attributes & DNS_NAMEATTR_NOCOMPRESS) != 0) + name->attributes |= DNS_NAMEATTR_NOCOMPRESS; + do { /* * Copy out the name, type, class, ttl.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
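
Review bot: The added check after dns_rdataset_getownercase() in towiresorted() has no comment saying why DNS_NAMEATTR_NOCOMPRESS is copied back from owner_name onto name, and the message says this workaround has already been lost once to another change. A short comment at that spot giving the reason (the TSIG owner name must not be compressed, as a workaround for the Windows behaviour) would make it harder to drop again, and a test that checks the TSIG owner name is written uncompressed would catch a regression. It is also worth confirming which of the two preceding calls, dns_name_copy() or dns_rdataset_getownercase(), clears the attribute, since this hunk restores it only in towiresorted() and any other caller of that function would lose the flag the same way.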