From 558fa4c45a87704c57893d61a5431fc8bb51385a Mon Sep 17 00:00:00 2001
From: Kai Blin <kai@samba.org>
Date: Wed, 5 Sep 2012 11:07:55 +0200
Subject: [PATCH] s4 dns: Revert erroneous push from wrong branch

I've pushed the wrong branch for this, sorry about that.

Autobuild-User(master): Kai Blin <kai@samba.org>
Autobuild-Date(master): Wed Sep  5 14:10:54 CEST 2012 on sn-devel-104
---
 librpc/idl/dns.idl               |  14 --
 source4/dns_server/dns_crypto.c  | 359 ---------------------------------------
 source4/dns_server/dns_query.c   | 110 ++++++------
 source4/dns_server/dns_server.c  |  23 ---
 source4/dns_server/dns_server.h  |  18 --
 source4/dns_server/dns_update.c  |   7 +-
 source4/dns_server/dns_utils.c   |   2 -
 source4/dns_server/wscript_build |   2 +-
 8 files changed, 60 insertions(+), 475 deletions(-)
 delete mode 100644 source4/dns_server/dns_crypto.c

diff --git a/librpc/idl/dns.idl b/librpc/idl/dns.idl
index 984f2b34a3a..a92c418dc5e 100644
--- a/librpc/idl/dns.idl
+++ b/librpc/idl/dns.idl
@@ -192,20 +192,6 @@ interface dns
 		uint8      other_data[other_size];
 	} dns_tsig_record;
 
-	typedef [flag(NDR_NOALIGN|NDR_BIG_ENDIAN|NDR_PAHEX),public] struct {
-		dns_string	name;
-		dns_qclass 	rr_class;
-		uint32     	ttl;
-		dns_string 	algorithm_name;
-		uint16     	time_prefix; /* 0 until February 2106*/
-		uint32     	time;
-		uint16     	fudge;
-		uint16     	original_id;
-		uint16     	error;
-		uint16     	other_size;
-		uint8      	other_data[other_size];
-	} dns_fake_tsig_rec;
-
 	typedef [nodiscriminant,public,flag(NDR_NOALIGN)] union {
 		[case(DNS_QTYPE_A)]     ipv4address	 ipv4_record;
 		[case(DNS_QTYPE_NS)]    dns_string       ns_record;
diff --git a/source4/dns_server/dns_crypto.c b/source4/dns_server/dns_crypto.c
deleted file mode 100644
index 7362adc426b..00000000000
--- a/source4/dns_server/dns_crypto.c
+++ /dev/null
@@ -1,359 +0,0 @@
-/*
-   Unix SMB/CIFS implementation.
-
-   DNS server handler for signed packets
-
-   Copyright (C) 2012 Kai Blin  <kai@samba.org>
-
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 3 of the License, or
-   (at your option) any later version.
-
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-
-   You should have received a copy of the GNU General Public License
-   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-#include "lib/crypto/hmacmd5.h"
-#include "system/network.h"
-#include "librpc/ndr/libndr.h"
-#include "librpc/gen_ndr/ndr_dns.h"
-#include "dns_server/dns_server.h"
-#include "libcli/util/ntstatus.h"
-#include "auth/auth.h"
-#include "auth/gensec/gensec.h"
-
-static WERROR dns_copy_tsig(TALLOC_CTX *mem_ctx,
-			    struct dns_res_rec *old,
-			    struct dns_res_rec *new_rec)
-{
-	new_rec->name = talloc_strdup(mem_ctx, old->name);
-	W_ERROR_HAVE_NO_MEMORY(new_rec->name);
-
-	new_rec->rr_type = old->rr_type;
-	new_rec->rr_class = old->rr_class;
-	new_rec->ttl = old->ttl;
-	new_rec->length = old->length;
-	new_rec->rdata.tsig_record.algorithm_name = talloc_strdup(mem_ctx,
-				old->rdata.tsig_record.algorithm_name);
-	W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.algorithm_name);
-
-	new_rec->rdata.tsig_record.time_prefix = old->rdata.tsig_record.time_prefix;
-	new_rec->rdata.tsig_record.time = old->rdata.tsig_record.time;
-	new_rec->rdata.tsig_record.fudge = old->rdata.tsig_record.fudge;
-	new_rec->rdata.tsig_record.mac_size = old->rdata.tsig_record.mac_size;
-	new_rec->rdata.tsig_record.mac = talloc_memdup(mem_ctx,
-					old->rdata.tsig_record.mac,
-					old->rdata.tsig_record.mac_size);
-	W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.mac);
-
-	new_rec->rdata.tsig_record.original_id = old->rdata.tsig_record.original_id;
-	new_rec->rdata.tsig_record.error = old->rdata.tsig_record.error;
-	new_rec->rdata.tsig_record.other_size = old->rdata.tsig_record.other_size;
-	new_rec->rdata.tsig_record.other_data = talloc_memdup(mem_ctx,
-					old->rdata.tsig_record.other_data,
-					old->rdata.tsig_record.other_size);
-	W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.other_data);
-
-	return WERR_OK;
-}
-
-struct dns_server_tkey *dns_find_tkey(struct dns_server_tkey_store *store,
-				      const char *name)
-{
-	struct dns_server_tkey *tkey = NULL;
-	uint16_t i = 0;
-
-	do {
-		struct dns_server_tkey *tmp_key = store->tkeys[i];
-
-		i++;
-		i %= TKEY_BUFFER_SIZE;
-
-		if (tmp_key == NULL) {
-			continue;
-		}
-		if (dns_name_equal(name, tmp_key->name)) {
-			tkey = tmp_key;
-			break;
-		}
-	} while (i != 0);
-
-	return tkey;
-}
-
-WERROR dns_verify_tsig(struct dns_server *dns,
-		       TALLOC_CTX *mem_ctx,
-		       struct dns_request_state *state,
-		       struct dns_name_packet *packet,
-		       DATA_BLOB *in)
-{
-	WERROR werror;
-	NTSTATUS status;
-	enum ndr_err_code ndr_err;
-	bool found_tsig = false;
-	uint16_t i, arcount = 0;
-	DATA_BLOB tsig_blob, fake_tsig_blob, sig;
-	uint8_t *buffer = NULL;
-	size_t buffer_len = 0, packet_len = 0;
-	struct dns_server_tkey *tkey = NULL;
-	struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx,
-			struct dns_fake_tsig_rec);
-
-
-	/* Find the first TSIG record in the additional records */
-	for (i=0; i < packet->arcount; i++) {
-		if (packet->additional[i].rr_type == DNS_QTYPE_TSIG) {
-			found_tsig = true;
-			break;
-		}
-	}
-
-	if (!found_tsig) {
-		return WERR_OK;
-	}
-
-	/* The TSIG record needs to be the last additional record */
-	if (found_tsig && i + 1 != packet->arcount) {
-		DEBUG(0, ("TSIG record not the last additional record!\n"));
-		return DNS_ERR(FORMAT_ERROR);
-	}
-
-	/* We got a TSIG, so we need to sign our reply */
-	state->sign = true;
-
-	state->tsig = talloc_zero(mem_ctx, struct dns_res_rec);
-	if (state->tsig == NULL) {
-		return WERR_NOMEM;
-	}
-
-	werror = dns_copy_tsig(state->tsig, &packet->additional[i],
-			       state->tsig);
-	if (!W_ERROR_IS_OK(werror)) {
-		return werror;
-	}
-
-	packet->arcount--;
-
-	tkey = dns_find_tkey(dns->tkeys, state->tsig->name);
-	if (tkey == NULL) {
-		state->tsig_error = DNS_RCODE_BADKEY;
-		return DNS_ERR(NOTAUTH);
-	}
-
-	/* FIXME: check TSIG here */
-	if (check_rec == NULL) {
-		return WERR_NOMEM;
-	}
-
-	/* first build and verify check packet */
-	check_rec->name = talloc_strdup(check_rec, tkey->name);
-	if (check_rec->name == NULL) {
-		return WERR_NOMEM;
-	}
-	check_rec->rr_class = DNS_QCLASS_ANY;
-	check_rec->ttl = 0;
-	check_rec->algorithm_name = talloc_strdup(check_rec, tkey->algorithm);
-	if (check_rec->algorithm_name == NULL) {
-		return WERR_NOMEM;
-	}
-	check_rec->time_prefix = 0;
-	check_rec->time = state->tsig->rdata.tsig_record.time;
-	check_rec->fudge = state->tsig->rdata.tsig_record.fudge;
-	check_rec->error = 0;
-	check_rec->other_size = 0;
-	check_rec->other_data = NULL;
-
-	ndr_err = ndr_push_struct_blob(&tsig_blob, mem_ctx, state->tsig,
-		(ndr_push_flags_fn_t)ndr_push_dns_res_rec);
-	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-		DEBUG(1, ("Failed to push packet: %s!\n",
-			  ndr_errstr(ndr_err)));
-		return DNS_ERR(SERVER_FAILURE);
-	}
-
-	ndr_err = ndr_push_struct_blob(&fake_tsig_blob, mem_ctx, check_rec,
-		(ndr_push_flags_fn_t)ndr_push_dns_fake_tsig_rec);
-	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-		DEBUG(1, ("Failed to push packet: %s!\n",
-			  ndr_errstr(ndr_err)));
-		return DNS_ERR(SERVER_FAILURE);
-	}
-
-	/* we need to work some magic here. we need to keep the input packet
-	 * exactly like we got it, but we need to cut off the tsig record */
-	packet_len = in->length - tsig_blob.length;
-	buffer_len = packet_len + fake_tsig_blob.length;
-	buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len);
-	if (buffer == NULL) {
-		return WERR_NOMEM;
-	}
-
-	memcpy(buffer, in->data, packet_len);
-	memcpy(buffer + packet_len, fake_tsig_blob.data, fake_tsig_blob.length);
-
-	sig.length = state->tsig->rdata.tsig_record.mac_size;
-	sig.data = talloc_memdup(mem_ctx, state->tsig->rdata.tsig_record.mac, sig.length);
-	if (sig.data == NULL) {
-		return WERR_NOMEM;
-	}
-
-	/*FIXME: Why is there too much padding? */
-	buffer_len -= 2;
-
-	/* Now we also need to count down the additional record counter */
-	arcount = RSVAL(buffer, 10);
-	RSSVAL(buffer, 10, arcount-1);
-
-	status = gensec_check_packet(tkey->gensec, buffer, buffer_len,
-				    buffer, buffer_len, &sig);
-	if (NT_STATUS_EQUAL(NT_STATUS_ACCESS_DENIED, status)) {
-		return DNS_ERR(BADKEY);
-	}
-
-	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(0, ("Verifying tsig failed: %s\n", nt_errstr(status)));
-		return ntstatus_to_werror(status);
-	}
-
-	state->authenticated = true;
-	state->key_name = talloc_strdup(mem_ctx, tkey->name);
-	if (state->key_name == NULL) {
-		return WERR_NOMEM;
-	}
-
-	return WERR_OK;
-}
-
-WERROR dns_sign_tsig(struct dns_server *dns,
-		     TALLOC_CTX *mem_ctx,
-		     struct dns_request_state *state,
-		     struct dns_name_packet *packet,
-		     uint16_t error)
-{
-	WERROR werror;
-	NTSTATUS status;
-	enum ndr_err_code ndr_err;
-	time_t current_time = time(NULL);
-	DATA_BLOB packet_blob, tsig_blob, sig;
-	uint8_t *buffer = NULL;
-	size_t buffer_len = 0;
-	struct dns_server_tkey * tkey = NULL;
-	struct dns_res_rec *tsig = talloc_zero(mem_ctx, struct dns_res_rec);
-
-	struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx,
-			struct dns_fake_tsig_rec);
-
-	if (tsig == NULL) {
-		return WERR_NOMEM;
-	}
-
-	if (check_rec == NULL) {
-		return WERR_NOMEM;
-	}
-
-	tkey = dns_find_tkey(dns->tkeys, state->key_name);
-	if (tkey == NULL) {
-		/* FIXME: read up on what to do when we can't find a key */
-		return WERR_OK;
-	}
-
-	/* first build and verify check packet */
-	check_rec->name = talloc_strdup(check_rec, tkey->name);
-	if (check_rec->name == NULL) {
-		return WERR_NOMEM;
-	}
-	check_rec->rr_class = DNS_QCLASS_ANY;
-	check_rec->ttl = 0;
-	check_rec->algorithm_name = talloc_strdup(check_rec, tkey->algorithm);
-	if (check_rec->algorithm_name == NULL) {
-		return WERR_NOMEM;
-	}
-	check_rec->time_prefix = 0;
-	check_rec->time = current_time;
-	check_rec->fudge = 300;
-	check_rec->error = state->tsig_error;
-	check_rec->other_size = 0;
-	check_rec->other_data = NULL;
-
-	ndr_err = ndr_push_struct_blob(&packet_blob, mem_ctx, packet,
-		(ndr_push_flags_fn_t)ndr_push_dns_name_packet);
-	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-		DEBUG(1, ("Failed to push packet: %s!\n",
-			  ndr_errstr(ndr_err)));
-		return DNS_ERR(SERVER_FAILURE);
-	}
-
-	ndr_err = ndr_push_struct_blob(&tsig_blob, mem_ctx, check_rec,
-		(ndr_push_flags_fn_t)ndr_push_dns_fake_tsig_rec);
-	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-		DEBUG(1, ("Failed to push packet: %s!\n",
-			  ndr_errstr(ndr_err)));
-		return DNS_ERR(SERVER_FAILURE);
-	}
-
-	buffer_len = packet_blob.length + tsig_blob.length;
-	buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len);
-	if (buffer == NULL) {
-		return WERR_NOMEM;
-	}
-
-	memcpy(buffer, packet_blob.data, packet_blob.length);
-	memcpy(buffer+packet_blob.length, tsig_blob.data, tsig_blob.length);
-
-
-	status = gensec_sign_packet(tkey->gensec, mem_ctx, buffer, buffer_len,
-				    buffer, buffer_len, &sig);
-	if (!NT_STATUS_IS_OK(status)) {
-		return ntstatus_to_werror(status);
-	}
-
-	tsig->name = talloc_strdup(tsig, check_rec->name);
-	if (tsig->name == NULL) {
-		return WERR_NOMEM;
-	}
-	tsig->rr_class = check_rec->rr_class;
-	tsig->rr_type = DNS_QTYPE_TSIG;
-	tsig->ttl = 0;
-	tsig->length = UINT16_MAX;
-	tsig->rdata.tsig_record.algorithm_name = talloc_strdup(tsig,
-			check_rec->algorithm_name);
-	tsig->rdata.tsig_record.time_prefix = check_rec->time_prefix;
-	tsig->rdata.tsig_record.time = check_rec->time;
-	tsig->rdata.tsig_record.fudge = check_rec->fudge;
-	tsig->rdata.tsig_record.error = state->tsig_error;
-	tsig->rdata.tsig_record.original_id = packet->id;
-	tsig->rdata.tsig_record.other_size = 0;
-	tsig->rdata.tsig_record.other_data = NULL;
-	tsig->rdata.tsig_record.mac_size = sig.length;
-	tsig->rdata.tsig_record.mac = talloc_memdup(tsig, sig.data, sig.length);
-
-
-	if (packet->arcount == 0) {
-		packet->additional = talloc_zero(mem_ctx, struct dns_res_rec);
-		if (packet->additional == NULL) {
-			return WERR_NOMEM;
-		}
-	}
-	packet->additional = talloc_realloc(mem_ctx, packet->additional,
-					    struct dns_res_rec,
-					    packet->arcount + 1);
-	if (packet->additional == NULL) {
-		return WERR_NOMEM;
-	}
-
-	werror = dns_copy_tsig(mem_ctx, tsig,
-			       &packet->additional[packet->arcount]);
-	if (!W_ERROR_IS_OK(werror)) {
-		return werror;
-	}
-	packet->arcount++;
-
-	return WERR_OK;
-}
diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c
index 98ebc63d97f..530b7b22bd5 100644
--- a/source4/dns_server/dns_query.c
+++ b/source4/dns_server/dns_query.c
@@ -320,9 +320,62 @@ static WERROR handle_question(struct dns_server *dns,
 	return WERR_OK;
 }
 
+static NTSTATUS accept_gss_ticket(TALLOC_CTX *mem_ctx,
+				  struct dns_server *dns,
+				  struct dns_server_tkey *tkey,
+				  const DATA_BLOB *key,
+				  DATA_BLOB *reply,
+				  uint16_t *dns_auth_error)
+{
+	NTSTATUS status;
+
+	status = gensec_update(tkey->gensec, mem_ctx, dns->task->event_ctx,
+			       *key, reply);
+
+	if (NT_STATUS_EQUAL(NT_STATUS_MORE_PROCESSING_REQUIRED, status)) {
+		*dns_auth_error = DNS_RCODE_OK;
+		return status;
+	}
+
+	if (NT_STATUS_IS_OK(status)) {
+
+		status = gensec_session_info(tkey->gensec, tkey, &tkey->session_info);
+		if (!NT_STATUS_IS_OK(status)) {
+			*dns_auth_error = DNS_RCODE_BADKEY;
+			return status;
+		}
+		*dns_auth_error = DNS_RCODE_OK;
+	}
+
+	return status;
+}
+
+static struct dns_server_tkey *find_tkey(struct dns_server_tkey_store *store,
+					 const char *name)
+{
+	struct dns_server_tkey *tkey = NULL;
+	uint16_t i = 0;
+
+	do {
+		struct dns_server_tkey *tmp_key = store->tkeys[i];
+
+		i++;
+		i %= TKEY_BUFFER_SIZE;
+
+		if (tmp_key == NULL) {
+			continue;
+		}
+		if (dns_name_equal(name, tmp_key->name)) {
+			tkey = tmp_key;
+			break;
+		}
+	} while (i != 0);
+
+	return tkey;
+}
+
 static NTSTATUS create_tkey(struct dns_server *dns,
 			    const char* name,
-			    const char* algorithm,
 			    struct dns_server_tkey **tkey)
 {
 	NTSTATUS status;
@@ -339,11 +392,6 @@ static NTSTATUS create_tkey(struct dns_server *dns,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	k->algorithm = talloc_strdup(k, algorithm);
-	if (k->algorithm == NULL) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
 	status = samba_server_gensec_start(k,
 					   dns->task->event_ctx,
 					   dns->task->msg_ctx,
@@ -380,40 +428,9 @@ static NTSTATUS create_tkey(struct dns_server *dns,
 	return NT_STATUS_OK;
 }
 
-static NTSTATUS accept_gss_ticket(TALLOC_CTX *mem_ctx,
-				  struct dns_server *dns,
-				  struct dns_server_tkey *tkey,
-				  const DATA_BLOB *key,
-				  DATA_BLOB *reply,
-				  uint16_t *dns_auth_error)
-{
-	NTSTATUS status;
-
-	status = gensec_update(tkey->gensec, mem_ctx, dns->task->event_ctx,
-			       *key, reply);
-
-	if (NT_STATUS_EQUAL(NT_STATUS_MORE_PROCESSING_REQUIRED, status)) {
-		*dns_auth_error = DNS_RCODE_OK;
-		return status;
-	}
-
-	if (NT_STATUS_IS_OK(status)) {
-
-		status = gensec_session_info(tkey->gensec, tkey, &tkey->session_info);
-		if (!NT_STATUS_IS_OK(status)) {
-			*dns_auth_error = DNS_RCODE_BADKEY;
-			return status;
-		}
-		*dns_auth_error = DNS_RCODE_OK;
-	}
-
-	return status;
-}
-
 static WERROR handle_tkey(struct dns_server *dns,
                           TALLOC_CTX *mem_ctx,
                           const struct dns_name_packet *in,
-			  struct dns_request_state *state,
                           struct dns_res_rec **answers,
                           uint16_t *ancount)
 {
@@ -449,8 +466,7 @@ static WERROR handle_tkey(struct dns_server *dns,
 	ret_tkey->rr_class = DNS_QCLASS_ANY;
 	ret_tkey->length = UINT16_MAX;
 
-	ret_tkey->rdata.tkey_record.algorithm = talloc_strdup(ret_tkey,
-			in_tkey->rdata.tkey_record.algorithm);
+	ret_tkey->rdata.tkey_record.algorithm = talloc_strdup(ret_tkey, ret_tkey->name);
 	if (ret_tkey->rdata.tkey_record.algorithm  == NULL) {
 		return WERR_NOMEM;
 	}
@@ -471,7 +487,7 @@ static WERROR handle_tkey(struct dns_server *dns,
 		DATA_BLOB key;
 		DATA_BLOB reply;
 
-		tkey = dns_find_tkey(dns->tkeys, in->questions[0].name);
+		tkey = find_tkey(dns->tkeys, in->questions[0].name);
 		if (tkey != NULL && tkey->complete) {
 			/* TODO: check if the key is still valid */
 			DEBUG(1, ("Rejecting tkey negotiation for already established key\n"));
@@ -481,7 +497,6 @@ static WERROR handle_tkey(struct dns_server *dns,
 
 		if (tkey == NULL) {
 			status  = create_tkey(dns, in->questions[0].name,
-					      in_tkey->rdata.tkey_record.algorithm,
 					      &tkey);
 			if (!NT_STATUS_IS_OK(status)) {
 				ret_tkey->rdata.tkey_record.error = DNS_RCODE_BADKEY;
@@ -499,15 +514,6 @@ static WERROR handle_tkey(struct dns_server *dns,
 			ret_tkey->rdata.tkey_record.error = DNS_RCODE_BADKEY;
 		} else if (NT_STATUS_IS_OK(status)) {
 			DEBUG(1, ("Tkey handshake completed\n"));
-			ret_tkey->rdata.tkey_record.key_size = reply.length;
-			ret_tkey->rdata.tkey_record.key_data = talloc_memdup(ret_tkey,
-								reply.data,
-								reply.length);
-			state->sign = true;
-			state->key_name = talloc_strdup(mem_ctx, tkey->name);
-			if (state->key_name == NULL) {
-				return WERR_NOMEM;
-			}
 		} else {
 			DEBUG(0, ("GSS key negotiation returned %s\n", nt_errstr(status)));
 			ret_tkey->rdata.tkey_record.error = DNS_RCODE_BADKEY;
@@ -576,8 +582,8 @@ struct tevent_req *dns_server_process_query_send(
 	if (in->questions[0].question_type == DNS_QTYPE_TKEY) {
                 WERROR err;
 
-		err = handle_tkey(dns, state, in, req_state,
-				  &state->answers, &state->ancount);
+		err = handle_tkey(dns, state, in, &state->answers,
+				  &state->ancount);
 		if (tevent_req_werror(req, err)) {
 			return tevent_req_post(req, ev);
 		}
diff --git a/source4/dns_server/dns_server.c b/source4/dns_server/dns_server.c
index c5f516dd201..887fc8ee1d6 100644
--- a/source4/dns_server/dns_server.c
+++ b/source4/dns_server/dns_server.c
@@ -98,7 +98,6 @@ static void dns_tcp_send(struct stream_connection *conn, uint16_t flags)
 
 struct dns_process_state {
 	DATA_BLOB *in;
-	struct dns_server *dns;
 	struct dns_name_packet in_packet;
 	struct dns_request_state state;
 	uint16_t dns_err;
@@ -124,8 +123,6 @@ static struct tevent_req *dns_process_send(TALLOC_CTX *mem_ctx,
 	}
 	state->in = in;
 
-	state->dns = dns;
-
 	if (in->length < 12) {
 		tevent_req_werror(req, WERR_INVALID_PARAM);
 		return tevent_req_post(req, ev);
@@ -145,14 +142,6 @@ static struct tevent_req *dns_process_send(TALLOC_CTX *mem_ctx,
 		NDR_PRINT_DEBUG(dns_name_packet, &state->in_packet);
 	}
 
-	ret = dns_verify_tsig(dns, state, &state->state, &state->in_packet, in);
-	if (!W_ERROR_IS_OK(ret)) {
-		DEBUG(0, ("Bailing out early!\n"));
-		state->dns_err = werr_to_dns_err(ret);
-		tevent_req_done(req);
-		return tevent_req_post(req, ev);
-	}
-
 	state->state.flags = state->in_packet.operation;
 	state->state.flags |= DNS_FLAG_REPLY;
 
@@ -226,18 +215,6 @@ static WERROR dns_process_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
 	}
 	state->out_packet.operation |= state->state.flags;
 
-	if (state->state.sign) {
-		DEBUG(0, ("Signing\n"));
-		ret = dns_sign_tsig(state->dns, mem_ctx, &state->state,
-				    &state->out_packet, 0);
-		if (!W_ERROR_IS_OK(ret)) {
-			state->dns_err = DNS_RCODE_SERVFAIL;
-			goto drop;
-		}
-	}
-
-	//NDR_PRINT_DEBUG(dns_name_packet, &state->out_packet);
-
 	ndr_err = ndr_push_struct_blob(
 		out, mem_ctx, &state->out_packet,
 		(ndr_push_flags_fn_t)ndr_push_dns_name_packet);
diff --git a/source4/dns_server/dns_server.h b/source4/dns_server/dns_server.h
index ef85730ff83..42ae0ba660c 100644
--- a/source4/dns_server/dns_server.h
+++ b/source4/dns_server/dns_server.h
@@ -36,7 +36,6 @@ struct dns_server_zone {
 struct dns_server_tkey {
 	const char *name;
 	enum dns_tkey_mode mode;
-	const char *algorithm;
 	struct auth_session_info *session_info;
 	struct gensec_security *gensec;
 	bool complete;
@@ -60,11 +59,6 @@ struct dns_server {
 
 struct dns_request_state {
 	uint16_t flags;
-	bool authenticated;
-	bool sign;
-	char *key_name;
-	struct dns_res_rec *tsig;
-	uint16_t tsig_error;
 };
 
 struct tevent_req *dns_server_process_query_send(
@@ -107,18 +101,6 @@ WERROR dns_name2dn(struct dns_server *dns,
 		   TALLOC_CTX *mem_ctx,
 		   const char *name,
 		   struct ldb_dn **_dn);
-struct dns_server_tkey *dns_find_tkey(struct dns_server_tkey_store *store,
-				      const char *name);
-WERROR dns_verify_tsig(struct dns_server *dns,
-		       TALLOC_CTX *mem_ctx,
-		       struct dns_request_state *state,
-		       struct dns_name_packet *packet,
-		       DATA_BLOB *in);
-WERROR dns_sign_tsig(struct dns_server *dns,
-		     TALLOC_CTX *mem_ctx,
-		     struct dns_request_state *state,
-		     struct dns_name_packet *packet,
-		     uint16_t error);
 
 #define DNS_ERR(err_str) WERR_DNS_ERROR_RCODE_##err_str
 #endif /* __DNS_SERVER_H__ */
diff --git a/source4/dns_server/dns_update.c b/source4/dns_server/dns_update.c
index 61850a10564..e7514acace0 100644
--- a/source4/dns_server/dns_update.c
+++ b/source4/dns_server/dns_update.c
@@ -734,15 +734,10 @@ WERROR dns_server_process_update(struct dns_server *dns,
 	/* TODO: Check if update is allowed, we probably want "always",
 	 * key-based GSSAPI, key-based bind-style TSIG and "never" as
 	 * smb.conf options. */
-	if (lpcfg_allow_dns_updates(dns->task->lp_ctx) == DNS_UPDATE_OFF) {
+	if (lpcfg_allow_dns_updates(dns->task->lp_ctx) != DNS_UPDATE_ON) {
 		DEBUG(0, ("Update not allowed.\n"));
 		return DNS_ERR(REFUSED);
 	}
-	if (lpcfg_allow_dns_updates(dns->task->lp_ctx) == DNS_UPDATE_SIGNED &&
-	    state->authenticated == false ) {
-		DEBUG(0, ("Update not allowed for unsigned packet.\n"));
-		return DNS_ERR(REFUSED);
-	}
 
 	*update_count = in->nscount;
 	*updates = in->nsrecs;
diff --git a/source4/dns_server/dns_utils.c b/source4/dns_server/dns_utils.c
index 11ded682048..7d95bdd1518 100644
--- a/source4/dns_server/dns_utils.c
+++ b/source4/dns_server/dns_utils.c
@@ -54,8 +54,6 @@ uint8_t werr_to_dns_err(WERROR werr)
 		return DNS_RCODE_NOTAUTH;
 	} else if (W_ERROR_EQUAL(DNS_ERR(NOTZONE), werr)) {
 		return DNS_RCODE_NOTZONE;
-	} else if (W_ERROR_EQUAL(DNS_ERR(BADKEY), werr)) {
-		return DNS_RCODE_BADKEY;
 	}
 	DEBUG(5, ("No mapping exists for %s\n", win_errstr(werr)));
 	return DNS_RCODE_SERVFAIL;
diff --git a/source4/dns_server/wscript_build b/source4/dns_server/wscript_build
index 6989f2567b5..8cb23ee938e 100644
--- a/source4/dns_server/wscript_build
+++ b/source4/dns_server/wscript_build
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 bld.SAMBA_MODULE('service_dns',
-        source='dns_server.c dns_query.c dns_update.c dns_utils.c dns_crypto.c',
+        source='dns_server.c dns_query.c dns_update.c dns_utils.c',
         subsystem='service',
         init_function='server_service_dns_init',
         deps='samba-hostconfig LIBTSOCKET LIBSAMBA_TSOCKET ldbsamba clidns gensec auth',
-- 
2.11.4.GIT