running w/ win2k as master and bind8 as slave (was win2k's dns)

David R. Conrad David_Conrad at isc.org
Thu Sep 2 04:37:37 UTC 1999


Hi,

> Assuming that W2K chooses not to implement DNSSEC
> style secure DDNS, will BIND include support for GSS-TSIG in any future
> revision or version (of BIND)?

The question probably isn't so much whether some future version of BIND
will support GSS-TSIG -- the DNS side of GSS-TSIG is relatively
straightforward.  The question is whether or not non-Microsoft implementations
of GSS-TSIG will be able to interoperate with Microsoft's.  The problem
is that for GSS-TSIG implementations to interoperate, you must use the
same GSS-API "security context".  At this point in time, extremely
GSS-API knowledgeable people have indicated that Microsoft is using
undocumented proprietary extensions (which are permissible in the
protocol) to implement their GSS-API.  If this is true, it would be
impossible for BIND (or any other non-Microsoft nameserver) to
interoperate regardless of whether the particular nameserver implemented
GSS-TSIG as documented in draft-skwan-gss-tsig-04.txt.  

However, we are still researching the issue and have offered on several
occasions to work with Microsoft to ensure BIND interoperates with their
nameserver (although they have not actually responded to the offers). 
Obviously, if it is at all possible, we would very much like to include
the ability to interoperate with Microsoft's nameserver securely despite
the fact that they have chosen not to implement DNSSEC.

Regards,
-drc

