Win2000 and BIND GSS-TSIG Interoperability?
tmorizot at ccsi.com
Wed Mar 1 14:13:46 UTC 2000
The following is a message from NTBugtraq in response to
an inquiry about Microsoft's support (or lack thereof)
for DNSSEC. I found the reply from an individual at
Microsoft interesting. I recall past discussions
on this list where some at the ISC had indicated that
Microsoft had released insufficient details about
their GSS extensions to TSIG to allow interoperability
for secure dynamic updates to be built into BIND.
And further, that Microsoft had not responded to
inquiries by the ISC on the topic. That's certainly
different from the spin in the reply below.
I was wondering if Microsoft actually is releasing
sufficient detail for interoperability to be added
to BIND or if it's just more smoke and mirrors?
---------- Forwarded message ----------------------------
Date: Mon, 28 Feb 2000 19:03:48 -0800
Reply-To: Stuart Kwan <skwan at EXCHANGE.MICROSOFT.COM>
Sender: Windows NTBugtraq Mailing List
<NTBUGTRAQ at LISTSERV.NTBUGTRAQ.COM>
From: Stuart Kwan <skwan at EXCHANGE.MICROSOFT.COM>
Subject: Re: w2000 DNSSEC compliance?
When RFC 2137 "Secure Domain Name System Dynamic Update" was written, it was
based on the then-current DNSSEC spec, RFC 2065 "Domain Name Security
Extensions". RFC 2535, a re-write of DNSSEC based on implementation and
deployment experience, obsoletes RFC 2065. A side-effect of the deprecation
of RFC 2065 is the invalidation of RFC 2137. RFC 2137 is not safe for
Upshot: there is no IETF standard for DNS secure dynamic update.
Two years ago we had to make a call on whether or not we should implement
DNSSEC (RFC 2065) in Windows 2000. DNSSEC - which is a public key
infrastructure unto itself - is very complex. In our judgment, at the time,
it was not ready for implementation and deployment. It followed that RFC
2137 was also not ready for implementation and deployment.
Still, we needed a solution for secure dynamic update. As it happened, the
DNSIND working group in the IETF had already recognized that DNSSEC was not
appropriate in all situations, and that there was a demand for a lightweight
(shared secret) alternative. Two complementary Internet-Drafts were
published to satisfy this requirement: "Secret Key Transaction Authentication
for DNS (TSIG)", and "Secret Key Establishment for DNS (TKEY RR)".
TSIG and TKEY alone do not solve the key distribution problem inherent in any
secret key system. However, both mechanisms allow for extension, which
permitted us to publish a third complementary draft, "GSS Algorithm for TSIG
(GSS-TSIG)". The GSS-API mechanism enables us to use integrated Windows
security to solve the key distribution problem, and ensure our customers will
have no additional key management burden associated with secure update.
The GSS-TSIG draft has been available since November of 1997. Microsoft
would be happy to assist any vendors who wish to develop an independent,
interoperable implementation. We have already demonstrated GSS-API/Kerberos
interoperability between Windows 2000 and other GSS/Kerberos implementations
(see below for more information).
The DNSEXT working group (a consolidation of the DNSIND and DNSSEC working
groups) is currently working on an Internet-Draft to replace RFC 2137. This
draft, called "Simple Secure Domain Name System (DNS) Dynamic Update",
separates the authentication of an update from the later DNSSEC
authentication of the data. The draft acknowledges the TSIG/TKEY method as a
way to authenticate updates. When TSIG, TKEY, GSS-TSIG, and Simple Secure
Dynamic Update reach standard status, there will be an IETF standard for DNS
secure dynamic update.
Microsoft is continuing to evaluate the viability of and demand for
DNSSEC/public key-based security for DNS.
The DNSEXT working group home page:
RFC 2065: http://www.ietf.org/rfc/rfc2065.txt?number=2065
RFC 2137: http://www.ietf.org/rfc/rfc2065.txt?number=2137
RFC 2535: http://www.ietf.org/rfc/rfc2065.txt?number=2535
"Secret Key Transaction Authentication for DNS (TSIG)":
"Secret Key Establishment for DNS (TKEY RR)":
"GSS Algorithm for TSIG (GSS-TSIG)":
White paper on Kerberos interoperability:
Press release on Kerberos interoperability:
"Simple Secure Domain Name System (DNS) Dynamic Update":
From: Dan Stromberg [mailto:strombrg at NIS.ACS.UCI.EDU]
Sent: Thursday, February 24, 2000 10:55 AM
To: NTBUGTRAQ at LISTSERV.NTBUGTRAQ.COM
Subject: w2000 DNSSEC compliance?
It appears that Windows 2000 requires DDNS for active directory. This
is not an entirely unreasonable thing.
It appears that DDNS is not secure without either RFC 2137 (DNSSEC for
DDNS: http://www.isi.edu/in-notes/rfc2137.txt), or microsoft's
now-proprietary version of DNSSEC which was based on a now-orphaned IETF
draft. This is not good.
Naturally, Microsoft, as with any other vendor, should be expected to
implement the RFC. This is what interoperability and good faith are all
about in the computer industry. This has obvious security implications
- if you can't interoperate with the products of other vendors without
weakening security because of microsoft's race to get w2000 to market
(or cavalier attitude toward interoperability?), that's a big problem.
It is in microsoft's power to fix this.
Anyway, has anyone heard any rumors as to Microsoft's plans for
implementing RFC 2137 properly?
For more information, see
This looks like a pretty good paper on the subject, but the paper fails
to acknowledge that one option is to simply not use active directory
until microsoft fully implements RFC 2137.
More information about the bind-users