Win2000 and BIND GSS-TSIG Interoperability?

Scott Morizot tmorizot at
Wed Mar 1 14:13:46 UTC 2000


The following is a message from NTBugtraq in response to
an inquiry about Microsoft's support (or lack thereof)
for DNSSEC.  I found the reply from an individual at
Microsoft interesting.  I recall past discussions
on this list where some at the ISC had indicated that
Microsoft had released insufficient details about
their GSS extensions to TSIG to allow interoperability
for secure dynamic updates to be built into BIND.
And further, that Microsoft had not responded to
inquiries by the ISC on the topic.  That's certainly
different from the spin in the reply below.

I was wondering if Microsoft actually is releasing
sufficient detail for interoperability to be added
to BIND or if it's just more smoke and mirrors?



 Date:         Mon, 28 Feb 2000 19:03:48 -0800
 Reply-To:     Stuart Kwan <skwan at EXCHANGE.MICROSOFT.COM>
 Sender:       Windows NTBugtraq Mailing List 
 From:         Stuart Kwan <skwan at EXCHANGE.MICROSOFT.COM>
 Subject:      Re: w2000 DNSSEC compliance?
 Content-Type: text/plain

Hi Dan,  

When RFC 2137 "Secure Domain Name System Dynamic Update" was written, it was 
based on the then-current DNSSEC spec, RFC 2065 "Domain Name Security 
Extensions".  RFC 2535, a re-write of DNSSEC based on implementation and 
deployment experience, obsoletes RFC 2065.  A side-effect of the deprecation 
of RFC 2065 is the invalidation of RFC 2137.  RFC 2137 is not safe for 

Upshot:  there is no IETF standard for DNS secure dynamic update.  

Two years ago we had to make a call on whether or not we should implement 
DNSSEC (RFC 2065) in Windows 2000.  DNSSEC - which is a public key 
infrastructure unto itself - is very complex.  In our judgment, at the time, 
it was not ready for implementation and deployment.  It followed that RFC 
2137 was also not ready for implementation and deployment.  

Still, we needed a solution for secure dynamic update.  As it happened, the 
DNSIND working group in the IETF had already recognized that DNSSEC was not 
appropriate in all situations, and that there was a demand for a lightweight 
(shared secret) alternative.  Two complementary Internet-Drafts were 
published to satisfy this requirement: "Secret Key Transaction Authentication 
for DNS (TSIG)", and "Secret Key Establishment for DNS (TKEY RR)".  

TSIG and TKEY alone do not solve the key distribution problem inherent in any 
secret key system.  However, both mechanisms allow for extension, which 
permitted us to publish a third complementary draft, "GSS Algorithm for TSIG 
(GSS-TSIG)".  The GSS-API mechanism enables us to use integrated Windows 
security to solve the key distribution problem, and ensure our customers will 
have no additional key management burden associated with secure update.  

The GSS-TSIG draft has been available since November of 1997.  Microsoft 
would be happy to assist any vendors who wish to develop an independent, 
interoperable implementation.  We have already demonstrated GSS-API/Kerberos 
interoperability between Windows 2000 and other GSS/Kerberos implementations 
(see below for more information).  

The DNSEXT working group (a consolidation of the DNSIND and DNSSEC working 
groups) is currently working on an Internet-Draft to replace RFC 2137.  This 
draft, called "Simple Secure Domain Name System (DNS) Dynamic Update", 
separates the authentication of an update from the later DNSSEC 
authentication of the data.  The draft acknowledges the TSIG/TKEY method as a 
way to authenticate updates.  When TSIG, TKEY, GSS-TSIG, and Simple Secure 
Dynamic Update reach standard status, there will be an IETF standard for DNS 
secure dynamic update.  

Microsoft is continuing to evaluate the viability of and demand for 
DNSSEC/public key-based security for DNS.  

- Stuart

 From: Dan Stromberg [mailto:strombrg at NIS.ACS.UCI.EDU]
 Sent: Thursday, February 24, 2000 10:55 AM
 Subject: w2000 DNSSEC compliance?

 It appears that Windows 2000 requires DDNS for active directory.  This
 is not an entirely unreasonable thing.

 It appears that DDNS is not secure without either RFC 2137 (DNSSEC for
 DDNS:, or microsoft's
 now-proprietary version of DNSSEC which was based on a now-orphaned IETF
 draft.  This is not good.

 Naturally, Microsoft, as with any other vendor, should be expected to
 implement the RFC.  This is what interoperability and good faith are all
 about in the computer industry.  This has obvious security implications
 - if you can't interoperate with the products of other vendors without
 weakening security because of microsoft's race to get w2000 to market
 (or cavalier attitude toward interoperability?), that's a big problem.
 It is in microsoft's power to fix this.

 Anyway, has anyone heard any rumors as to Microsoft's plans for
 implementing RFC 2137 properly?

 For more information, see
 This looks like a pretty good paper on the subject, but the paper fails
 to acknowledge that one option is to simply not use active directory
 until microsoft fully implements RFC 2137.


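The thread above argues about TSIG/TKEY/GSS-TSIG without showing what a TSIG-authenticated update actually looks like. The following is an added example, not code from any poster on this thread or from Microsoft or the ISC: it builds a DNS UPDATE message, signs it with a shared-secret TSIG record in the RFC 2845 wire layout, then verifies it and shows the BADSIG and BADTIME failure modes a server would report for a tampered, wrongly keyed or replayed message. GSS-TSIG changes how the key is established (a TKEY exchange carrying GSS-API/Kerberos tokens) and who computes the MAC (the GSS context), not the message-and-variables layout shown here. Everything concrete in the block is an assumption made for illustration: the key name, the secret, the zone and host names, the 192.0.2.10 address, the fixed timestamp, and the use of hmac-sha256, which postdates the 2000-era drafts (HMAC-MD5 was the only algorithm then; both are supported).

```python
# Added stand-alone TSIG example (RFC 2845 wire format); the names, secret and records below are constructed.
import hashlib
import hmac
import struct

# HMAC-MD5 was the only algorithm in the 2000-era drafts; hmac-sha256 came later (RFC 4635).
TSIG_ALGORITHMS = {"hmac-md5.sig-alg.reg.int.": hashlib.md5, "hmac-sha256.": hashlib.sha256}
TYPE_A, TYPE_SOA, TYPE_TSIG, CLASS_IN, CLASS_ANY = 1, 6, 250, 1, 255


def encode_name(name):
    """Uncompressed wire-format name, lowercased as the TSIG digest rules require."""
    labels = [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def read_name(msg, off):
    """Decode an uncompressed name at `off` (this example never emits compression pointers)."""
    labels = []
    while msg[off] != 0:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    return ".".join(labels) + ".", off + 1


def build_update(msg_id, zone, owner, ipv4, ttl=300):
    """Minimal UPDATE (opcode 5): zone section plus one 'add A record' in the update section."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)  # ZOCOUNT=1, UPCOUNT=1
    rdata = bytes(int(o) for o in ipv4.split("."))
    return (header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
            + encode_name(owner) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata)


def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """The 'TSIG variables' that RFC 2845 appends to the message before hashing."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(algorithm)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)


def compute_mac(secret, algorithm, message, variables):
    return hmac.new(secret, message + variables, TSIG_ALGORITHMS[algorithm]).digest()


def sign_message(message, key_name, secret, algorithm, time_signed, fudge=300):
    """Append a TSIG RR whose MAC covers the whole message plus the TSIG variables."""
    mac = compute_mac(secret, algorithm, message, tsig_variables(key_name, algorithm, time_signed, fudge))
    rdata = (encode_name(algorithm) + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + message[0:2] + struct.pack("!HHH", 0, 0, 0))  # original ID, error, other-len
    tsig_rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1  # the TSIG RR is counted in ARCOUNT
    return message[:10] + struct.pack("!H", arcount) + message[12:] + tsig_rr


def verify_message(signed, secrets, now):
    """Validate the trailing TSIG RR. `secrets` maps key name -> secret. Returns (ok, reason)."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    if ar == 0:
        return False, "no TSIG record"
    off = 12
    for _ in range(qd):
        off = read_name(signed, off)[1] + 4
    for _ in range(an + ns + ar):  # walk every RR; the TSIG must be the last one
        tsig_off, off = off, read_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    key_name, p = read_name(signed, tsig_off)
    if struct.unpack("!HH", signed[p:p + 4]) != (TYPE_TSIG, CLASS_ANY):
        return False, "last RR is not TSIG (FORMERR)"
    algorithm, p = read_name(signed, p + 10)
    if algorithm not in TSIG_ALGORITHMS or key_name not in secrets:
        return False, "unknown key or algorithm (BADKEY)"
    time_signed = int.from_bytes(signed[p:p + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[p + 6:p + 10])
    mac, q = signed[p + 10:p + 10 + mac_size], p + 10 + mac_size
    original_id, (error, other_len) = signed[q:q + 2], struct.unpack("!HH", signed[q + 2:q + 6])
    # Rebuild the message as it was signed: TSIG stripped, ARCOUNT decremented, original ID restored.
    unsigned = original_id + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:tsig_off]
    expected = compute_mac(secrets[key_name], algorithm, unsigned, tsig_variables(
        key_name, algorithm, time_signed, fudge, error, signed[q + 6:q + 6 + other_len]))
    if not hmac.compare_digest(mac, expected):
        return False, "MAC mismatch (BADSIG)"
    if abs(now - time_signed) > fudge:
        return False, "outside fudge window (BADTIME)"
    return True, "ok"


def demo():
    """Sign a constructed update; report what the verifier says for tampering, a wrong key and replay."""
    key_name, secret, alg = "host1-key.example.com.", b"constructed-shared-secret", "hmac-sha256."
    t = 951_840_000  # fixed clock (February 2000) so the example is reproducible
    update = build_update(0x1234, "example.com.", "host1.example.com.", "192.0.2.10")
    signed = sign_message(update, key_name, secret, alg, t)
    n = len(update)  # the A record's last rdata byte sits right before the TSIG RR
    tampered = signed[:n - 1] + bytes([signed[n - 1] ^ 0x01]) + signed[n:]
    return {
        "valid": verify_message(signed, {key_name: secret}, t + 10),
        "tampered": verify_message(tampered, {key_name: secret}, t + 10),
        "wrong_key": verify_message(signed, {key_name: b"not-the-secret"}, t + 10),
        "replayed": verify_message(signed, {key_name: secret}, t + 3600),
    }
```

Calling demo() returns (True, "ok") for the untouched message and a BADSIG reason for both the flipped address byte and the wrong secret, because the MAC covers the entire update plus the key name, algorithm and timestamp; the replayed case passes the MAC check and then fails on the fudge window, which is the only replay protection plain TSIG offers. The verifier restores the original message ID from the TSIG RDATA before recomputing the MAC, as RFC 2845 requires, so a forwarder that rewrites the ID does not break the signature.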