Win2000 and BIND GSS-TSIG Interoperability?

David R. Conrad David.Conrad at
Sun Mar 5 09:22:50 UTC 2000


Sorry for the slow reply, I'm on travel right now.

> I recall past discussions
> on this list where some at the ISC had indicated that
> Microsoft had released insufficient details about
> their GSS extensions to TSIG to allow interoperability
> for secure dynamic updates to be built into BIND.

We have been unable to determine whether or not it is possible to implement
Microsoft's GSS-TSIG DNS extension that does not require the use of
Microsoft's version of Kerberos to be a "first class citizen" in Microsoft's
DNS architecture.  From the numerous press reports (e.g.,, it doesn't look
too good.

> And further, that Microsoft had not responded to
> inquiries by the ISC on the topic.  

On May 10, 1999, Stuart sent a note to bind-workers at saying "Microsoft
may be willing
to assist in some capacity".  I responded to that note saying I would be
interested in discussing how we could work together.  I do not believe there
was any response (that is, I don't have any record of a response, but it was a
while back and I might have deleted it).  At the Orlando IETF (while Stuart
was kicking my butt in the video games there :-)), we discussed it briefly and
due to miscommunication, I gather Stuart thought we wanted them to pay a very
large amount of money to do the implementation (what I was actually asking for
was for Microsoft to join with other organizations to form a consortium to
sponsor ISC in developing a DNS protocol test suite).  On November 5, 1999
Stuart sent me a note as a result of an article published in "Directions on
Microsoft" discussing the question of securing DNS updates.  In the ensuing
discussion, I asked Stuart the following questions:

 a) Will Microsoft implement TSIG HMAC-MD5 in Windows 2000?
 b) Will Microsoft implement DNSSEC in Windows 2000?
 c) Will Microsoft implement either Secure Update or Simple Secure Update in
    Windows 2000?

which were never answered (I'd note in passing that HMAC-MD5 is the
_mandatory_ TSIG algorithm).  I also stated the following:

    My interest is primarily in seeing that people are able to use dynamic 
    update securely.  GSS-TSIG like TSIG HMAC-MD5 and DNSSEC/{simple,}secure 
    update are merely tools to that end and I would like to see them all 
    (well, maybe not 2137 :-)) implemented as they all have advantages and 
    disadvantages.  I will reiterate the message I sent to you previously:

        Subject: Re: GSS TSIG in BIND?
        Date: Mon, 10 May 1999 12:45:51 -0700
        From: "David R. Conrad" <drc at>
        Organization: Internet Software Consortium
        To: Stuart Kwan <skwan at>


        > If anyone is interested in adding GSS-TSIG to BIND, Microsoft 
        > may be willing to assist in some capacity.  

        I would be happy to discuss this in more detail if you'd like 
        to get the GSS-TSIG into mainline BIND (v9) code...


    The offer is still open.

In subsequent mail, I offered to go up to Redmond (at my expense) to discuss
how ISC and Microsoft could work together.  Stuart indicated that wouldn't be
necessary and that if we couldn't resolve the issue via e-mail or conference
call that they'd fly me up to Redmond.  I responded that would be fine, but
subsequently there was no communication.

> I was wondering if Microsoft actually is releasing
> sufficient detail for interoperability to be added
> to BIND or if it's just more smoke and mirrors?

It is unknown at this point in time as we have focused on implementing the DNS
related working group standards and drafts.  From what we can tell, the actual
implementation of GSS-TSIG itself shouldn't be that difficult provided you
have a GSS-API implementation lying around.  The big question is whether or
not the non-Microsoft implementations of GSS-API can interoperate with
Microsoft's Kerberos server in doing GSS-TSIG secured dynamic updates. 
ISC is _still_ interested in working with Microsoft and/or anyone else to get
an interoperable implementation of GSS-TSIG into BIND version 9.

Executive Director, ISC

P.S. Feel free to forward to NTBugtraq as I'm not on that list.

More information about the bind-users mailing list