Win2k DNS/DHCP

Kevin Darcy kcd at daimlerchrysler.com
Thu Oct 5 22:02:03 UTC 2000


As far as I know, Win2K doesn't violate RFC 2136 (Dynamic Update). However,
their security mechanism, although related to TSIG (RFC 2845), is a
"GSS-API" flavor which is not standardized by any RFC (in all fairness,
I should probably mention, however, that there is an Internet Draft
specifying GSS-TSIG). The only TSIG BIND supports is the RFC version, so
Win2K Secure Dynamic Update and BIND Secure Dynamic Update are currently
incompatible.

In practical terms, this incompatibility means:

1) If you care a lot about security, you may end up having to run at least
part of your DNS infrastructure on MS-DNS servers, since those are the only
ones which have a strongly-authenticated security mechanism compatible with
the Win2K clients.

2) It may not be very easy to mix MS-DNS and BIND in the same
infrastructure unless you're willing to move the maintenance of at least
some non-Win2K nodes to MS-DNS and/or to reorganize your namespace around
the split, e.g. have a win2k.foo.com subdomain for all of the Win2K stuff,
which you could delegate to MS-DNS servers. If you intend on maintaining
*reverse* records via Secure Dynamic Update, then a reorganization of this
scale would probably require that you segregate all of the Win2K clients
onto their own /24's, a luxury that most organizations cannot afford.

3) Given how unattractive those options are, many Win2K
implementors/integrators are opting to either disable client registration
completely, or to authenticate the client updates only *weakly*, i.e. by
source address. Note that even if client registration is disabled, the
domain controllers will still expect to be able to write their
*own* information (SRV records, primarily) into DNS via Dynamic Update.
This data can be maintained statically, if desired, but this is a pain,
since a single domain controller can have many DNS records associated with
it, and if the data ever changes, one would need to arrange for a way to
fetch it from the domain controller so that it can be applied to DNS.
Another option, of course, is to just move the entire DNS infrastructure to
MS-DNS...


- Kevin

Steve Koch wrote:

> Any objective opinions about Windows 2000 DNS/DHCP, specifically with
> respect to dynamic dns, security, and the overall adherence to
> standards?  Not looking to start a war over this, it's just that I never
> thought much of NT 4's implementation so I'm wondering if it's gotten
> any better w/ 2k.  Thanks.
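As an added illustration of the RFC 2845 TSIG mechanism Kevin describes as the only one BIND supports, here is a client signing an RFC 2136 UPDATE with a shared HMAC-MD5 key and a server verifying it, including the time-window check that limits replay. This is example code written for this archive page, not code from the post or from BIND; the key name, secret, zone and host names are constructed.

```python
import base64, hashlib, hmac, struct

# Constructed key material for this example, not a real deployment secret.
KEY_NAME = "ddns-key.example.com"
KEY_SECRET_B64 = base64.b64encode(b"example-shared-secret-16").decode()
ALG = "hmac-md5.sig-alg.reg.int"  # the mandatory RFC 2845 algorithm

def wire_name(name):
    """Canonical (lower-case, uncompressed) wire form of a domain name."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.lower().encode() for lb in labels) + b"\x00"

def build_update(zone, rrname, ip, msg_id):
    """RFC 2136 UPDATE message adding one A record (no authentication yet)."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)  # opcode 5 = UPDATE
    zone_sec = wire_name(zone) + struct.pack("!HH", 6, 1)          # zone: SOA, IN
    rr = wire_name(rrname) + struct.pack("!HHIH", 1, 1, 3600, 4)  # A, IN, TTL, RDLEN
    return header + zone_sec + rr + bytes(int(o) for o in ip.split("."))

def tsig_variables(time_signed, fudge):
    """TSIG fields covered by the MAC: name, class ANY, TTL 0, alg, time, fudge, error, other."""
    return (wire_name(KEY_NAME) + struct.pack("!HI", 255, 0) + wire_name(ALG)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, 0, 0))

def tsig_sign(msg, time_signed, fudge=300):
    """Append a TSIG RR; the HMAC covers the whole message plus the TSIG variables."""
    key = base64.b64decode(KEY_SECRET_B64)
    mac = hmac.new(key, msg + tsig_variables(time_signed, fudge), hashlib.md5).digest()
    rdata = (wire_name(ALG) + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
             + struct.pack("!H", len(mac)) + mac + msg[:2] + struct.pack("!HH", 0, 0))
    tsig_rr = wire_name(KEY_NAME) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1  # TSIG lives in the additional section
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + tsig_rr

def tsig_verify(signed, now):
    """Server side: locate the TSIG RR, enforce the time window, recompute and compare the MAC."""
    start = signed.rfind(wire_name(KEY_NAME) + struct.pack("!HHI", 250, 255, 0))
    if start < 0:
        return False  # unsigned: with TSIG required, the update is refused
    rdata = signed[start + len(wire_name(KEY_NAME)) + 10:]
    off = len(wire_name(ALG))
    t_hi, t_lo, fudge, mac_len = struct.unpack("!HIHH", rdata[off:off + 10])
    time_signed, mac = (t_hi << 32) | t_lo, rdata[off + 10:off + 10 + mac_len]
    if abs(now - time_signed) > fudge:
        return False  # outside the fudge window: stale or replayed
    msg = signed[:start]
    msg = msg[:10] + struct.pack("!H", struct.unpack("!H", msg[10:12])[0] - 1) + msg[12:]
    expected = hmac.new(base64.b64decode(KEY_SECRET_B64),
                        msg + tsig_variables(time_signed, fudge), hashlib.md5).digest()
    return hmac.compare_digest(mac, expected)
```

Contrast this with source-address checking: the MAC binds the update to possession of the key and to a time window, whereas an address can be spoofed or shared by many hosts on the same segment.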
