use nsupdate to secure update windows DNS

Dave Clark bind-users at dollardns.net
Sat Dec 3 15:51:25 UTC 2005


> I am interested to see why nsupdate won't work with "secure update" with
> M$'s server. Is that because it used M$ proprietary authentication method
> prevent the open source implementation or just nobody wants this feature or
> without M$ support nobody will be able to do it?

BIND/nsupdate supports what is called TSIG authentication for dynamic
update.  Microsoft uses what is called GSS-TSIG authentication for dynamic
update.  Microsoft's implementation does have something to do with LDAP.
There are very few dynamic update clients out there, including nsupdate and
ipupdate @ sourceforge.net.  And none that I know of support GSS-TSIG.
I hear unverified rumors that ISC plans on supporting GSS-TSIG someday.  I'm
the author of ipupdate, and hope to support GSS-TSIG someday.  I searched
around just now, and I believe I found the RFC for GSS-TSIG linked below
FYI.

http://www.ietf.org/rfc/rfc3645.txt

I'm not sure if Microsoft's implementation is completely compatible with the
RFC though.

Dave

----- Original Message ----- 
From: "Jacky Sun" <wyqjnm at gmail.com>
To: <bind-users at isc.org>
Sent: Saturday, December 03, 2005 4:38 AM
Subject: Re: use nsupdate to secure update windows DNS


> On 12/3/05, Kevin Darcy <kcd at daimlerchrysler.com> wrote:
> > >Does anyone know any linux client that can "secure updates" a
> > >AD-integrated windows DNS server?
> > >
> > Well, what exactly are you trying to accomplish here?
>
>
> I just simply want to register my arm-based linux device's IP address into
> the windows DNS server. I can do this now using nsupdate when the windows
> DNS server's  "allow dynamic update" setting set to yes.  But when it set to
> "only secure updates", nsupdate won't work.
>
> > Lucent's QIP
> > product has the ability to perform Secure Dynamic Updates in the
> > Microsoft flavor, and it runs on Linux, but it wouldn't really be
> > cost-effective, I don't think, to e.g. run  separate instances of QIP on
> > dozens of Linux workstations just so they can register their dynamic IPs
> > in an AD domain.
>
>
> I agree, and I am also not sure if it will support ARM cpu and how big is the
> binary, I am very tight on space.
>
> > If you're just looking to push some arbitrary
> > information securely into an AD-integrated DNS domain, you might be
> > better off looking at the (Kerberized) LDAP side of things, since (as I
> > understand it, at least) that's the backend information store for AD
> > anyway, with DNS just being "published" from that LDAP data.
>
>
> It seems that is a new area to explore, would you give more specific
> information, for example the project name for the Kerberized LDAP client?
>
> I am interested to see why nsupdate won't work with "secure update" with
> M$'s server. Is that because it used M$ proprietary authentication method
> prevent the open source implementation or just nobody wants this feature or
> without M$ support nobody will be able to do it?
>
> Thanks for your reply.
>
> --
> Jack
>
>
>
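Dave's reply above contrasts the TSIG authentication nsupdate uses with Microsoft's GSS-TSIG. The following added example (not code from the thread, nsupdate or BIND) shows in Python what the TSIG step of a dynamic update consists of: an RFC 2136 UPDATE message is built, the HMAC is computed over the unsigned message plus the TSIG variables, and the TSIG RR is appended to the additional section; a server-side check recomputes the MAC and enforces the fudge window. The zone, host name, key name, secret and timestamp are constructed sample values, and the hmac-sha256 algorithm name (RFC 4635) is assumed alongside the original hmac-md5 one.

```python
# TSIG (RFC 2845) signing of a DNS UPDATE, the mechanism nsupdate uses. Added example, constructed values.
import hashlib, hmac, struct

# Registered TSIG algorithm names: RFC 2845 (hmac-md5) and RFC 4635 (hmac-sha256).
ALGOS = {"hmac-md5.sig-alg.reg.int": hashlib.md5, "hmac-sha256": hashlib.sha256}

def wire_name(name: str) -> bytes:
    """Uncompressed wire-format name (RFC 1035 3.1), lowercased as TSIG's canonical form requires."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_update(zone: str, host: str, ip: str, msg_id: int = 0x1234) -> bytes:
    """Unsigned DNS UPDATE (RFC 2136) adding one A record for host in zone."""
    # ID, flags (opcode 5 = UPDATE), ZOCOUNT=1, PRCOUNT=0, UPCOUNT=1, ADCOUNT=0
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)
    zone_sec = wire_name(zone) + struct.pack("!HH", 6, 1)  # TYPE SOA, CLASS IN
    rdata = bytes(int(o) for o in ip.split("."))
    rr = wire_name(host) + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata  # A, IN, TTL, RDLEN
    return header + zone_sec + rr

def tsig_mac(msg: bytes, keyname: str, algo: str, secret: bytes, time_signed: int, fudge: int) -> bytes:
    """HMAC over the *unsigned* message followed by the TSIG variables (RFC 2845 3.4.2)."""
    variables = (wire_name(keyname) + struct.pack("!HI", 255, 0)  # CLASS ANY, TTL 0
                 + wire_name(algo)
                 + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                               fudge, 0, 0))  # 48-bit time signed, fudge, error, other-len
    digest = ALGOS[algo.lower().rstrip(".")]
    return hmac.new(secret, msg + variables, digest).digest()

def sign_update(msg: bytes, keyname: str, algo: str, secret: bytes, time_signed: int, fudge: int = 300) -> bytes:
    """Client side: append the TSIG RR to the additional section and bump ADCOUNT by one."""
    mac = tsig_mac(msg, keyname, algo, secret, time_signed, fudge)
    rdata = (wire_name(algo)
             + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
             + struct.pack("!H", len(mac)) + mac
             + msg[:2] + struct.pack("!HH", 0, 0))  # original ID, error, other-len
    tsig_rr = wire_name(keyname) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata  # TYPE TSIG, CLASS ANY
    adcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", adcount) + msg[12:] + tsig_rr

def verify_mac(msg: bytes, keyname: str, algo: str, secret: bytes, time_signed: int,
               fudge: int, received_mac: bytes, now: int) -> bool:
    """Server side (RFC 2845 4.5): recompute over the message with the TSIG RR removed and ADCOUNT restored."""
    expected = tsig_mac(msg, keyname, algo, secret, time_signed, fudge)
    return hmac.compare_digest(expected, received_mac) and abs(now - time_signed) <= fudge
```

Because the key name and algorithm are hashed in canonical (lowercase) form, a verifier that spells them in a different case still reaches the same MAC, while a different secret or a timestamp outside the fudge window fails.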
