Secure Dynamic Update with TSIG on Windows clients?

Ralf Durkee rd at
Mon Jun 19 20:19:05 UTC 2006

The recommended solution is to use a TSIG-compliant DHCP server on a 
Unix/Linux system and have the DHCP server send TSIG-signed updates. also provides an open source DHCP server.  :-) You also should 
limit the updates to a specific sub-domain, so that the ACLs and 
directory permissions can be minimal. There are some security 
configuration recommendations for signed updates in the Center for 
Internet Security BIND 9 benchmark.  See  for 
details.  (I was the editor for the benchmark.)

-- Ralf Durkee, CISSP, GSEC, GCIH
Principal Security Consultant

Steven Brown wrote:
> It seems Secure Dynamic Update on Windows clients violates the standard 
> in such a way that the only server that can be used is Microsoft's (gee, 
> what a surprise).  However, I want to do it anyway.  What's the best way 
> to do this, ideally with only Open Source software?  I could script up 
> something to run a win32 build of nsupdate periodically but that seems 
> rather hacky and a pain to maintain.
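
The setup recommended in the reply above, sketched as configuration; this is an added example and not part of the original thread or of the CIS benchmark. It assumes BIND 9 and ISC DHCP on the same host, and the zone name `dyn.example.com`, the key name `dhcp-update`, the file paths and the secret are all placeholders.

```conf
# ---- named.conf (BIND 9) ----
# Shared TSIG key; the same name, algorithm and secret go into dhcpd.conf.
key "dhcp-update" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   # placeholder, generate your own
};

# Static parent zone: no dynamic updates, zone file not writable by named.
zone "example.com" {
    type master;
    file "master/example.com.db";
};

# Delegated sub-domain that takes the DHCP updates. Only the dynamic/
# directory has to be writable by the named user (zone file and .jnl journal).
zone "dyn.example.com" {
    type master;
    file "dynamic/dyn.example.com.db";

    # Broad form: any holder of the key may change any record in the zone.
    # allow-update { key "dhcp-update"; };

    # Narrower form: the key may only touch address and DHCP ownership
    # records at or below dyn.example.com.
    update-policy {
        grant dhcp-update subdomain dyn.example.com. A AAAA TXT DHCID;
    };
};

# ---- dhcpd.conf (ISC DHCP) ----
ddns-update-style standard;                # "interim" on older dhcpd releases
ddns-domainname "dyn.example.com.";

key dhcp-update {
    algorithm hmac-sha256;
    secret REPLACE_WITH_BASE64_SECRET;     # same placeholder secret as above
};

# Send signed updates for this zone to the primary name server.
zone dyn.example.com. {
    primary 127.0.0.1;                     # assumes named runs on the same host
    key dhcp-update;
}
```

Both files hold the secret in clear text, so each should be readable only by the account its daemon runs as.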
