Secure Dynamic Update with TSIG on Windows clients?

Ralf Durkee rd at
Tue Jun 20 01:29:35 UTC 2006

Steven Brown wrote:
> Ralf Durkee wrote:
>> The recommended solution is to use a TSIG compliant DHCP server on a 
>> Unix/Linux system and have the DHCP server send TSIG signed updates.
> The problem is I'm doing this for roaming clients so I don't always have
> control over what DHCP server provides the address.
You may be stuck since MS signature's not TSIG compatible. It sounds 
like you want to allow dynamic updates to your DNS from sources that you 
don't control, and allow them to updating names to IP addresses of their 
choice.  Sounds like things would be pretty open to allow unwanted 
updates.  You might want to think this through, even if the TSIG 
signature worked, you'd be trusting a lot. At best the validity of the 
updates would be as trustworthy as your least secure laptop, in reality 
I think the value of the names would be even less, since they couldn't 
be trusted to be used for logging or host resolution. 

-- Ralf Durkee, CISSP, GSEC, GCIH
Principal Security Consultant

More information about the bind-users mailing list