Secure Dynamic Update with TSIG on Windows clients?

Steven Brown swbrown at
Tue Jun 20 07:04:54 UTC 2006

Ralf Durkee wrote:

> You may be stuck since MS signature's not TSIG compatible.

Getting Windows itself to do it is a lost cause, of course.
I can do it via scripting a call to a win32 build of nsupdate and
wrapping it as a service, but was hoping someone already had built an
equivalent solution that wouldn't be as hacky.

> It sounds like you want to allow dynamic updates to your DNS from
> sources that you don't control, and allow them to updating names to
> IP addresses of their choice.  Sounds like things would be pretty
> open to allow unwanted updates.  You might want to think this
> through, even if the TSIG signature worked, you'd be trusting a lot.

I'm setting it up so that there is a key per subdomain in the dynamic 
zone so a given client has control over A and TXT records of their own 
personal subdomain but nothing else, so it's not open for abuse.  It 
works happily on Linux via dhclient's support for Secure Dynamic update 
(TSIG only).

More information about the bind-users mailing list