Secure Dynamic Update with TSIG on Windows clients?

Barry Finkel b19141 at
Tue Jun 20 13:07:44 UTC 2006

Steven Brown <swbrown at> wrote:

>It seems Secure Dynamic Update on Windows clients violates the standard 
>in such a way that the only server that can be used is Microsoft's (gee, 
>what a surprise).  However, I want to do it anyway.  What's the best way 
>to do this, ideally with only Open Source software?  I could script up 
>something to run a win32 build of nsupdate periodically but that seems 
>rather hacky and a pain to maintain.

I have not looked at the standards documents in this area.  I was not
aware that the MS implementation was in violation of the standards,
and I do not know what is in violation of the standards.
I know that the only current implementation is a MS implementation.
What has been mentioned on this list in the past (check the archives):

1) The MS GSS-TSIG algorithm is not yet implemented in BIND.
2) The original MS Draft RFC contained an algorithm that did not match
   the MS code.
3) MS has released a document that explains their code.
4) That algorithm is planned (?) for a future release of BIND.
   No timetable has been released, as far as I remember.

In my configuration I have one forward zone and five reverse zones,
all under the control of a MS DHCP Server; the zones are mastered on
a MS W2003 DNS Server and slaved on BIND servers.  These zones are
AD-integrated with secure DDNS only.

Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at
Argonne, IL   60439-4828             IBMMAIL:  I1004994
