Win2k DDNS TKEY - Format Error

Barry Finkel b19141 at achilles.ctd.anl.gov
Mon May 22 13:01:09 UTC 2000


I wrote:
>> I am looking at a sniffer trace from a Windows 2000 Professional
>> (RTM release) machine talking to a BIND 8.2.2-P5 (Solaris 5.6).
>> The Windows 2000 box is sending a TKEY record to DNS, and BIND
>> is responding with response code 1 (Format Error).  Is this something
>> that BIND does not yet support?  I searched the archives for "tsig" or
>> "tkey", but I found no hits (even though I seem to remember this topic
>> being discussed previously).  Here is one of the TKEY packets being
>> sent by W2k to DNS; I have taken the sniffer printout and added my
>> decoding based on the document
>> 
>>      draft-ietf-dnsext-tkey-02.txt
>> 
>> but I cannot ensure that my decoding is 100% correct.

And Cricket replied:
>That's the beginning of a GSS-TSIG negotiation, which BIND does
>not support.  You should be able to disable secure dynamic update
>on the Microsoft client and have it send plain vanilla dynamic updates
>instead.

And now I reply:

1) The MS Win2k Professional machine is sending plain vanilla dynamic
   updates.  I cannot tell if it is sending the plain updates before
   or after the TKEY requests.  I will post a summary of my traces soon,
   after I have reviewed them.

2) The DRAFT tkey document above states in Section 2.5 "The Mode Field":

        A server supporting TKEY that receives a TKEY request
        with a mode it does not support returns the BADMODE
        error.

   It also states in Section 2.6 "The Error Field":

        Value  Description
        -----  -----------
          19   BADMODE

        When a TKEY Error Field is non-zero in response to a
        TKEY query, the DNS header RCODE indicates no error.
        However, it is possible if a TKEY is spontaneously
        included in a response the TKEY RR and DNS header 
        error field could have unrelated non-zero error codes.

   My question is this -- Is the "Format Error" (1) return code in the
   DNS header the proper return code for BIND to be setting?  The
   return packet has only a DNS header; all four zone counts are 0.
   So there is no Answer Zone where a TKEY error code would be placed.
----------------------------------------------------------------------
Barry S. Finkel
Electronics and Computing Technologies Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-9689
Building 221, Room B236              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4844             IBMMAIL:  I1004994
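
Added example, not part of the original message and not BIND code: a small Python decoder that separates the two cases discussed above when reading a trace, a header-only reply with RCODE 1 versus a reply whose header RCODE is 0 and whose TKEY RR carries error 19 (BADMODE). Both sample packets are constructed, and the TKEY RDATA field order (algorithm name, inception, expiration, mode, error) and type code 249 are taken from RFC 2930 on the assumption that the draft uses the same layout.

```python
import struct

TKEY_TYPE = 249                            # TKEY RR type code (RFC 2930)
RCODES = {0: "NOERROR", 1: "FORMERR"}
TKEY_ERRORS = {0: "none", 19: "BADMODE"}   # 19 is the value quoted from the draft

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def classify(msg):
    """Summarise header RCODE, section counts and any TKEY error field."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    result = {"rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
              "counts": (qd, an, ns, ar), "tkey_error": None}
    off = 12
    for _ in range(qd):                    # question: name, type, class
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):          # RR: name, type, class, ttl, rdlength, rdata
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TKEY_TYPE:
            p = skip_name(msg, off) + 8    # past algorithm name, inception, expiration
            _mode, error = struct.unpack("!HH", msg[p:p + 4])
            result["tkey_error"] = TKEY_ERRORS.get(error, str(error))
        off += rdlen
    return result

# Constructed sample 1: header-only reply, RCODE 1, all four counts 0 (as reported above).
HEADER_ONLY = struct.pack("!6H", 0x1234, 0x8001, 0, 0, 0, 0)

# Constructed sample 2: the shape the quoted draft text describes, header RCODE 0
# with a TKEY RR (mode 3, error 19, empty key and other data) in the answer section.
_name = b"\x04test\x00"
_rdata = b"\x03alg\x00" + struct.pack("!IIHHHH", 0, 0, 3, 19, 0, 0)
BADMODE_REPLY = (struct.pack("!6H", 0x1234, 0x8000, 1, 1, 0, 0)
                 + _name + struct.pack("!HH", TKEY_TYPE, 255)
                 + _name + struct.pack("!HHIH", TKEY_TYPE, 255, 0, len(_rdata)) + _rdata)
```
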
