SRV records in BIND?

Paul Vixie vixie at mibh.net
Thu Jun 17 21:13:51 UTC 1999


> The Windows 2000 Domain Controllers use standard (as described in RFC 2136)
> dynamic update messages for registration of SRV records.

Quoting RFC 2136:

8 - Security Considerations

   8.1. In the absence of [RFC2137] or equivalent technology, the
   protocol described by this document makes it possible for anyone who
   can reach an authoritative name server to alter the contents of any
   zones on that server.  This is a serious increase in vulnerability
   from the current technology.  Therefore it is very strongly
   recommended that the protocols described in this document not be used
   without [RFC2137] or other equivalently strong security measures,
   e.g. IPsec.

RFC2137 is in my opinion equivalently secure to Win2K's GSS-TSIG, but not
equivalently functional.  BWellington's simple-update proposal, which has
been implemented in BIND 8.2 and relies upon only the standard TSIG updates
(without TKEY or GSS) is equivalently secure *and* equivalently functional.

The difference is in the binding of identities to capabilities.

(The fact that Win2K's GSS-TSIG relies on a nonstandard certificate format
would also be an obstacle to its deployment among non-Microsoft servers.)

>                                                           In addition to
> this, they may use GSS-TSIG UPDATE algorithm to add RRs (not only SRV) to
> the DNS servers that also support GSS-TSIG UPDATE algorithm (e.g. Windows
> 2000 DNS server). I'd like to emphasize that in order to support SRV RRs
> dynamic registration initiated by Windows 2000 Domain Controllers, the DNS
> servers are NOT required to support GSS-TSIG.

And I'd like to emphasize that the IESG was only willing to let RFC2136 go
out after we predeprecated it by adding section 8.1 (quoted above).

> We have tested and confirmed that BIND 8.1.2. provides sufficient support
> for Windows 2000 Active Directory.

That's certainly good news.

> BTW: TSIG-GSS UPDATE method is documented in "GSS Algorithm for TSIG
> (GSS-TSIG)" Internet draft
> (http://search.ietf.org/internet-drafts/draft-skwan-gss-tsig-03.txt).

When the non-Kerberos-compatible certificate format has been as well published,
and when simple-update (TSIG without GSS for update security, with configurable
bindings between key ownership/identity and update capabilities) has been
implemented, and when ADS-style LDAP "multi-master DNS" has been published,
and when Microsoft has participated in interoperability testing of this
stuff...

...then I will quit complaining about this stuff.

> Thanks,
> Levon.

Sorry to shoot at the messenger,

Paul
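The three postures contrasted in the message above, shown as a named.conf fragment in the syntax BIND 9 accepts (an added illustration, not part of the original post): unauthenticated RFC 2136 update, TSIG-authenticated update, and simple-update style TSIG plus a policy binding the key's identity to what it may change. The zone name, key name, the `_tcp`/`_udp` subtrees and the record types granted are assumptions for illustration; the secret is a placeholder.

```conf
// Shared TSIG key; the updating host (e.g. a domain controller) holds the same secret.
key "dc1-update-key" {
    algorithm hmac-md5;
    secret "REPLACE-WITH-GENERATED-BASE64-SECRET";   // placeholder, not a real key
};

// Posture 1 (what RFC 2136 section 8.1 warns about): no authentication at all.
// Any host that can reach the server may rewrite any record in the zone.
// zone "example.com" {
//     type master;
//     file "example.com.db";
//     allow-update { any; };
// };

// Posture 2: TSIG required, so only holders of the key may send UPDATEs, but a
// valid key may still change any name or type in the zone (identity without a
// capability binding).
// zone "example.com" {
//     type master;
//     file "example.com.db";
//     allow-update { key "dc1-update-key"; };
// };

// Posture 3 (simple-update style): TSIG authenticates each UPDATE and the
// update-policy grants binds this key to one capability, adding or removing
// SRV records under the assumed _tcp and _udp subtrees. UPDATEs signed with
// this key that touch the apex, A records, or names outside those subtrees
// are refused and logged, which is the detection point for a misused key.
zone "example.com" {
    type master;
    file "example.com.db";
    update-policy {
        grant dc1-update-key subdomain _tcp.example.com. SRV;
        grant dc1-update-key subdomain _udp.example.com. SRV;
    };
};
```

Only one of the three zone statements may be active for a given zone; the first two are commented out so the fragment loads as written.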