BIND - how predominant?
David R. Conrad
David_Conrad at isc.org
Fri Sep 10 01:35:50 UTC 1999
Hi,
> Also, speaking of MS-DNS, and Win2K, is there any
> chance that BIND is going to be able to match
> the Win2K signature protocol (I forget what's
> called)?
GSS-TSIG. We are investigating right now whether Microsoft has
published enough information for other organizations to make
interoperable implementations. The problem isn't with implementing
GSS-TSIG (which is relatively straightforward), the problem is that for
it to be useful, you need to have a GSS-API implementation to do the
security voodoo. Microsoft has (according to some particularly
knowledgeable people) "extended and enhanced" the Kerberos v5 protocol in
an undocumented fashion for their GSS-API. As such, whether we can
support GSS-TSIG so we can interoperate with Win2k is a bit up in the
air.
As an aside, ISC BIND does support standard TSIG (GSS-TSIG is not an
IETF standard, although they have submitted the protocol as an Internet
draft (albeit not through the DNSEXT working group)) as well as DNSSEC
(which provides a much more scalable public key security model), neither
of which I believe Microsoft has chosen to implement (might be wrong on
TSIG).
Regards,
-drc
Executive Director, ISC