different between DNS NT and DNS UNIX

Kevin Darcy kcd at daimlerchrysler.com
Fri Aug 3 00:25:41 UTC 2001


viet anh wrote:

> I am studying dynamic update of DNS.
> Both DNS for Win NT (Win 2000) and DNS for UNIX (BIND 9) can implement
> dynamic update.
> I wonder if there is any difference between the mechanism of DNS for Win NT
> and the mechanism of BIND 9 (DNS for UNIX) in implementing dynamic update.
> Can you explain to me how DNS for Win NT implements dynamic update, and
> how BIND 9 implements dynamic update, and the difference between them?

Dynamic Update is defined by a standard: RFC 2136. Apart from some arguable
interpretations of the spec here and there, both Win2K DNS and BIND conform
to this standard.

Where they primarily differ is in how to do *secure* Dynamic Update.
TSIG is defined by RFC 2845, and that's what BIND initially implemented for
securing Dynamic Updates and other DNS transactions. Win2K's DNS, on the
other hand, uses an incompatible variant of TSIG called GSS-TSIG, which is
as yet not published as an RFC. So a BIND server cannot accept secured
updates from a Win2K client or _vice_versa_.

If you turn off secure updates on the Win2K side, and you restrict updates
on the BIND side strictly by address or address range, then it works fine.
We've been running with a pilot in this mode for several months. You just
can't implement *strong* Dynamic Update authentication between Win2K and
BIND presently. I hear that Lucent is working on adding this functionality
to their BIND-based product, QIP.


- Kevin
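To make the two update-authorization models concrete, here is an added named.conf example (not from Kevin's post, and not the configuration of the pilot he mentions). It places the address-only restriction he describes beside an RFC 2845 TSIG-keyed zone. Zone names, the key name, the secret and the address range are placeholders chosen for the example.

```conf
// Added example (not from the post): two ways to gate RFC 2136 updates in named.conf.
// Zone names, key name, secret and address range are placeholders.

// Weak setting: the address-only restriction used when Win2K secure updates are off.
// Any packet that arrives with a source address in 10.20.0.0/16 (genuine or spoofed)
// may rewrite the zone; nothing about the update proves who actually sent it.
zone "pilot.example.com" {
    type master;
    file "db.pilot.example.com";
    allow-update { 10.20.0.0/16; };
};

// Stronger setting: RFC 2845 TSIG. Every update must carry an HMAC computed with
// this shared secret, so a forged source address alone is not enough.
// (BIND 9 of 2001 offered only hmac-md5; hmac-sha256 is the right choice on any
// current release.) Generate the secret with tsig-keygen; the value below is a placeholder.
key "dhcp-updater" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET-FROM-tsig-keygen=";
};

zone "corp.example.com" {
    type master;
    file "db.corp.example.com";
    // update-policy is finer-grained than allow-update: this key may only add or
    // delete A and AAAA records below the zone apex, nothing else (no SOA, NS, MX).
    update-policy {
        grant dhcp-updater zonesub A AAAA;
    };
};
```

A client then signs each update by pointing nsupdate at a key file containing the same `key` statement (`nsupdate -k dhcp-updater.key`); an update arriving without a valid signature, or signed with a different key, is refused with REFUSED and logged, which is the detection signal an operator should watch for. Note that the `key` and `zone` statements above are independent: the TSIG-gated zone does no address filtering at all, so the secret itself is what must be protected.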
