BIND master/MSDNS slave incompatability

[Walt Howard]

We are in the unusual position of forcing our Microsoft Active Directory
(with integrated DNS) controllers to use a Bind server as master for all
their zones.  They send dynamic updates to the Bind server, it sends them
a NOTIFY, and they do a zone transfer to pick up the change they just sent.
It has been working moderately well (IXFR queries are rejected with format
errors; AXFRs work) but with occasional little hiccups.  A long session with
tcpdump revealed that Microsoft DNS sends IXFR and AXFR queries (but
apparently not other types of queries) with "MS" appended to the end of
the query packet.  I guess that qualifies as a format error.

It was pretty clear who was violating RFC1035 here, so I complained to
Microsoft, and was informed that this is a feature, not a bug.  Fortunately
it is a configurable "feature".  There is a registry entry to control this
behavior; it defaults to ON(1) but can be turned off(0).
If you have installed the support tools from the installation CD, try
(on a command line) dnscmd /Config /AppendMsZoneTransferTag 0
If you don't have "dnscmd", this invokation tickles registry entry
[HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\AppendMsZoneTransferTag]
and you can change it to zero using your favorite method.

I don't know how many people run an MS-DNS server as slave to a Bind server,
and I haven't tested which versions of Bind would reject a query because
of the "MS" suffix, so I'm not sure just how much annoying misbehavior
can be solved with this tweak to MS-DNS.  Still, I thought it could make
a useful addition to a Bind-administrator's bag of tricks, so here it is.