Microsoft clients SECURE DYNAMIC UPDATES

Kevin Darcy kcd at daimlerchrysler.com
Mon Mar 27 21:10:10 UTC 2006


Alexander Varga wrote:

>Hello all
>
>I was digging through the whole google world, without a result, so you are the last chance.
>
>My question is: 
>- does Bind support secure dynamic updates from MS clients?
>- does Bind support GSS_TSIG in dynamic updates?
>
Those are really the same question, aren't they?

Answer: native BIND does not support GSS-TSIG, but at least one 
vendor-enhanced version of BIND does (Lucent QIP's).

>- is the support planned?
>
It's been on the TODO list for a while, I believe.

>- if not, how can I solve the troubles with SECURE client updates to my dynamic domain?
>
What are the "troubles", exactly? Do you really need those clients to 
register themselves *directly*? Either have the DHCP server do the 
registration on the clients' behalf or turn off that function altogether 
with a registry setting.

Another option is to have the clients register themselves in a different 
domain than your regular domain. Then you could have much looser, 
source-address-based Dynamic Update controls for that domain than you do 
for your regular domains, and not worry about important server names 
getting whacked, hijacked, whatever. Note that if and when you implement 
GSS-TSIG for your Dynamic Updates, the *accidental* whacking of 
important server names is still a danger, unless you separate things by 
zone/domain; the only thing GSS-TSIG protects you from is malicious 
activity.

                     - Kevin
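The two alternatives Kevin describes, DHCP-server registration on the clients' behalf and a separate, loosely controlled registration zone, as an added configuration example (not from the thread or from any poster). Assumed placeholders: the zone names example.com and clients.example.com, the client subnet 10.20.0.0/16, the name server address 192.0.2.53, the TSIG key name dhcp-update-key and its constructed secret.

```conf
# --- named.conf fragment (BIND) ---------------------------------------
# TSIG key shared only with the DHCP server (constructed sample secret).
key "dhcp-update-key" {
    algorithm hmac-md5;
    secret "cGxhY2Vob2xkZXItZG8tbm90LXVzZQ==";
};

# Regular zone: important server names live here. Only an updater that
# signs with the TSIG key (the DHCP server) may change it; Windows clients
# sending unsigned or GSS-TSIG-signed updates are refused.
zone "example.com" {
    type master;
    file "db.example.com";
    allow-update { key "dhcp-update-key"; };
};

# Separate registration zone for clients that insist on registering
# themselves. Source-address-based control is much looser (the address
# of a UDP update can be forged), so nothing important is published in
# this zone; a rogue or misconfigured client can only clobber other
# client records here, never a server name in example.com.
zone "clients.example.com" {
    type master;
    file "db.clients.example.com";
    allow-update { 10.20.0.0/16; };
};

# --- dhcpd.conf fragment (ISC DHCP) -----------------------------------
# The DHCP server registers A and PTR records for its leases itself and
# ignores the client's own request to update DNS.
ddns-update-style interim;
ddns-domainname "example.com.";
ddns-rev-domainname "in-addr.arpa.";
ignore client-updates;

key dhcp-update-key {
    algorithm hmac-md5;
    secret cGxhY2Vob2xkZXItZG8tbm90LXVzZQ==;
}

zone example.com. {
    primary 192.0.2.53;
    key dhcp-update-key;
}
```

Clients that should not talk to DNS at all can additionally have their own registration switched off with the registry setting Kevin mentions; the split above only limits what damage a registration that does get through can do.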



