To: "Stuart Kwan" <skwan@Exchange.Microsoft.com>, "Bruce Campbell" <bruce.campbell@apnic.net>
Cc: <dnsop@cafax.se>
From: Harald Tveit Alvestrand <Harald@Alvestrand.no>
Date: Mon, 22 May 2000 08:16:04 +0200
In-Reply-To: <19398D273324D3118A2B0008C7E9A569067DF1C8@SIT.platinum.corp.microsoft.com>
Sender: owner-dnsop@cafax.se
Subject: RE: root server load and dynamic updates.
At 08:46 19.05.2000 -0700, Stuart Kwan wrote:
>- W2K clients will attempt to add both A and PTR RRsets for the configured
>names and addrs of a computer
>- To perform the update, the client finds the enclosing zone of the name
>of the relevant RRset
>- If the enclosing zone is the root zone '.', the client will NOT send the
>update
>- Update requests are directed at the SOA MNAME, per the dynamic update
>protocol
>- We add the "NONE CNAME" conditional when updating a non-CNAME RRset to
>avoid a silent failure when attempting to update a name that already has a
>CNAME RRset (see RFC 2136 section 3.4.2.2)
>
>- The unknown record type query you are seeing is a TKEY query; when a W2K
>client receives REFUSED to an update request, it attempts to negotiate
>security via <http://www.ietf.org/internet-drafts/draft-skwan-gss-tsig-05.txt>
Do I read you as saying that a Win2K client, KNOWING IT HAS NO SHARED
SECRET OR PUBLIC KEY BASED TRUST WITH ANY DNS SERVER IN THE WORLD
WHATSOEVER, will attempt to do those things??????????????
There is only ONE case where it makes sense to do so, and that is the case
where the server will accept updates from any client whatsoever.
The result of configuring DNS servers in such a fashion is that in the
absence of DNS-grokking firewall services, anyone in the world can register
any name or address anywhere they want in zones with this policy, to point
it anywhere they want.
Not something I'd like to encourage.
I find this an "interesting" design decision.
Harald
--
Harald Tveit Alvestrand, EDB Maxware, Norway
Harald.Alvestrand@edb.maxware.no
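The "NONE CNAME" prerequisite that Stuart describes, worked through as an added example (this is illustration code, not anything from either writer or from the W2K client): it builds the RFC 2136 UPDATE wire message with the class-NONE CNAME prerequisite, and models the server-side evaluation so the difference between a silent no-op (section 3.4.2.2) and an explicit YXRRSET refusal is visible. The zone contents and names are constructed.

```python
import copy
import struct

# RFC 1035 / RFC 2136 constants
OPCODE_UPDATE = 5
CLASS_IN, CLASS_NONE = 1, 254          # NONE = "RRset does not exist" prerequisite
TYPE_A, TYPE_CNAME, TYPE_SOA = 1, 5, 6

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def encode_rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_update(zone, name, ipv4, ttl=1200, msg_id=0x1234):
    """UPDATE message adding an A RR for `name`, guarded by a 'NONE CNAME' prerequisite."""
    flags = OPCODE_UPDATE << 11                                  # QR=0, opcode=UPDATE
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 1, 1, 0)   # ZO, PR, UP, AD counts
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    prereq = encode_rr(name, TYPE_CNAME, CLASS_NONE, 0, b"")     # RFC 2136 2.4.3
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    update = encode_rr(name, TYPE_A, CLASS_IN, ttl, rdata)
    return header + zone_section + prereq + update

def server_add(zone_db, name, rtype, rdata, prereqs=()):
    """Model of the server side. NONE-class prerequisites (name, type) are checked
    first (RFC 2136 3.2.4); the add is then applied under 3.4.2.2: an RR that would
    sit beside an existing CNAME is silently dropped, yet the rcode is still NOERROR."""
    for p_name, p_type in prereqs:
        if p_type in zone_db.get(p_name.lower(), {}):
            return "YXRRSET"                                     # prerequisite failed
    rrsets = zone_db.setdefault(name.lower(), {})
    if TYPE_CNAME in rrsets and rtype != TYPE_CNAME:
        return "NOERROR"                                         # the silent failure
    rrsets.setdefault(rtype, set()).add(rdata)
    return "NOERROR"

def demo():
    # Constructed zone: the name the client wants to update already owns a CNAME.
    zone_db = {"host.example.org": {TYPE_CNAME: {"alias.example.org"}}}
    bare = server_add(copy.deepcopy(zone_db), "host.example.org", TYPE_A, "192.0.2.10")
    guarded = server_add(copy.deepcopy(zone_db), "host.example.org", TYPE_A, "192.0.2.10",
                         prereqs=[("host.example.org", TYPE_CNAME)])
    return bare, guarded   # ("NOERROR", "YXRRSET")
```

Without the prerequisite the client gets NOERROR and never learns its A record was discarded; with it, the server answers YXRRSET and the client can tell the update did not apply.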