

To: "Harald Tveit Alvestrand" <Harald@Alvestrand.no>, "Bruce Campbell" <bruce.campbell@apnic.net>
Cc: <dnsop@cafax.se>
From: "Stuart Kwan" <skwan@Exchange.Microsoft.com>
Date: Sun, 21 May 2000 23:45:54 -0700
content-class: urn:content-classes:message
Sender: owner-dnsop@cafax.se
Thread-Index: Ab/DtL4tnKsJSbkHSMavih2wKSc/lAAAHvlA
Thread-Topic: root server load and dynamic updates.
Subject: RE: root server load and dynamic updates.

At the time Windows 2000 was developed, there was no viable standard for secure dynamic update.

* RFC 2137 was on the way out as RFC 2065 was being rewritten
* TSIG did not see first implementation in BIND until recently (I think BIND 8.2.x - I could be wrong on this point, but I cannot get to http://www.isc.org right now)
* There was only one server-side implementation of GSS-TSIG (W2K DNS)

The vast majority of DNS servers are BIND or BIND-based.  There was no GSS-TSIG capability in BIND on the horizon.  It was unreasonable for me to assume that most server operators would switch to W2K DNS, thus I could not make it such that W2K would emit only GSS-TSIG secured updates.

On the assumption that BIND servers on internal corporate intranets would allow unsecure dynamic updates, and that server admins would probably use the minimal IP address-based access control mechanism in BIND, I decided to make the default first message be an unsecured update attempt.

So Harald - yes, I do have customers that use BIND and unsecured updates.  Of course, nobody runs a DNS server on the Internet in this configuration.  Only on intranets.

Thinking back now, another choice may be to try GSS-TSIG first by default, and fall back to unsecured updates only if explicitly enabled by client policy.  I'll look into it.  Before I make any change, I need to find out how much of the W2K user base is in fact using BIND and unsecure updates.

-----Original Message-----
From: Harald Tveit Alvestrand [mailto:Harald@Alvestrand.no]
Sent: Sunday, May 21, 2000 11:16 PM
To: Stuart Kwan; Bruce Campbell
Cc: dnsop@cafax.se
Subject: RE: root server load and dynamic updates.


At 08:46 19.05.2000 -0700, Stuart Kwan wrote:

>- W2K clients will attempt to add both A and PTR RRsets for the configured
>names and addrs of a computer
>- To perform the update, the client finds the enclosing zone of the name
>of the relevant RRset
>- If the enclosing zone is the root zone '.', the client will NOT send the
>update
>- Update requests are directed at the SOA MNAME, per the dynamic update
>protocol
>- We add the "NONE CNAME" conditional when updating a non-CNAME RRset to
>avoid a silent failure when attempting to update a name that already has a
>CNAME RRset (see RFC 2136 section 3.4.2.2)
>
>- The unknown record type query you are seeing is a TKEY query; when a W2K
>client receives REFUSED to an update request, it attempts to negotiate
>security via
>http://www.ietf.org/internet-drafts/draft-skwan-gss-tsig-05.txt

Do I read you as saying that a Win2K client, KNOWING IT HAS NO SHARED
SECRET OR PUBLIC KEY BASED TRUST WITH ANY DNS SERVER IN THE WORLD
WHATSOEVER, will attempt to do those things??????????????

There is only ONE case where it makes sense to do so, and that is the case
where the server will accept updates from any client whatsoever.

The result of configuring DNS servers in such a fashion is that in the
absence of DNS-grokking firewall services, anyone in the world can register
any name or address anywhere they want in zones with this policy, to point
it anywhere they want.
Not something I'd like to encourage.

I find this an "interesting" design decision.

                         Harald

--
Harald Tveit Alvestrand, EDB Maxware, Norway
Harald.Alvestrand@edb.maxware.no
