

To: "Stuart Kwan" <skwan@Exchange.Microsoft.com>
Cc: <dnsop@cafax.se>
From: Harald Tveit Alvestrand <Harald@Alvestrand.no>
Date: Mon, 22 May 2000 09:23:00 +0200
In-Reply-To: <19398D273324D3118A2B0008C7E9A569067DF1D6@SIT.platinum.corp.microsoft.com>
Sender: owner-dnsop@cafax.se
Subject: RE: root server load and dynamic updates.

At 23:45 21.05.2000 -0700, Stuart Kwan wrote:

>At the time Windows 2000 was developed, there was no viable standard for 
>secure dynamic update.

.....

>On the assumption that BIND servers on internal corporate intranets would 
>allow unsecure dynamic updates, and that server admins would probably use 
>the minimal IP address-based access control mechanism in BIND, I decided 
>to make the default first message be an unsecured update attempt.
>
>So Harald - yes, I do have customers that use BIND and unsecured 
>updates.  Of course, nobody runs a DNS server on the Internet in this 
>configuration.  Only on intranets.

Mumble. I see your logic. The problem is that it's impossible for a 
computer to tell whether it's on a DNS-isolated intranet, on a 
firewall-only intranet or on the Internet.
Or, as is becoming more common, connected to the Internet, but with an 
encrypted tunnel into the Intranet; the machine probably has multiple names 
and IP addresses.


>Thinking back now, another choice may be to try GSS-TSIG first by default, 
>and fall back to unsecured updates only if explicitly enabled by client 
>policy.  I'll look into it.  Before I make any change, I need to find out 
>how much of the W2K user base is in fact using BIND and unsecure updates.

the dialog box on the DNS tab of the "advanced" settings in connection, 
flipping the default for "Register this connection address in the DNS" from 
"Yes" to "No"? Yes, I think that would be desirable.
(Yes, I run win2k on this laptop - and enjoy the improvements from WinNT 
networking a LOT!)

Ideally, I'd think of adding a tab to the connection box, with a pulldown with
alternatives:

- Random Internet connection (no DNS update)
- Physically secure Intranet (unsecured DNS update)
- Configured secure DNS (secured DNS update, IF shared secret configured)

with the default for newly created connections being the last one.

Of course, an "Advanced...." box that allows you to select exactly what 
updates to attempt, and what security to use..... that's too complex for 
most of us, I think.

(the only excuse for discussing this in public is to see if those are the 
alternatives that make sense to people here, or if there are more settings 
that are probably needed.)

                          Harald


--
Harald Tveit Alvestrand, EDB Maxware, Norway
Harald.Alvestrand@edb.maxware.no
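As an added illustration (not part of the thread), here is the server-side half of the trade-off Stuart describes, as a BIND 9 named.conf fragment: the "minimal IP address-based access control" that accepts unsigned updates from an address range, beside a key-based update policy that accepts only updates signed with a configured shared secret (Harald's "Configured secure DNS" alternative). Zone name, key name, host name, algorithm and the secret placeholder are assumptions.

```conf
// Shared secret used to sign (TSIG) dynamic updates from one client.
// The secret value is a placeholder; generate a real one with tsig-keygen.
key "laptop-update-key" {
    algorithm hmac-sha256;          // assumed; BIND of the thread's era only had hmac-md5
    secret "<BASE64-SECRET-PLACEHOLDER>";
};

zone "corp.example" {
    type master;
    file "corp.example.db";

    // Weak setting: any packet whose source address falls in this range is
    // allowed to change any name in the zone. This is what a client that
    // sends an unsigned update first relies on, and it only holds up if the
    // network really is the isolated intranet the admin assumed.
    // allow-update { 10.0.0.0/8; };

    // Stronger setting: no unsigned update is accepted at all, and the
    // named key may only add or replace address records for one host name.
    // A client on the wrong network simply gets REFUSED instead of being
    // able to register (or overwrite) a name.
    update-policy {
        grant laptop-update-key name laptop.corp.example. A AAAA;
    };
};
```

With update-policy in force, an unsigned update attempt is refused rather than applied, so the "try unsecured first" client default described in the thread fails closed on such a server.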

