

To: Stuart Kwan <skwan@Exchange.Microsoft.com>
cc: Harald Tveit Alvestrand <Harald@Alvestrand.no>, dnsop@cafax.se
From: Bruce Campbell <bruce.campbell@apnic.net>
Date: Mon, 22 May 2000 17:25:08 +1000 (EST)
In-Reply-To: <19398D273324D3118A2B0008C7E9A569067DF1D6@SIT.platinum.corp.microsoft.com>
Sender: owner-dnsop@cafax.se
Subject: RE: root server load and dynamic updates.


On Sun, 21 May 2000, Stuart Kwan wrote:

skwan> At the time Windows 2000 was developed, there was no viable standard for
skwan> secure dynamic update.

skwan> On the assumption that BIND servers on internal corporate intranets
skwan> would allow unsecure dynamic updates, and that server admins would
skwan> probably use the minimal IP address-based access control mechanism in
skwan> BIND, I decided to make the default first message be an unsecured update
skwan> attempt.

skwan> So Harald - yes, I do have customers that use BIND and unsecured
skwan> updates.  Of course, nobody runs a DNS server on the Internet in this
skwan> configuration.  Only on intranets.

And we're back to the original question, i.e., how is W2K going to be
modified in its next release/service patch so that its update behaviour
doesn't (further) annoy the server operators?

skwan> Thinking back now, another choice may be to try GSS-TSIG first by
skwan> default, and fall back to unsecured updates only if explicitly enabled
skwan> by client policy.  I'll look into it.  

urm.. suggest watching the TTL fields à la traceroute to work out if the
nameserver that you're going to attempt this to is an 'intranet' server
(when you make the initial queries to find the SOA field).

skwan> Before I make any change, I need to find out how much of the
skwan> W2K user base is in fact using BIND and unsecure updates.

NFI.

A rough guess is that a fair bit is being trapped by intranets/downstream
nameservers, and that we're only seeing updates from the rare ones that
get past upstream filters.  Which is still a largish number.

Regards,

-- 
  Bruce Campbell <bruce.campbell@apnic.net>                +61-7-3367-0490
                      Systems Administrator     Regional Internet Registry
    Asia Pacific Network Information Centre    For the Asia Pacific Region
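An added example, not part of this thread and not Microsoft's or BIND's code, of the kind of check a public nameserver operator could run on incoming messages to measure what the thread discusses: it classifies a raw DNS message as an RFC 2136 UPDATE with or without a TSIG (RFC 2845) record in the additional section, and flags unsigned updates arriving from outside the operator's own trusted ranges. The `build_update` sample messages, `example.com` and `10.0.0.0/8` are constructed test data; only the Python standard library is assumed.

```python
import ipaddress
import struct

OPCODE_UPDATE = 5   # RFC 2136 dynamic update opcode
TYPE_TSIG = 250     # RFC 2845 transaction signature RR, carried in the additional section

def _encode_name(name):
    # wire-format name; used only to build the constructed samples below
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def _skip_name(msg, off):
    # advance past a wire-format name, honouring compression pointers
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def classify(msg):
    """Return 'not-update', 'update-unsigned' or 'update-tsig' for a raw DNS message."""
    _, flags, zo, pr, up, ad = struct.unpack("!6H", msg[:12])
    if (flags >> 11) & 0xF != OPCODE_UPDATE:
        return "not-update"
    off = 12
    for _ in range(zo):                       # zone section: name, type, class
        off = _skip_name(msg, off) + 4
    signed = False
    for i in range(pr + up + ad):             # RR sections: name + 10-byte fixed part + rdata
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if i >= pr + up and rtype == TYPE_TSIG:  # only count TSIG in the additional section
            signed = True
    return "update-tsig" if signed else "update-unsigned"

def should_alert(msg, src_ip, trusted_nets):
    """Flag unsigned updates that arrive from outside the trusted (intranet) ranges."""
    if classify(msg) != "update-unsigned":
        return False
    src = ipaddress.ip_address(src_ip)
    return not any(src in ipaddress.ip_network(n) for n in trusted_nets)

def build_update(signed):
    # constructed sample: add an A record for host.example.com, optionally with a TSIG RR appended
    hdr = struct.pack("!6H", 0x1234, OPCODE_UPDATE << 11, 1, 0, 1, 1 if signed else 0)
    zone = _encode_name("example.com") + struct.pack("!HH", 6, 1)   # SOA, IN
    rr = _encode_name("host.example.com") + struct.pack("!HHIH", 1, 1, 1200, 4) + bytes([10, 0, 0, 5])
    msg = hdr + zone + rr
    if signed:
        mac = b"\x00" * 16  # placeholder rdata; a real TSIG carries algorithm name, time and MAC
        msg += _encode_name("key.example.com") + struct.pack("!HHIH", TYPE_TSIG, 255, 0, len(mac)) + mac
    return msg
```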

