To: Stuart Kwan <skwan@Exchange.Microsoft.com>
cc: Harald Tveit Alvestrand <Harald@Alvestrand.no>, dnsop@cafax.se
From: Bruce Campbell <bruce.campbell@apnic.net>
Date: Mon, 22 May 2000 17:25:08 +1000 (EST)
In-Reply-To: <19398D273324D3118A2B0008C7E9A569067DF1D6@SIT.platinum.corp.microsoft.com>
Sender: owner-dnsop@cafax.se
Subject: RE: root server load and dynamic updates.

On Sun, 21 May 2000, Stuart Kwan wrote:

skwan> At the time Windows 2000 was developed, there was no viable standard for
skwan> secure dynamic update.
skwan> On the assumption that BIND servers on internal corporate intranets
skwan> would allow unsecure dynamic updates, and that server admins would
skwan> probably use the minimal IP address-based access control mechanism in
skwan> BIND, I decided to make the default first message be an unsecured update
skwan> attempt.
skwan> So Harald - yes, I do have customers that use BIND and unsecured
skwan> updates. Of course, nobody runs a DNS server on the Internet in this
skwan> configuration. Only on intranets.

And we're back to the original question, i.e., how is W2K going to be modified in its next release/service patch so that its update behaviour doesn't (further) annoy the server operators?

skwan> Thinking back now, another choice may be to try GSS-TSIG first by
skwan> default, and fall back to unsecured updates only if explicitly enabled
skwan> by client policy. I'll look into it.

urm.. suggest watching the TTL fields ala traceroute to work out if the nameserver that you're going to attempt this to is an 'intranet' server (when you make the initial queries to find the SOA field).

skwan> Before I make any change, I need to find out how much of the
skwan> W2K user base is in fact using BIND and unsecure updates.

NFI. A rough guess is that a fair bit is being trapped by intranets/downstream nameservers, and that we're only seeing updates from the rare ones that get past upstream filters. Which is still a largish number.

Regards,

--
Bruce Campbell <bruce.campbell@apnic.net> +61-7-3367-0490
Systems Administrator Regional Internet Registry
Asia Pacific Network Information Centre For the Asia Pacific Region