[cifs-protocol] question on DNS TSIG dynamic updates

tridge at samba.org tridge at samba.org
Thu Feb 11 21:29:20 MST 2010

Dear dochelp,

This is with regard to MS-GSSA, and the protocols for kerberized
dynamic DNS updates using TSIG-GSS.

We implemented the client side of this quite a while ago, and now
we're trying to make the server side of it reliable (for when windows
clients register DNS named with a Samba server). We're doing this by
trying to integrate a bit more closely with bind9, which has TSIG

The problem we've hit is a fairly basic one - what are the conditions
under which Windows clients will use a TSIG DNS update?

When we get a Windows w2k8r2 box to join a Samba domain, it does try
and do a dynamic DNS update to add its name, but it doesn't do it
using TSIG. It just sends a plain DNS update. Our current guess is
that perhaps Windows first tries to send a non-TSIG update, and
expects something special about the error return it gets, then based
on that error return it would then do a TSIG based update. Looking at
a Windows DNS server, we notice it sends a more extensive response
when it refuses a non-TSIG update, and we suspect it is something
about this response (perhaps the CNAME pre-requisite?) that triggers
windows to try again with a TSIG update.

Or maybe there is something in the rootDSE or CLDAP responses that
tell a Windows client if the server is capable of TSIG DNS updates?

We're particularly interested in the answer for the following

  1) a normal DNS update when a member of a domain boots

  2) updates of the _msdcs zone when a DC joins a domain (and
  subsequent updates)


Cheers, Tridge

More information about the cifs-protocol mailing list