[cifs-protocol] [REG:110021555585893] RE: question on DNS TSIG dynamic updates

John Dunning johndun at microsoft.com
Mon Feb 15 10:00:19 MST 2010

Hello Tridge,
    There was a foul-up in communications Friday as you should have been sent a reply that day. Sorry for the confusion. We have received this request and I will be working on this issue. I also received the email regarding your findings and request to update the [MS-GSSA] document. I think what you are looking for is a reference to information indicating that a Windows client will only try the signed update if the response from the DNS server for the unsigned request includes fields from the request. Please let me know if I am understanding this correctly. I think that I am but I want to make sure we are on the same page.

John Dunning
Senior Escalation Engineer
Microsoft Corporation
US-CSS DSC PROTOCOL TEAM
Email: johndun at microsoft.com

-----Original Message-----
From: tridge at samba.org [mailto:tridge at samba.org] 
Sent: Thursday, February 11, 2010 10:29 PM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: question on DNS TSIG dynamic updates

Dear dochelp,

This is with regard to MS-GSSA, and the protocols for kerberized
dynamic DNS updates using TSIG-GSS.

We implemented the client side of this quite a while ago, and now
we're trying to make the server side of it reliable (for when Windows
clients register DNS names with a Samba server). We're doing this by
trying to integrate a bit more closely with bind9, which has TSIG

The problem we've hit is a fairly basic one - what are the conditions
under which Windows clients will use a TSIG DNS update?

When we get a Windows w2k8r2 box to join a Samba domain, it does try
and do a dynamic DNS update to add its name, but it doesn't do it
using TSIG. It just sends a plain DNS update. Our current guess is
that perhaps Windows first tries to send a non-TSIG update, and
expects something special about the error return it gets, then based
on that error return it would then do a TSIG based update. Looking at
a Windows DNS server, we notice it sends a more extensive response
when it refuses a non-TSIG update, and we suspect it is something
about this response (perhaps the CNAME pre-requisite?) that triggers
Windows to try again with a TSIG update.

Or maybe there is something in the rootDSE or CLDAP responses that
tells a Windows client if the server is capable of TSIG DNS updates?

We're particularly interested in the answer for the following:

  1) a normal DNS update when a member of a domain boots

  2) updates of the _msdcs zone when a DC joins a domain (and
  subsequent updates)


Cheers, Tridge
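The exchange Tridge is guessing at, as an added example that is not part of the thread and is neither Samba's nor Microsoft's code: a minimal RFC 2136 UPDATE encoder and parser, a constructed refusal from a server, and a decision function that models the hypothesised client rule (send an unsigned update first, retry with a TSIG-GSS signed update only if the REFUSED response echoes the request's zone, prerequisite and update sections). The wire format follows RFC 2136 and RFC 1035; the fallback rule itself, the names `samba.example.` and `member1.samba.example.`, and the 192.0.2.10 address are assumptions for illustration, and the code makes no claim about what Windows actually does.

```python
import struct

# Assumption (from Tridge's mail, not a documented fact): the client decides to
# retry with TSIG based on what the refusal echoes back. Everything below is an
# added example, not Samba's or Microsoft's implementation.
OPCODE_UPDATE = 5                      # RFC 2136 UPDATE opcode
RCODE_NOERROR, RCODE_REFUSED = 0, 5
TYPE_A, TYPE_CNAME, TYPE_SOA = 1, 5, 6
CLASS_IN, CLASS_NONE = 1, 254          # CLASS NONE = "RRset does not exist" prerequisite
MAX_POINTER_HOPS = 16                  # guard against looping compression pointers in replies

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, off):
    """Decode the name at msg[off], following RFC 1035 compression pointers; returns (name, next_offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # two-byte compression pointer
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                           # parsing resumes after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def encode_rr(name, rtype, rclass, ttl, rdata):
    """Wire-encode one resource record for the prerequisite, update or additional section."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_update(msg_id, zone, prereqs, updates, additional=()):
    """Build an UPDATE request: header, one zone entry (SOA/IN), then the RR sections."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11,
                         1, len(prereqs), len(updates), len(additional))
    zone_entry = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + zone_entry + b"".join(prereqs) + b"".join(updates) + b"".join(additional)

def parse_message(msg):
    """Parse an UPDATE request or response into header fields and section lists."""
    msg_id, flags, zocount, prcount, upcount, adcount = struct.unpack("!HHHHHH", msg[:12])
    off, zones = 12, []
    for _ in range(zocount):
        name, off = decode_name(msg, off)
        zones.append((name,) + struct.unpack("!HH", msg[off:off + 4]))
        off += 4
    def read_rrs(count, off):
        out = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            out.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
            off += rdlen
        return out, off
    prereqs, off = read_rrs(prcount, off)
    updates, off = read_rrs(upcount, off)
    additional, off = read_rrs(adcount, off)
    return {"id": msg_id, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
            "zone": zones, "prereq": prereqs, "update": updates, "additional": additional}

def should_retry_signed(request, response):
    """Hypothesised rule: escalate to a TSIG-signed retry only for a matching REFUSED reply
    that echoes the zone, prerequisite and update sections of the unsigned request."""
    req, resp = parse_message(request), parse_message(response)
    if resp["id"] != req["id"] or resp["qr"] != 1 or resp["opcode"] != OPCODE_UPDATE:
        return False                                    # not a reply to this update at all
    if resp["rcode"] != RCODE_REFUSED:
        return False                                    # accepted, or failed for another reason
    return (resp["zone"], resp["prereq"], resp["update"]) == (req["zone"], req["prereq"], req["update"])

def make_response(request, rcode, echo):
    """Constructed server reply: QR set, the given RCODE, body echoed from the request or left empty."""
    msg_id, _, zocount, prcount, upcount, adcount = struct.unpack("!HHHHHH", request[:12])
    flags = 0x8000 | (OPCODE_UPDATE << 11) | rcode
    if echo:
        return struct.pack("!HHHHHH", msg_id, flags, zocount, prcount, upcount, adcount) + request[12:]
    return struct.pack("!HHHHHH", msg_id, flags, 0, 0, 0, 0)

def sample_request():
    """Constructed boot-time registration: add an A record for the member itself, guarded by the
    CNAME "does not exist" prerequisite mentioned in the thread (hypothetical names and address)."""
    host = "member1.samba.example."
    return build_update(0x1234, "samba.example.",
                        prereqs=[encode_rr(host, TYPE_CNAME, CLASS_NONE, 0, b"")],
                        updates=[encode_rr(host, TYPE_A, CLASS_IN, 1200, bytes([192, 0, 2, 10]))])

if __name__ == "__main__":
    req = sample_request()
    for label, resp in [("refused, echoed", make_response(req, RCODE_REFUSED, True)),
                        ("refused, bare", make_response(req, RCODE_REFUSED, False)),
                        ("accepted", make_response(req, RCODE_NOERROR, True))]:
        print(f"{label:16s} -> retry with TSIG: {should_retry_signed(req, resp)}")
```

On a Samba or bind9 server side, the useful part is the parser: logging which unsigned updates arrive, whether they carry the CNAME prerequisite, and whether a signed retry follows lets you confirm or refute the hypothesis from captured traffic rather than from guesswork; the decision function is only a model of the client side, to be replaced by whatever the [MS-GSSA] update documents.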
