[cifs-protocol] [REG:110021555585893] RE: question on DNS TSIG dynamic updates

John Dunning johndun at microsoft.com
Fri Feb 26 14:42:15 MST 2010

Hello Tridge,

Thank you for your questions regarding TSIG DNS update. A future version of the [MS-ADSO] document Section 4.1 - System Environment will contain a link to a Windows Behavior to clarify this. The Windows Behavior will read something similar to the following:

RFC 2136 allows dynamic update responses to be formed in two ways.
1) Respond with the ZOCOUNT, PRCOUNT, UPCOUNT and ADCOUNT fields and corresponding sections copied from the request.
2) Respond with the ZOCOUNT, PRCOUNT, UPCOUNT and ADCOUNT fields set to 0 and without copying the corresponding sections from the request.
The Windows DNS server in Windows NT, Windows 2000, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 uses Method 1 when formatting dynamic update responses. The Windows DNS client in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 expects Method 1 when parsing dynamic update responses and may log an error when parsing dynamic update responses that use Method 2. The Windows DNS client in Windows 7 and Windows Server 2008 R2 will accept either method of formatting dynamic update responses.

Please let me know if this fully answers your questions.

John Dunning
Senior Escalation Engineer Microsoft Corporation US-CSS DSC PROTOCOL TEAM
Email: johndun at microsoft.com

-----Original Message-----
From: tridge at samba.org [mailto:tridge at samba.org] 
Sent: Monday, February 15, 2010 3:25 PM
To: John Dunning
Cc: Interoperability Documentation Help; cifs-protocol at samba.org; MSSolve Case Email
Subject: [REG:110021555585893] RE: question on DNS TSIG dynamic updates

Hi John,

 >     There was a foul up in communications Friday as you should have
 > been sent a reply that day.

no worries. The initial ack doesn't really matter that much :-)

 > I also received the email regarding your findings and request to
 > update the [MS-GSSA] document. I think what you are looking for is
 > a reference to information indicating that a windows client will
 > only try the signed update if the response from the DNS server for
 > the unsigned request includes fields from the request. Please let
 > me know if I am understanding this correctly. I think that I am but
 > I want to make sure we are on the same page.

yes, assuming that we have correctly diagnosed the problem, then that
is what we'd like. If there are any other conditions for MS clients
doing TSIG-GSS requests then please add those too.

Cheers, Tridge
