The Secure Dynamic DNS update client authorisation schemes used by Microsoft and ISC are incompatible.

You've come to this page because you've asked a question similar to the following:

What is the issue regarding secure Dynamic DNS updates and Microsoft's and ISC's softwares ?

This is the Frequently Given Answer to that question.

The client authentication mechanism used by Microsoft's DHCP and DNS softwares and the client authentication mechanism used by ISC's DHCP and DNS softwares, for Secure Dynamic DNS updates, are different and are mutually incompatible.

The client authentication mechanism for Secure Dynamic DNS updates is a "TSIG" resource record set included in the update datagram that the client sends to the server. This resource record set contains as its data a signature cryptographically generated from a combination of the datagram contents and a secret key that the client and server share. The server only performs the update if this signature is valid.

Microsoft:

Microsoft's DHCP and DNS softwares use GSS TSIG. The shared secret that the DDNS client and server use is automatically negotiated and distributed to client and server using Kerberos, without need for the administrator to explicitly inform either the client or the server what it is.

Microsoft documented GSS TSIG in 1997-11, and in 1998-03 submitted a draft RFC for it to the IETF. It has continued to re-submit it ever since. The IETF has not yet published it as an RFC.
ISC:

ISC's DHCP and DNS softwares use HMAC-MD5 TSIG. The shared secret that the DDNS client and server use is manually supplied to both by an administrator. (It is generated manually by the administrator running ISC's dnskeygen or dnssec-keygen utility, supplied manually to the DNS server by the administrator entering key directives containing it into BIND's named.conf configuration file, and supplied manually to the DNS client by the administrator using the -k option to pass it to ISC's nsupdate utility.)

ISC and Nominum people documented HMAC-MD5 TSIG in 2000-03, submitting it as a draft RFC, which was then published as RFC 2845 two months later in 2000-05.

Secure Dynamic DNS updates are possible with Microsoft's DHCP client or DHCP server talking to Microsoft's DNS server, or with ISC's DHCP server talking to ISC's DNS server; but are not possible when one mixes Microsoft and ISC softwares. Each company's softwares are only capable of performing secure dynamic DNS updates with the DNS server softwares from that same company.

Essentially: If one employs Secure Dynamic DNS updates, both companies lock one into their own softwares.

© Copyright 2004–2004 Jonathan de Boyne Pollard. "Moral" rights asserted.
Permission is hereby granted to copy and to distribute this web page in its original, unmodified form as long as its last modification datestamp is preserved.