Steven Brown wrote:

>It seems Secure Dynamic Update on Windows clients violates the standard
>in such a way that the only server that can be used is Microsoft's (gee,
>what a surprise). However, I want to do it anyway. What's the best way
>to do this, ideally with only Open Source software? I could script up
>something to run a win32 build of nsupdate periodically but that seems
>rather hacky and a pain to maintain.

I have not looked at the standards documents in this area. I was not
aware that the MS implementation was in violation of the standards,
and I do not know what is in violation of the standards.
I know that the only current implementation is a MS implementation.
What has been mentioned on this list in the past (check the archives):

1) The MS GSS-TSIG algorithm is not yet implemented in BIND.
2) The original MS Draft RFC contained an algorithm that did not match
the MS code.
3) MS has released a document that explains their code.
4) That algorithm is planned (?) for a future release of BIND.
No timetable has been released, as far as I remember.

In my configuration I have one forward zone and five reverse zones,
all under the control of a MS DHCP Server; the zones are mastered on
a MS W2003 DNS Server and slaved on by BIND servers. These zones are
AD-integrated with secure DDNS only.
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory Phone: +1 (630) 252-7277
9700 South Cass Avenue Facsimile:+1 (630) 252-4601
Building 222, Room D209 Internet:
Argonne, IL 60439-4828 IBMMAIL: I1004994