[dns-operations] DNSSEC on Windows
sfaber at cert.org
Mon Feb 16 14:05:17 UTC 2009
> > Do they speak about TSIG? Or is this something only in MS Windows?
> Of course not! They tunnel DNS TCP over SSL using the certificate
> from the active directory.
Hmmm...do you mean for 2008? In the 2007 DITL traces for AS112, there are lots of clients with a TKEY record (sent over TCP) containing an NTLMSSP key with a workstation name & domain. In fact, all the TKEY records were NTLMSSP.
There's other evidence in the traffic that suggests these are clients attempting a secure update of the reverse zone file, so I'd figured that was how MSWin supported DNS updates only from authenticated clients. I'm pretty sure that's been available as long as Active Directory's been around. But I didn't actually confirm this hypothesis by digging into the MS documentation (shudder).
I might still have the paper lying around somewhere, let me know if you'd like me to dig it up.
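For operators who want to check their own captures for the pattern described above (GSS-TSIG TKEY negotiation, RFC 2930 mode 3, with an NTLMSSP token in the key data), here is an added example; it is not code from this post or from the dns-operations thread. It is a dependency-free parser that strips the DNS-over-TCP length prefix, walks the RR sections for TKEY records, and pulls the domain and workstation fields out of an NTLMSSP NEGOTIATE (Type 1) token. The sample message is constructed here: the owner name, domain and workstation are made up, and the key data is a bare NTLMSSP token rather than the SPNEGO-wrapped token real clients send (the substring search for the `NTLMSSP\0` signature handles both).

```python
"""Spot GSS-TSIG TKEY negotiations carrying NTLMSSP tokens in raw DNS messages.

Added example; sample values are constructed, not taken from any trace.
"""
import struct

TYPE_TKEY = 249                 # RFC 2930
CLASS_ANY = 255                 # TKEY is a meta-RR carried in class ANY
TKEY_MODE_GSSAPI = 3            # RFC 2930 mode 3 = GSS-API negotiation (GSS-TSIG, RFC 3645)
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def encode_name(name):
    """Wire-encode a presentation-format domain name (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("latin-1")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("latin-1"))
        off += 1 + length
    return ".".join(labels) + ".", (end if jumped else off)


def dns_from_tcp(segment):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2)."""
    (length,) = struct.unpack("!H", segment[:2])
    return segment[2:2 + length]


def parse_ntlmssp(blob):
    """Return the domain/workstation from an NTLMSSP NEGOTIATE (Type 1) message, if present."""
    idx = blob.find(NTLMSSP_SIGNATURE)              # also finds a token wrapped in SPNEGO
    if idx < 0 or len(blob) - idx < 12:
        return None
    msg = blob[idx:]
    msg_type = struct.unpack("<I", msg[8:12])[0]
    if msg_type != 1 or len(msg) < 32:
        return {"type": msg_type}

    def field(pos):                                  # (Len, MaxLen, Offset), offset from signature
        ln, _maxlen, offset = struct.unpack("<HHI", msg[pos:pos + 8])
        return msg[offset:offset + ln].decode("latin-1")

    return {"type": 1, "domain": field(16), "workstation": field(24)}


def parse_tkey(owner, rdata):
    """Split TKEY RDATA: algorithm, inception, expiration, mode, error, key data."""
    alg, pos = decode_name(rdata, 0)
    inception, expiration, mode, error, keysize = struct.unpack("!IIHHH", rdata[pos:pos + 14])
    pos += 14
    return {"owner": owner, "algorithm": alg, "inception": inception,
            "expiration": expiration, "mode": mode, "error": error,
            "key": rdata[pos:pos + keysize]}


def find_tkey_records(msg):
    """Walk the question and all RR sections; return parsed TKEY records."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, found = 12, []
    for _ in range(qd):
        _qname, off = decode_name(msg, off)
        off += 4                                     # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_TKEY:
            found.append(parse_tkey(name, msg[off:off + rdlen]))
        off += rdlen
    return found


def classify_tcp_segment(segment):
    """Detection entry point: list GSS-TSIG TKEY records and any NTLMSSP identity they leak."""
    return [{"owner": rr["owner"], "algorithm": rr["algorithm"], "mode": rr["mode"],
             "ntlmssp": parse_ntlmssp(rr["key"])}
            for rr in find_tkey_records(dns_from_tcp(segment))
            if rr["mode"] == TKEY_MODE_GSSAPI]


def build_sample_tcp_segment():
    """Constructed TKEY query (names and times made up) framed for TCP, for offline testing."""
    domain, workstation = b"EXAMPLE", b"WS-LAB01"
    ntlm = (NTLMSSP_SIGNATURE + struct.pack("<I", 1) + struct.pack("<I", 0x00008207)
            + struct.pack("<HHI", len(domain), len(domain), 32)
            + struct.pack("<HHI", len(workstation), len(workstation), 32 + len(domain))
            + domain + workstation)
    owner = encode_name("1234-abcd.example.")        # hypothetical TKEY owner name
    rdata = (encode_name("gss-tsig.")
             + struct.pack("!IIHHH", 1200000000, 1200003600, TKEY_MODE_GSSAPI, 0, len(ntlm))
             + ntlm + struct.pack("!H", 0))           # no "other data"
    msg = (struct.pack("!6H", 0x1234, 0, 1, 0, 0, 1)
           + owner + struct.pack("!HH", TYPE_TKEY, CLASS_ANY)
           + owner + struct.pack("!HHIH", TYPE_TKEY, CLASS_ANY, 0, len(rdata)) + rdata)
    return struct.pack("!H", len(msg)) + msg


if __name__ == "__main__":
    for hit in classify_tcp_segment(build_sample_tcp_segment()):
        print(hit)
```

Feeding real captures through this only needs the reassembled TCP payload of each DNS connection; anything with a mode-3 TKEY whose key data contains the NTLMSSP signature is a Windows client trying to negotiate a GSS-TSIG key for a secure dynamic update, and the domain/workstation fields (when the client fills them in) tell you which network the leak is coming from.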