The Secure Dynamic DNS update client authorisation schemes used by Microsoft and ISC are incompatible.

You've come to this page because you've asked a question similar to the following:
What is the issue regarding secure Dynamic DNS updates and Microsoft's and ISC's software?

This is the Frequently Given Answer to that question.

The client authentication mechanism used by Microsoft's DHCP and DNS software and the client authentication mechanism used by ISC's DHCP and DNS software, for Secure Dynamic DNS updates, are different and are mutually incompatible.

The client authentication mechanism for Secure Dynamic DNS updates is a "TSIG" resource record set included in the update datagram that the client sends to the server. This resource record set contains as its data a signature cryptographically generated from a combination of the datagram contents and a secret key that the client and server share. The server performs the update only if this signature is valid.
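The signing and checking described above, as an added example (not from the original page or from either vendor's code). It shows the MAC computation and the server-side check for the shared-secret HMAC form of TSIG, assuming the digest input layout of RFC 8945 and HMAC-SHA256; the key name, secret, host names and addresses are constructed.

```python
import hashlib
import hmac
import struct

def wire_name(name):
    """Encode a domain name in lower-cased, uncompressed DNS wire format."""
    labels = [part.encode("ascii") for part in name.lower().split(".") if part]
    return b"".join(bytes([len(part)]) + part for part in labels) + b"\x00"

def build_update(zone, host, ipv4, msg_id=0x1234):
    """Constructed DNS UPDATE datagram: add one A record for host in zone."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)  # opcode 5 = UPDATE
    zone_section = wire_name(zone) + struct.pack("!HH", 6, 1)      # type SOA, class IN
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    update = wire_name(host) + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + zone_section + update

def tsig_mac(message, key_name, secret, time_signed, fudge=300):
    """HMAC-SHA256 over the datagram followed by the TSIG variables."""
    variables = (
        wire_name(key_name)
        + struct.pack("!HI", 255, 0)                  # CLASS ANY, TTL 0
        + wire_name("hmac-sha256")                    # algorithm name (assumed)
        + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
        + struct.pack("!HH", 0, 0)                    # error 0, no other data
    )
    return hmac.new(secret, message + variables, hashlib.sha256).digest()

def server_accepts(message, key_name, secret, time_signed, mac, now, fudge=300):
    """Server side: recompute the MAC; the update is performed only on a match."""
    if abs(now - time_signed) > fudge:                # stale or replayed request
        return False
    expected = tsig_mac(message, key_name, secret, time_signed, fudge)
    return hmac.compare_digest(expected, mac)         # constant-time comparison

# Constructed sample values, not taken from any real deployment.
KEY_NAME = "dhcp-updater.example.com"
SECRET = b"constructed-shared-secret-0123456789"
SIGNED_AT = 1_700_000_000
UPDATE = build_update("example.com", "host.example.com", "192.0.2.10")
MAC = tsig_mac(UPDATE, KEY_NAME, SECRET, SIGNED_AT)

if __name__ == "__main__":
    tampered = build_update("example.com", "host.example.com", "192.0.2.66")
    print("genuine :", server_accepts(UPDATE, KEY_NAME, SECRET, SIGNED_AT, MAC, SIGNED_AT + 5))
    print("tampered:", server_accepts(tampered, KEY_NAME, SECRET, SIGNED_AT, MAC, SIGNED_AT + 5))
```
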

Secure Dynamic DNS updates are possible with Microsoft's DHCP client or DHCP server talking to Microsoft's DNS server, or with ISC's DHCP server talking to ISC's DNS server; but they are not possible when one mixes Microsoft and ISC software. Each company's software is capable of performing secure dynamic DNS updates only with the DNS server software from that same company.

Essentially: if one employs Secure Dynamic DNS updates, each company locks one into its own software.


© Copyright 2004–2004 Jonathan de Boyne Pollard. "Moral" rights asserted.
Permission is hereby granted to copy and to distribute this web page in its original, unmodified form as long as its last modification datestamp is preserved.