Windows 2000 DNS


Dynamic Update and Secure Dynamic Update

Windows 2000 supports both dynamic update, defined in RFC 2136, and secure dynamic update, defined in the IETF Internet-Draft "GSS Algorithm for TSIG (GSS-TSIG)" (later published as RFC 3645). With GSS-TSIG, the client and server first negotiate a GSS-API security context (Kerberos in a Windows 2000 domain) and then sign each update message with a TSIG record, so the server can tell which security principal sent the update.

With dynamic update, a client sends an UPDATE message directly to the name server that is authoritative for the record it wants to change. Before applying the change, the authoritative name server checks the prerequisites carried in the message. Prerequisites are resource records (or whole RRsets) that must be present or absent in the zone before the update may proceed; for example, a client registering its own name can require that no record exists at that name yet. For more information about prerequisites, see "Introduction to DNS" in this book. If every prerequisite is met, the authoritative name server applies the change, which can add records, delete records, or modify records (a delete followed by an add in the same message). If any prerequisite fails, the server returns an error response code and leaves the zone unchanged.
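The exchange behind that paragraph, as an added example (not code from the Resource Kit, and not the Windows 2000 client's own implementation): a Python script that serializes an RFC 2136 UPDATE message with a prerequisite section and an update section, and a minimal server-side prerequisite evaluator that returns the RCODE the server would answer with. The zone and host names (example.com, host1.example.com, host2.example.com), the IP addresses and the in-memory zone database are constructed for the example; the script builds the message bytes but does not send them.

```python
"""RFC 2136 dynamic update: the UPDATE message a client sends and the
prerequisite check an authoritative server makes before touching the zone.
Added example; names, addresses and the zone database are constructed."""
import struct
from dataclasses import dataclass

OPCODE_UPDATE = 5                                 # RFC 2136 opcode
NOERROR, FORMERR, NXDOMAIN = 0, 1, 3              # RCODEs, RFC 1035 / 2136
YXDOMAIN, YXRRSET, NXRRSET = 6, 7, 8
TYPE_A, TYPE_SOA, TYPE_ANY = 1, 6, 255
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255


@dataclass(frozen=True)
class RR:
    name: str
    rtype: int
    rclass: int
    ttl: int = 0
    rdata: bytes = b""


def encode_name(name):
    """FQDN to uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label or len(label) > 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def encode_rr(rr):
    """NAME TYPE CLASS TTL RDLENGTH RDATA, in wire order."""
    return (encode_name(rr.name)
            + struct.pack("!HHIH", rr.rtype, rr.rclass, rr.ttl, len(rr.rdata))
            + rr.rdata)


def build_update(zone, prereqs, updates, msg_id=0x1234):
    """Header (opcode 5; counts = zone, prerequisite, update, additional),
    zone section (zone name, SOA, IN), then the prerequisite and update RRs."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11,
                         1, len(prereqs), len(updates), 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + zone_section + b"".join(map(encode_rr, prereqs + updates))


# Prerequisite encodings (RFC 2136 section 2.4): CLASS ANY or NONE with empty
# RDATA means "exists" or "does not exist"; the zone class with RDATA means
# "the RRset must consist of exactly these records".
def name_in_use(name):
    return RR(name, TYPE_ANY, CLASS_ANY)

def name_not_in_use(name):
    return RR(name, TYPE_ANY, CLASS_NONE)

def rrset_exists(name, rtype):
    return RR(name, rtype, CLASS_ANY)

def rrset_equals(name, rtype, rdatas):
    return [RR(name, rtype, CLASS_IN, 0, rd) for rd in rdatas]


def check_prerequisites(zone_db, prereqs):
    """Server side (RFC 2136 section 3.2). zone_db maps an owner name to
    {rtype: set_of_rdata}. Returns NOERROR only if every prerequisite holds;
    on the first failure returns its RCODE, and the server changes nothing."""
    wanted = {}                                   # value-dependent RRsets
    for rr in prereqs:
        have = zone_db.get(rr.name, {})
        if rr.ttl != 0 or (rr.rclass != CLASS_IN and rr.rdata):
            return FORMERR                        # TTL 0; ANY/NONE carry no RDATA
        if rr.rclass == CLASS_ANY:                # must exist
            if rr.rtype == TYPE_ANY and not have:
                return NXDOMAIN
            if rr.rtype != TYPE_ANY and rr.rtype not in have:
                return NXRRSET
        elif rr.rclass == CLASS_NONE:             # must not exist
            if rr.rtype == TYPE_ANY and have:
                return YXDOMAIN
            if rr.rtype != TYPE_ANY and rr.rtype in have:
                return YXRRSET
        elif rr.rclass == CLASS_IN:               # must equal these records
            wanted.setdefault((rr.name, rr.rtype), set()).add(rr.rdata)
        else:
            return FORMERR
    for (name, rtype), rdatas in wanted.items():
        if zone_db.get(name, {}).get(rtype, set()) != rdatas:
            return NXRRSET
    return NOERROR


def register_a(zone_db, zone, host, ipv4, ttl=1200):
    """A client claiming a name: add an A record only if nothing exists at
    the name yet. Returns (message bytes, RCODE the server would answer)."""
    prereqs = [name_not_in_use(host)]
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    updates = [RR(host, TYPE_A, CLASS_IN, ttl, rdata)]
    msg = build_update(zone, prereqs, updates)
    rcode = check_prerequisites(zone_db, prereqs)
    if rcode == NOERROR:                          # prerequisites met: apply
        zone_db.setdefault(host, {}).setdefault(TYPE_A, set()).add(rdata)
    return msg, rcode
```

The evaluator mirrors RFC 2136 section 3.2: a prerequisite with CLASS ANY asserts existence, CLASS NONE asserts absence, and a prerequisite in the zone's class carries RDATA and asserts that the RRset consists of exactly those records. Any failure returns before anything is changed, which is what lets a client claim a free name atomically instead of querying first and racing another registrant.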



Note

Both clients and servers can send dynamic updates.

Dynamic update provides the following benefits:

Secure dynamic update works like dynamic update, with one exception: the authoritative name server accepts an update only from a client or server that is authorized to make dynamic updates to the corresponding dnsZone and dnsNode objects in Active Directory. Authorization is decided by the access control lists on those objects, and the identity checked against them comes from the GSS-TSIG signature on the update message; an update that carries no valid signature cannot be matched to a security principal and is refused by a zone that allows only secure dynamic update.

Secure dynamic update provides the following benefits:



Note

Any primary zone can be configured for dynamic update. However, only Active Directory–integrated zones can be configured for secure dynamic update, because the permissions that secure dynamic update enforces are stored as access control lists on the zone and node objects in Active Directory.

By default, the dynamic update client attempts a non-secure dynamic update first and, if the server refuses it, negotiates a secure dynamic update. You can instead configure the client to attempt only non-secure dynamic update, or only secure dynamic update, by adding the UpdateSecurityLevel entry (REG_DWORD) to the following subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

The value of UpdateSecurityLevel can be set to the decimal values 0, 16, or 256, which configure security as follows:

0    Attempt non-secure dynamic update first; if the server refuses it, negotiate a secure dynamic update. This is the default, and also the behavior when the entry is absent.
16   Attempt only non-secure dynamic update.
256  Attempt only secure dynamic update.
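Reading and setting that entry from Python, as an added example that is not part of the original page. The mode labels ("default", "nonsecure-only", "secure-only") are this example's own names for the three documented values; the registry access uses the standard winreg module, so read_level and set_level work only on Windows (set_level needs administrative rights), while the mapping and description helpers run anywhere.

```python
"""UpdateSecurityLevel helper for the Windows DNS dynamic update client.
Added example; the mode labels are this script's own, the REG_DWORD values
are the documented ones. Registry reads/writes need Windows (winreg)."""
import sys

REG_KEY = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"   # under HKLM
VALUE_NAME = "UpdateSecurityLevel"

# Documented decimal values: 0 = non-secure first, then secure (default);
# 16 = non-secure only; 256 = secure only.
MODES = {"default": 0, "nonsecure-only": 16, "secure-only": 256}
BEHAVIOUR = {
    0: "attempt non-secure dynamic update first, then negotiate secure dynamic update",
    16: "attempt only non-secure dynamic update; refused by secure-only zones",
    256: "attempt only secure dynamic update",
}


def value_for(mode):
    """Validate a mode label and return the REG_DWORD to store."""
    try:
        return MODES[mode]
    except KeyError:
        raise ValueError(f"unknown mode {mode!r}; choose one of {sorted(MODES)}") from None


def describe(value):
    """Explain a stored value. None means the entry is absent, which the
    client treats like 0. Undocumented values are rejected, not guessed at."""
    if value is None:
        return BEHAVIOUR[0] + " (entry absent, built-in default)"
    if value not in BEHAVIOUR:
        raise ValueError(f"{value} is not a documented {VALUE_NAME} value")
    return BEHAVIOUR[value]


def read_level():
    """Return the stored value, or None if the entry does not exist."""
    import winreg                                   # Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_KEY) as key:
        try:
            value, kind = winreg.QueryValueEx(key, VALUE_NAME)
        except FileNotFoundError:
            return None
    if kind != winreg.REG_DWORD:
        raise TypeError(f"{VALUE_NAME} has registry type {kind}, expected REG_DWORD")
    return value


def set_level(mode):
    """Write the value for `mode`; requires administrative rights."""
    import winreg                                   # Windows only
    value = value_for(mode)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_KEY, 0,
                        winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_DWORD, value)
    return value


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("registry access needs Windows; the mapping helpers still import")
    if len(sys.argv) > 1:
        print(f"set {VALUE_NAME} = {set_level(sys.argv[1])}")
    current = read_level()
    print(f"{VALUE_NAME} = {current}: {describe(current)}")
```

Run it with no argument to print the current setting, or with a mode label to change it; after a change, run `ipconfig /registerdns` so that the client re-registers its records under the new policy.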



Caution

If you disable secure dynamic update (UpdateSecurityLevel set to 16), the client cannot update zones that are configured to accept only secure dynamic update: the server refuses its non-secure updates, and the client never falls back to a secure one.

Also, if you configure a zone to use only secure dynamic update, make sure that the DHCP servers that update records in the zone are not installed on domain controllers. The DHCP Server service on a domain controller runs under the domain controller's computer account, which has full control of the DNS objects stored in Active Directory. A DHCP server that registers A resource records on behalf of its clients can therefore take ownership of names that belong to computers that register their own records, and those computers can no longer update their own records afterward.

© 1985-2000 Microsoft Corporation. All rights reserved.