From: william(at)elan.net [mailto:william(_at_)elan(_dot_)net]
On Wed, 22 Nov 2006, Hallam-Baker, Phillip wrote:
Microsoft showed the source code to the MARID group. It simply does
not support saving unknown RR blobs.
Someone in the DNSEXT working group did a test that showed that if you violate the administration model of Windows it is possible to emit the correct bit strings for new RRs. But that is not a method that any competent system admin would accept in a production service.
First off, a competent sysadmin would not run his DNS server on Windows (I'll be flamed hard for that statement...)
In the real world a deployment strategy cannot begin 'first everyone moves to
And I note that it's somewhat curious that people who frequently make the argument for diversity in the software gene pool rarely apply it to BIND, this despite the fact that BIND was a notorious bugpot before Vixie took it over.
Second, if MS really wanted to, they could release code to support new records in binary (or even specific ones) as part of their service pack cycle (they in fact do protocol support updates for their other products if it's something missing and necessary), and whoever needs to host this RR on their system with MS DNS server would get this update.
They can only do that if it is classified as a bug rather than a feature. If it
is a feature someone could claim that it was a breach of certain anti-trust
Since you were at MARID you should remember that the issue that was thought to be more serious was not MS DNS server but MS Proxy server, which is apparently very proprietary and only works with MS clients and communicates with them by converting DNS into RPC calls (or something of the sort; whoever knows more about this weird thingy can correct me). Unlike DNS, supporting the update of this would require changes in both client and server that are deeper, and this proxy server also seems a lot more in use than the actual DNS server for hosting internet domains. Info on updates to this piece of software to support unknown DNS RR types would be most welcome.
The problem there is even worse because the system is effectively an orphan.
The network architecture it supports is a little different to the multiple
firewall/DMZ scheme that became widespread. Essentially the enterprises that
deployed it were willing to pay a bigger price in terms of functionality in
return for more comprehensive security.
I don't think those enterprises are going to migrate to a commodity architecture until we start to see a standards-based architecture to deal with deperimeterization. This is going to take some time as we don't yet have an
Ietf mailing list
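The thread above turns on whether a server can carry an RR type it has no parser for: the "correct bit strings for new RRs" and "support new records in binary" that both writers refer to. The standard mechanism for that is the RFC 3597 generic presentation format (`\# <length> <hex>`), which lets a zone file and a server store any RDATA as an opaque blob and put the same octets on the wire. The code below is an added example written for this page, not code from either correspondent or from any vendor's server. It assumes TYPE99 as the sample unknown type and uses a constructed TXT-style RDATA string; nothing here reflects how MS DNS server or BIND is implemented internally.

```python
"""
Added example: RFC 3597 generic ("unknown type") RR handling.
Encodes arbitrary RDATA into the '\# <len> <hex>' zone-file form, parses
that form back (validating the declared length, tolerating whitespace in
the hex as RFC 3597 allows), and assembles the RFC 1035 wire-format RR
that a resolver expects regardless of whether the server knows the type.
TYPE99 and the sample RDATA below are assumptions for illustration.
"""
import re
import struct

_GENERIC_RE = re.compile(r"\\#\s+(\d+)((?:\s+[0-9a-fA-F]+)*)\s*")


def encode_generic_rdata(rdata: bytes) -> str:
    """Return the RFC 3597 presentation form of arbitrary RDATA."""
    if not rdata:
        return "\\# 0"
    return f"\\# {len(rdata)} {rdata.hex()}"


def decode_generic_rdata(text: str) -> bytes:
    """Parse '\# <len> <hex...>' into bytes, rejecting length mismatches.

    Whitespace between groups of hex digits is permitted (RFC 3597 s.5),
    so '\# 4 0b76 3d73' and '\# 4 0b763d73' are equivalent.
    """
    m = _GENERIC_RE.fullmatch(text)
    if not m:
        raise ValueError("not RFC 3597 generic syntax")
    declared = int(m.group(1))
    hexdata = "".join(m.group(2).split())
    if len(hexdata) % 2:
        raise ValueError("odd number of hex digits")
    data = bytes.fromhex(hexdata)
    if len(data) != declared:
        raise ValueError(f"length mismatch: declared {declared}, got {len(data)}")
    return data


def parses_ok(text: str) -> bool:
    """True if text is well-formed generic syntax with a consistent length."""
    try:
        decode_generic_rdata(text)
        return True
    except ValueError:
        return False


def character_strings(*strings: str) -> bytes:
    """Build TXT-style RDATA: a sequence of <len><octets> character-strings."""
    out = bytearray()
    for s in strings:
        b = s.encode("ascii")
        if len(b) > 255:
            raise ValueError("character-string longer than 255 octets")
        out.append(len(b))
        out += b
    return bytes(out)


def encode_name(name: str) -> bytes:
    """Encode a domain name as RFC 1035 labels (no compression)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        b = label.encode("ascii")
        if not 1 <= len(b) <= 63:
            raise ValueError("label length must be 1..63 octets")
        out.append(len(b))
        out += b
    out.append(0)
    return bytes(out)


def generic_rr_line(owner: str, ttl: int, rrtype: int, rdata: bytes) -> str:
    """Zone-file line using the TYPEnnn mnemonic and generic RDATA form."""
    return f"{owner} {ttl} IN TYPE{rrtype} {encode_generic_rdata(rdata)}"


def wire_rr(owner_wire: bytes, rrtype: int, ttl: int, rdata: bytes) -> bytes:
    """Assemble the wire-format RR: NAME, TYPE, CLASS=IN, TTL, RDLENGTH, RDATA."""
    return owner_wire + struct.pack("!HHIH", rrtype, 1, ttl, len(rdata)) + rdata


if __name__ == "__main__":
    # Constructed sample: a TXT-shaped RDATA stored under an "unknown" TYPE99.
    rdata = character_strings("v=spf1 -all")
    line = generic_rr_line("example.com.", 3600, 99, rdata)
    print(line)
    assert decode_generic_rdata(line.split("IN TYPE99 ", 1)[1]) == rdata
    print(wire_rr(encode_name("example.com."), 99, 3600, rdata).hex())
```

The point of the round trip is that a server only needs the length-prefixed blob: it never has to understand the RDATA to serve it correctly, which is exactly the capability the thread says was missing. The length check in `decode_generic_rdata` is the check a practitioner wants, since a zone file whose declared length disagrees with its hex must be rejected rather than silently truncated or padded.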