RE: SRV records considered dubious (was: Re: DNS Choices: Was: [ietf-dkim] Re: Last Call: 'DomainKeys)

> From: william(at)elan.net [mailto:william@xxxxxxxx] 

> On Wed, 22 Nov 2006, Hallam-Baker, Phillip wrote:
> 
> > Microsoft showed the source code to the MARID group. It simply does 
> > not support saving unknown RR blobs.
> >
> > Someone in the DNSEXT working group did a test that showed that if you
> > violate the administration model of Windows it is possible to emit the
> > correct bit strings for new RRs. But that is not a method that any
> > competent system admin would accept in a production service.
> 
> First off, a competent sysadmin would not run his DNS server on 
> Windows (I'll be flamed hard for that statement...) 

In the real world a deployment strategy cannot begin 'first everyone moves to platform X'.

And I note that it's somewhat curious that people who frequently make the argument for diversity in the software gene pool rarely apply it to BIND, this despite the fact that BIND was a notorious bugpot before Vixie took it over.


> Second, if MS really wanted to they could release code to 
> support new records in binary (or even specific ones) as part 
> of their service pack cycle (they in fact do protocol support 
> updates for their other products if it's something missing and 
> necessary) and whoever needs to host this RR on their system 
> with MS DNS server would get this update.

They can only do that if it is classified as a bug rather than a feature. If it is a feature, someone could claim that it was a breach of certain anti-trust agreements made.


> Since you were at MARID you should remember that the issue that was 
> thought to be more serious was not MS DNS server but MS Proxy 
> server, which is apparently very proprietary and only works 
> with MS clients and communicates with them by converting DNS 
> into RPC calls (or something of the sort - whoever knows more 
> about this weird thingy can correct me). Unlike DNS, 
> support for updating this would require changes in both 
> client and server that are deeper, and this proxy server also 
> seems a lot more in use than the actual DNS server for hosting 
> internet domains. Info on updates to this piece of software 
> to support unknown DNS RR types would be most welcome.

The problem there is even worse because the system is effectively an orphan. The network architecture it supports is a little different to the multiple firewall/DMZ scheme that became widespread. Essentially the enterprises that deployed it were willing to pay a bigger price in terms of functionality in return for more comprehensive security.

I don't think those enterprises are going to migrate to a commodity architecture until we start to see a standards based architecture to deal with deperimeterization. This is going to take some time as we don't yet have an agreed architecture.

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf