algorithm defined in the Internet Draft “GSS Algorithm for TSIG (GSS-TSIG).” This algorithm is based on the Generic Security Service Application Program Interface (GSS-API) specified in RFC 2078. It provides security services independently of the underlying security mechanism, and separates the security services into the following processes:

Establishing a security context by passing security tokens.

Once a security context has been established, it has a finite lifetime during which it can be used to create and verify transaction signatures on messages between the two parties.

The sequence of events in the Secure Dynamic Update process is described below.

[Figure: sequence of the Secure Dynamic Update process. Participants: Client, Local name server, Server, Active Directory. Labelled exchanges, in order: Find authoritative server / Result; Attempt non-secure update / Refused; TKEY negotiation (Kerberos); Update with TSIG / Reply (Success or Failure) with TSIG; Attempt to Update Active Directory with LDAP / Reply (Success or Failure) with LDAP.]
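The "Update with TSIG" step and the signature creation and verification described above, as an added example that is not from the white paper: the client builds a DNS UPDATE, computes the transaction signature over the message plus the TSIG variables, and the server verifies it and enforces the time window. The key name, algorithm name and secret are constructed, and HMAC-SHA256 stands in for the GSS_GetMIC call a real GSS-TSIG security context would use.

```python
import hashlib, hmac, struct, time

# Constructed demo secret standing in for the security context negotiated
# via TKEY. Under GSS-TSIG the MAC comes from GSS_GetMIC over that context;
# HMAC-SHA256 is used here only so the example runs stand-alone.
DEMO_KEY = b"constructed-demo-secret"
KEY_NAME = "1234.sig-example.invalid."   # assumed TKEY key name
ALG_NAME = "gss-tsig."                    # GSS-TSIG algorithm name

def encode_name(name):
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_update(zone, name, addr, msg_id=0x1234):
    """Minimal DNS UPDATE (opcode 5): one zone section entry, one A record."""
    header = struct.pack("!HHHHHH", msg_id, 0x2800, 1, 0, 1, 0)
    zone_q = encode_name(zone) + struct.pack("!HH", 6, 1)          # SOA, IN
    rdata = bytes(int(o) for o in addr.split("."))
    rr = encode_name(name) + struct.pack("!HHIH", 1, 1, 3600, 4) + rdata
    return header + zone_q + rr

def tsig_variables(key_name, alg, time_signed, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC (RFC 2845 3.4.2): canonical key name,
    class ANY, TTL 0, algorithm, 48-bit time signed, fudge, error, other."""
    return (encode_name(key_name.lower()) + struct.pack("!HI", 255, 0)
            + encode_name(alg.lower())
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def sign_update(message, key, key_name, alg, time_signed, fudge=300):
    """MAC for an initial request: covers the unsigned message plus the TSIG
    variables (no prior request MAC, since this is the first message)."""
    data = message + tsig_variables(key_name, alg, time_signed, fudge)
    return hmac.new(key, data, hashlib.sha256).digest()

def verify_update(message, mac, key, key_name, alg, time_signed, fudge, now):
    """Server-side check: reject stale signatures first, then compare the
    recomputed MAC in constant time. Returns the TSIG error name."""
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    expected = sign_update(message, key, key_name, alg, time_signed, fudge)
    return "NOERROR" if hmac.compare_digest(expected, mac) else "BADSIG"

if __name__ == "__main__":
    msg = build_update("example.invalid.", "host.example.invalid.", "192.0.2.10")
    t = int(time.time())
    mac = sign_update(msg, DEMO_KEY, KEY_NAME, ALG_NAME, t)
    print(verify_update(msg, mac, DEMO_KEY, KEY_NAME, ALG_NAME, t, 300, t + 5))
```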

Windows 2000 White Paper
