This is because SP4 turns the regkey off. On all my SP3 DCs, it's "1". When you enable the "Secure Cache Against Pollution" option in pre-SP4, the regkey is automatically created and set. I suspect they changed this option in SP4 to address the issue that some people had with the "SecureResponses" regkey. With this key enabled, your DNS servers tend not to look for DNS records through referral. I don't remember where this is documented. See http://support.microsoft.com/?kbid=198409 for info on the missing regkey in SP4.

Sincerely,

Deji Akomolafe, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Creamer, Mark
Sent: Tue 1/27/2004 7:30 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS Registry entry

Hi, can someone either confirm or set me straight on this one...

We have "Secure Cache Against Pollution" enabled on our Win2K SP4 DNS servers. However, our Retina scans were still showing that the servers were vulnerable to that type of compromise. One of the other folks here researched it and found that we first have to create a reg entry in the path HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters called SecureResponses. Then make the Value 1. Is that valid (that we need to do that on each DNS server) or did we misunderstand something?

Thanks!

Mark Creamer

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
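An added audit script, not from either poster, that checks the SecureResponses value under the DNS Parameters key named in the thread across a list of DNS servers and reports whether it is missing, 0 or 1. It assumes PowerShell remoting to the targets (which the Windows 2000 hosts discussed would not have, so there it must be run locally on each server) and uses placeholder server names.

```powershell
# Added example: audit the SecureResponses registry value discussed in the thread.
# Assumes WinRM/PowerShell remoting to the listed servers; the names are placeholders.
$dnsServers = @('DNS-SERVER-1', 'DNS-SERVER-2')   # placeholder names, replace with real DNS servers
$keyPath    = 'HKLM:\System\CurrentControlSet\Services\DNS\Parameters'
$valueName  = 'SecureResponses'

function Get-SecureResponsesState {
    param([string]$Path, [string]$Name)
    # Returns 'Missing' when the value does not exist (the SP4 case in the thread),
    # otherwise the DWORD contents as a string ('0' or '1').
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Missing' }
    return [string]$item.$Name
}

$results = foreach ($server in $dnsServers) {
    # Run the check on the remote server and collect one row per host.
    $state = Invoke-Command -ComputerName $server `
        -ScriptBlock ${function:Get-SecureResponsesState} `
        -ArgumentList $keyPath, $valueName
    [pscustomobject]@{
        Server          = $server
        SecureResponses = $state
        # Only an explicit 1 means the protection the thread discusses is actually on;
        # a missing value or 0 is what the scanner flagged.
        Compliant       = ($state -eq '1')
    }
}

$results | Format-Table -AutoSize

# Remediation for a server that reports Missing or 0 (run on that server, then restart DNS):
#   New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force
#   Restart-Service DNS
```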