2.1.2 Client Security Settings
The DNS RPC client SHOULD use a security support provider (SSP) over RPC, as specified in [MS-RPCE], for sessions using TCP as the RPC transport protocol. A client SHOULD authenticate using:
RPC_C_AUTHN_GSS_NEGOTIATE
A client using TCP as the RPC transport requests RPC_C_AUTHN_LEVEL_PKT_INTEGRITY authentication with the DNS server.
For negotiating RPC security, the DNS RPC client uses the following parameters:
The client SHOULD<3> request mutual authentication by requesting the RPC_C_QOS_CAPABILITIES_MUTUAL_AUTH capability. The client MAY additionally request the RPC_C_QOS_CAPABILITIES_IGNORE_DELEGATE_FAILURE capability.
The identity tracking type is set to RPC_C_QOS_IDENTITY_STATIC.
The impersonation type is set to RPC_C_IMP_LEVEL_IMPERSONATE, indicating that the server can impersonate the client; the client MAY instead specify RPC_C_IMP_LEVEL_DELEGATE.<4>
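The settings above, expressed as an RPC_SECURITY_QOS plus a check that reports where a client's parameters deviate from this section. This is an added example, not code from the specification: the dnsp_* functions and DNSP_* finding bits are hypothetical names, the numeric constants in the non-Windows branch are copied from rpcdce.h, and treating an authentication level above RPC_C_AUTHN_LEVEL_PKT_INTEGRITY as acceptable is an assumption of the example.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <rpc.h>
#else  /* values mirrored from rpcdce.h so the check also builds off Windows */
enum { RPC_C_AUTHN_GSS_NEGOTIATE = 9, RPC_C_AUTHN_LEVEL_PKT_INTEGRITY = 5,
       RPC_C_QOS_CAPABILITIES_MUTUAL_AUTH = 0x1, RPC_C_QOS_IDENTITY_STATIC = 0,
       RPC_C_IMP_LEVEL_IMPERSONATE = 3, RPC_C_IMP_LEVEL_DELEGATE = 4,
       RPC_C_SECURITY_QOS_VERSION = 1 };
typedef struct { unsigned long Version, Capabilities, IdentityTracking,
                 ImpersonationType; } RPC_SECURITY_QOS;
#endif
/* Hypothetical finding bits, one per requirement in section 2.1.2. */
enum { DNSP_BAD_AUTHN_SVC = 1, DNSP_WEAK_AUTHN_LEVEL = 2, DNSP_NO_MUTUAL_AUTH = 4,
       DNSP_BAD_IDENTITY = 8, DNSP_BAD_IMP_LEVEL = 16 };

/* Fill in the QOS this section describes for a client using TCP. */
void dnsp_default_qos(RPC_SECURITY_QOS *q) {
    q->Version = RPC_C_SECURITY_QOS_VERSION;
    q->Capabilities = RPC_C_QOS_CAPABILITIES_MUTUAL_AUTH;  /* SHOULD request */
    q->IdentityTracking = RPC_C_QOS_IDENTITY_STATIC;
    q->ImpersonationType = RPC_C_IMP_LEVEL_IMPERSONATE;    /* MAY be DELEGATE */
}

/* Return a bitmask of deviations; 0 means the settings match the section. */
unsigned dnsp_audit(unsigned long svc, unsigned long level, const RPC_SECURITY_QOS *q) {
    unsigned f = 0;
    if (svc != RPC_C_AUTHN_GSS_NEGOTIATE) f |= DNSP_BAD_AUTHN_SVC;
    /* Assumption: only a level weaker than PKT_INTEGRITY is flagged. */
    if (level < RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) f |= DNSP_WEAK_AUTHN_LEVEL;
    if (!(q->Capabilities & RPC_C_QOS_CAPABILITIES_MUTUAL_AUTH)) f |= DNSP_NO_MUTUAL_AUTH;
    if (q->IdentityTracking != RPC_C_QOS_IDENTITY_STATIC) f |= DNSP_BAD_IDENTITY;
    if (q->ImpersonationType != RPC_C_IMP_LEVEL_IMPERSONATE &&
        q->ImpersonationType != RPC_C_IMP_LEVEL_DELEGATE) f |= DNSP_BAD_IMP_LEVEL;
    return f;
}
#ifdef _WIN32
/* Apply the settings to an existing ncacn_ip_tcp binding (link with rpcrt4.lib). */
RPC_STATUS dnsp_secure_binding(RPC_BINDING_HANDLE h, RPC_WSTR spn) {
    RPC_SECURITY_QOS q;
    dnsp_default_qos(&q);
    return RpcBindingSetAuthInfoExW(h, spn, RPC_C_AUTHN_LEVEL_PKT_INTEGRITY,
               RPC_C_AUTHN_GSS_NEGOTIATE, NULL, RPC_C_AUTHZ_NONE, &q);
}
#endif

int main(void) {  /* constructed weak client: NTLM, connect level, no mutual auth, identify */
    RPC_SECURITY_QOS q = { RPC_C_SECURITY_QOS_VERSION, 0, 0, 2 };
    printf("findings=0x%x\n", dnsp_audit(10, 2, &q));
    return 0;
}
```

A non-zero mask from dnsp_audit identifies which of the section's parameters a client configuration departs from, which is useful when reviewing management tools that bind to the DNS server over TCP.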