The New Windows
Matt Larson
matt at acmebw.com
Wed Aug 18 04:19:21 UTC 1999
At 08:10 AM 8/16/99 -0400, Chapman, Matt wrote:

>My employer is moving towards a
>Windows 2000 server deployment and we are part of the beta program. [...]
>Does this mean that the DNS has to run on
>the Windows server or will bind understand this stuff?

Windows 2000 clients and the Windows 2000 DHCP server use standard dynamic
updates secured with GSS-TSIG (described in
ftp://ftp.ietf.org/internet-drafts/draft-skwan-gss-tsig-04.txt). The
default configuration has a client (i.e., an individual workstation)
sending an update to add its A record and a DHCP server sending an update
to add the corresponding PTR record, all secured with GSS-TSIG.

The BIND server does not currently implement GSS-TSIG. But fortunately,
you can configure the Windows 2000 DHCP server to send updates for both A
and PTR records using vanilla dynamic update (no GSS-TSIG). The BIND name
server uses source IP addresses for authentication, but it need only trust
the IP address of the DHCP server and not each Windows 2000
client. Unfortunately, the Windows 2000 DHCP server's use of dynamic
update is less than desirable: it will unceremoniously delete conflicting
address records, allowing a rogue or simply misconfigured client to blow
away an important server's A record by masquerading as the important server.

The upshot is you can make Windows 2000 work with a BIND name
server. Hopefully the DHCP server's behavior will be better in the
released version.

Matt

--
Matt Larson <matt at acmebw.com>
Acme Byte & Wire / http://www.acmebw.com
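As an added illustration, not part of the message above, this is the BIND named.conf arrangement Matt describes: the forward and reverse zones accept unsigned dynamic updates only from the DHCP server's source address, not from individual clients. The zone names, file names and the address 192.0.2.10 are placeholders chosen for the example.

```conf
// Forward zone: the Windows 2000 DHCP server (assumed here to be
// 192.0.2.10) is the only host allowed to add/remove A records.
zone "example.com" {
    type master;
    file "db.example.com";
    // Weak setting to avoid: allow-update { any; };
    // That would let every workstation (or an impostor) rewrite records.
    allow-update { 192.0.2.10; };
};

// Reverse zone for 192.0.2.0/24: same single trusted source for PTR records.
zone "2.0.192.in-addr.arpa" {
    type master;
    file "db.192.0.2";
    allow-update { 192.0.2.10; };
};
```

Source-address matching is the only check BIND applies here, so keep the list to the one DHCP server; it does not address the DHCP server's own willingness to overwrite an existing host's A record, which Matt notes has to be fixed on the Windows side.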