Bind 9
Kevin Darcy
kcd at daimlerchrysler.com
Sat Mar 27 00:15:18 UTC 2004
jt wrote:
>Hi all,
>--------------------------
>we're planning to switch from the Win2K DNS to a BIND9-based DNS for
>several reasons.
>This makes several questions pop up.....
>
>I know the question sounds dumb, but does this affect the AD operation in
>any way?
>
>The DDNS feature in Bind9 should enable us to automatically update the DNS
>if required,
>do there exist requirements to have a specific DHCP in use so as to get DDNS
>running?
>
The Win2K clients can be configured to register their names in DNS. You
can configure either your Win2K clients or your DHCP server (Win2K or
otherwise) to register the reverse records for those clients in DNS via
Dynamic Update. HOWEVER, please realize that you have no capability to
do crypto-secure Dynamic Updates between the Win2K environment and the
BIND environment, due to the fact that each environment speaks a version
of crypto that is incompatible with the other. So the most you'd be able
to do is lock things down by Dynamic Update client address, and if you
have Win2K clients all over the place, that's basically no security at all.
The same considerations apply to Active Directory domain controllers and
their desire to write SRV records into DNS zones. Although in that case
you have far fewer Dynamic Update clients, and so it may be
feasible to lock these down by source address. For that matter, since
the SRV records don't change that often, you could turn off Dynamic
Update altogether and just manually update DNS from the domain
controllers' netlogon.cnf (or whatever it's called) file every time
something changes. Another option is to leave the "underscore"
subdomains, e.g. _msdcs, _tcp, _udp, etc., in MSDNS, delegating them as
subzones from your main zone. Yet another option is to pick some totally
separate domain for your AD stuff.
- Kevin
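As an added illustration of the lock-down-by-source-address option discussed above (this is a constructed example, not Kevin's configuration or anything posted in the thread), here is a named.conf fragment; the zone names, the ACL name and all addresses are assumed placeholders:

```conf
// named.conf fragment (constructed example, not from the original post).
// Assumed placeholders: zone example.com, domain controllers dc1/dc2 at
// 192.0.2.10 and 192.0.2.11, DHCP server at 192.0.2.5.

// The only hosts that need to write the AD SRV and A records.
acl "ad-dcs" {
    192.0.2.10;   // dc1.example.com (assumed)
    192.0.2.11;   // dc2.example.com (assumed)
};

zone "example.com" {
    type master;
    file "master/example.com.db";

    // Weak: every host that can reach the server may rewrite the zone.
    // Letting each Win2K client register itself ends up close to this,
    // because the whole client address space has to be listed.
    // allow-update { any; };

    // Narrower: only the domain controllers may send Dynamic Updates.
    // This is a source-address check only; an update with a forged
    // source address from a listed host passes, since the TSIG used by
    // BIND and the Win2K secure-update crypto do not interoperate here.
    allow-update { ad-dcs; };
};

// Reverse zone: let the DHCP server register the PTR records on behalf
// of the clients, so a single address is the only permitted updater.
zone "2.0.192.in-addr.arpa" {
    type master;
    file "master/2.0.192.in-addr.arpa.db";
    allow-update { 192.0.2.5; };   // DHCP server (assumed)
};

// The "no Dynamic Update at all" option from the reply is the default:
// a zone with no allow-update statement rejects every update, and the
// SRV records are then maintained by hand whenever they change.
```

The underscore subzones (_msdcs, _tcp, _udp, ...) delegated back to MSDNS would instead be plain NS records in the example.com zone file, so no allow-update is needed for them in BIND at all.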
More information about the bind-users mailing list