Bind 9
Chris Cox
chris_cox at stercomm.com
Sat Mar 27 00:26:39 UTC 2004
Kevin Darcy wrote:
...snip...
> The Win2K clients can be configured to register their names in DNS. You
> can configure either your Win2K clients or your DHCP server (Win2K or
> otherwise) to register the reverse records for those clients in DNS via
> Dynamic Update. HOWEVER, please realize that you have no capability to
> do crypto-secure Dynamic Updates between the Win2K environment and the
> BIND environment, due to the fact that each environment speaks a version
> of crypto that is incompatible with the other. So the most you'd be able
> to do is lock things down by Dynamic Update client address, and if you
> have Win2K clients all over the place, that's basically no security at all.
Why not use ISC DHCP in a DDNS configuration to do it? Sure, unless you
make a registry change on all of the clients they'll continue to hound
your BIND server, but the server will just say no to them.
I have seen way, way too many problems with our DNS/DHCP servers in W2K3...
now admittedly, some of that is configuration issues... but still...
Just too many issues... too much complexity... too much faith in
multi-mastering which any two-year old can tell you can't work.
Also.. the Samba boys have figured out how to do nsupdates via
GSS-TSIG.. so it's now possible to get this working if you just
a have to have it. I think W2K, W2K3 are mistakes in the industry
as a whole... IMHO... better to migrate to something simpler and
smoother (bet you never thought you'd here that about BIND!).
>
> The same considerations apply to Active Directory domain controllers and
> their desire to write SRV records into DNS zones. Although in that case
> you have much fewer numbers of Dynamic Update clients, and so it may be
> feasible to lock these down by source address. For that matter, since
> the SRV records don't change that often, you could turn off Dynamic
> Update altogether and just manually update DNS from the domain
> controllers' netlogon.cnf (or whatever it's called) file every time
> something changes. Another option is to leave the "underscore"
> subdomains, e.g. _msdcs, _tcp, _udp, etc., in MSDNS, delegating them as
> subzones from your main zone. Yet another option is to pick some totally
> separate domain for your AD stuff.
I would allow the W2K/W2K3 servers to do their updates by IP auth inside
of your named.conf for those zones.
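Added example (not from the original post, and not a configuration either poster shared): the two update paths discussed above, expressed as BIND 9 named.conf and ISC DHCP dhcpd.conf fragments. ISC DHCP signs its dynamic updates with a TSIG key, so BIND can accept them by key rather than by address; the domain controllers, which cannot speak BIND's TSIG, are allowed in by source address only, as suggested above. All names, addresses and the key secret are placeholders; ddns-update-style interim is the ISC DHCP 3.x setting of that era (newer releases use "standard").

```conf
# ---- named.conf (BIND 9) ----

# TSIG key shared with the ISC DHCP server. Placeholder secret: generate
# a real one with dnssec-keygen and keep it out of world-readable files.
key "dhcp-update" {
    algorithm hmac-md5;
    secret "PLACEHOLDER-BASE64-SECRET==";
};

# Only the domain controllers may update by bare IP address; anything
# else (including W2K workstations "hounding" the server) gets REFUSED.
acl "ad-dcs" {
    192.0.2.10;
    192.0.2.11;
};

zone "example.com" {
    type master;
    file "db.example.com";
    # dhcpd updates are accepted only when signed with the key;
    # the DCs are accepted by address, and nothing else is.
    allow-update { key "dhcp-update"; ad-dcs; };
};

zone "2.0.192.in-addr.arpa" {
    type master;
    file "db.192.0.2";
    # Reverse records are written by dhcpd only, so no address-based entry.
    allow-update { key "dhcp-update"; };
};

# ---- dhcpd.conf (ISC DHCP 3.x) ----

ddns-update-style interim;
ddns-updates on;
ddns-domainname "example.com";
ddns-rev-domainname "in-addr.arpa";

# Same key name, algorithm and secret as in named.conf.
key dhcp-update {
    algorithm hmac-md5;
    secret PLACEHOLDER-BASE64-SECRET==;
};

# Send signed updates for both the forward and the reverse zone.
zone example.com. {
    primary 192.0.2.53;
    key dhcp-update;
}

zone 2.0.192.in-addr.arpa. {
    primary 192.0.2.53;
    key dhcp-update;
}

subnet 192.0.2.0 netmask 255.255.255.0 {
    range 192.0.2.100 192.0.2.200;
    option domain-name "example.com";
    option domain-name-servers 192.0.2.53;
}
```

With this split, the address-based hole is confined to the handful of DC addresses in the "ad-dcs" ACL; client records flow through dhcpd, whose updates BIND verifies cryptographically. Rejected updates from W2K clients show up in BIND's log as REFUSED "update" messages, which is a useful way to confirm the ACL is doing its job before the client-side registry change is rolled out.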