BIND 9.3.0 and AD
Johan Ihrén
johani at autonomica.se
Sun Sep 26 15:58:59 UTC 2004
Hi Alan,
> * Does the new DNSSEC stuff allow for signed and/or encrypted transfers and
> updates to/from Active Directory DNS? I am currently allowing these
> interactions based on IP address alone, and am reminded in the logs that
> this is unsafe.
You really want to do TSIG signed zone transfers. This has been working
for years and is not dependent upon the new DNSSEC stuff.
> * Since I have a couple of AD domains I also have a number of underscore
> characters in a couple of zone data files, and have set check-names to
> ignore. This seems like a shame. Is there a "smaller hammer" I can use to
> allow the AD zone data to live in my DNS? For the most part I have pasted
> the netlogin.dns file into my zone data, but in two cases I am actually
> allowing updates from the AD DNS, which is using me as forwarder. It would
> be nice to make use of check-names, but the two AD zones that are sending
> updates are very chatty, and I worry about log volumes and admin numbness if
> I just log the offending names.
I'm really not the one to comment on AD, but it would seem to me that
check-names is the right size of hammer if the problem is one of log
volumes. If the problem is the security of allowing the updates from AD
then check-names would seem to be completely orthogonal to that.
Johan Ihrén
Autonomica
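As an added illustration of the TSIG-signed transfer Johan recommends (this is example code, not part of the original message or of BIND's own documentation): the script below generates a shared secret and emits the named.conf fragments for both sides, with the primary handing out the zone only to requests signed with the key instead of to whatever comes from a trusted IP address. The zone name, key name and 192.0.2.x addresses are constructed placeholders. It also shows check-names scoped to the single AD zone rather than set globally. BIND 9.3, the version in the post, only offered hmac-md5, so change the algorithm if you are still on it; the AD servers' own dynamic updates are a separate matter (Windows uses GSS-TSIG for secure updates, not a static key), so this key only protects the transfer between your own primary and secondary.

```shell
#!/bin/sh
# Added example (not from the post): generate a TSIG key and emit the
# matching named.conf fragments for a TSIG-signed zone transfer between a
# primary and a secondary. Zone, key name and addresses are constructed
# placeholders; 192.0.2.0/24 is the documentation range.

KEY_NAME="ad-xfer-key"      # hypothetical key name
ZONE="corp.example"         # hypothetical AD-integrated zone
PRIMARY_IP="192.0.2.10"     # hypothetical primary server
SECONDARY_IP="192.0.2.20"   # hypothetical secondary server

# 256-bit random secret, base64 encoded: the same shape tsig-keygen produces.
gen_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# The key clause must be byte-for-byte identical on both servers.
# BIND 9.3 (the version in the post) only knew hmac-md5; hmac-sha256 is
# the choice on anything current.
key_clause() {
    printf 'key "%s" {\n    algorithm hmac-sha256;\n    secret "%s";\n};\n' "$1" "$2"
}

# Primary: hand the zone only to requests signed with the key, not to anyone
# who happens to arrive from the secondary's address. check-names is scoped
# to this one zone so AD's underscore labels do not force a global "ignore".
primary_conf() {
    key_clause "$1" "$2"
    printf 'zone "%s" {\n    type master;\n    file "%s.db";\n' "$ZONE" "$ZONE"
    printf '    allow-transfer { key "%s"; };\n' "$1"
    printf '    check-names ignore;\n};\n'
}

# Secondary: sign every request it sends to the primary, and do not pass the
# zone on to anyone else.
secondary_conf() {
    key_clause "$1" "$2"
    printf 'server %s {\n    keys { "%s"; };\n};\n' "$PRIMARY_IP" "$1"
    printf 'zone "%s" {\n    type slave;\n    file "%s.db";\n' "$ZONE" "$ZONE"
    printf '    masters { %s; };\n    allow-transfer { none; };\n};\n' "$PRIMARY_IP"
}

# Command to run from the secondary: a signed AXFR must succeed, and the
# same command without -y must now be refused by the primary.
verify_cmd() {
    printf 'dig @%s %s AXFR -y hmac-sha256:%s:%s\n' "$PRIMARY_IP" "$ZONE" "$1" "$2"
}

emit_all() {
    secret=$(gen_secret)
    echo "### primary named.conf fragment";      primary_conf "$KEY_NAME" "$secret"
    echo "### secondary named.conf fragment";    secondary_conf "$KEY_NAME" "$secret"
    echo "### verification from the secondary";  verify_cmd "$KEY_NAME" "$secret"
}

emit_all
```

Newer BIND releases also accept `secondary`/`primaries` in place of `slave`/`masters`; the older spellings are kept here because they match the 9.3 era of the post. Keep the generated secret out of world-readable files: the key clause is usually placed in a separate file included from named.conf with restrictive permissions.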