running w/ win2k as master and bind8 as slave (was win2k's dns)

Jim Reid jim at mpn.cp.philips.com
Tue Aug 31 15:57:29 UTC 1999


>>>>> "steve" == steve rader <rader at teak.wiscnet.net> writes:

    steve> Is there anything about win2k's use of dynamic updates that
    steve> makes using a win2k primary and a BIND 8 slave Rude and/or
    steve> Evil?

There are two parts to this answer. The first part is that Dynamic DNS
is scary IMHO. There are serious security and scaling problems. The
security problem can be summed up by asking "who/what do you trust to
update the DNS?" and "can I be sure they don't tamper with Something
Important like the zone's MX and NS records or the resource records
for our mission critical web/whatever servers?". Secure Dynamic DNS
just changes this problem: you use strong crypto to authenticate the
thing making the update. But there's still no real control over what
that update changes and then you have the intractable problems of key
management to grapple with. The scaling problem is that each update
bumps the zone's serial number, causing another zone transfer. How
often will the DNS be updated because systems get switched on or off
or rebooted? One site in the net here is using Dynamic DNS and their
local name server causes ~300 zone transfers a day to each of its
off-site slave servers. Sigh.

The second part of the answer concerns the software from Redmond. As a
general rule, this seems to do weird and wonderful things unless it is
very carefully set up. I would be very wary about letting the typical
M$ desktop get write access to the DNS. Given their past history, this
would be asking for trouble: who knows what a W2K box will want to
stick in the DNS and how often will it want to do that? And will that
be documented....?

Since W2K is inevitable and it relies on Dynamic DNS, this is going to
be a big problem. The least bad solution I've heard of is delegating a
domain for these systems - say w2k.foo.com - and letting them scribble
whatever they want there, well away from the "really important" stuff
in foo.com. Hopefully this will at least contain the problem. If
anyone has other ideas about how to make W2K and Dynamic DNS co-exist,
I'd be glad to hear them.
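The "delegate a scratch zone" arrangement above, written out as a BIND 8 named.conf. This is an added example, not configuration from the original post or from the Win2K side: foo.com, w2k.foo.com, the addresses 192.0.2.10 (the Win2K DNS/DC), 192.0.2.20 (the off-site foo.com secondary) and the file paths are all assumed names used for illustration.

```conf
// Added example (not from the original message). Hypothetical names and
// addresses: foo.com is the production zone, w2k.foo.com is the delegated
// scratch zone, 192.0.2.10 is the Win2K DNS server, 192.0.2.20 is the
// off-site secondary for foo.com.
options {
    directory "/var/named";
};

// Production zone: BIND 8 is the master here and accepts no dynamic
// updates at all, so MX/NS records and the mission-critical hosts can
// only change when someone edits the zone file and bumps the serial.
zone "foo.com" {
    type master;
    file "master/foo.com";
    allow-update { none; };
    allow-transfer { 192.0.2.20; };
};

// Delegated scratch zone: the Win2K server is the master and BIND 8 is
// a slave. Whatever the desktops register ends up in w2k.foo.com only;
// the serial churn and the resulting zone transfers are confined to this
// zone and never touch foo.com. A BIND 8 slave refuses UPDATE requests,
// so clients have to talk to the Win2K master to register anything.
zone "w2k.foo.com" {
    type slave;
    file "slave/w2k.foo.com";
    masters { 192.0.2.10; };
};
```

For the delegation itself, the foo.com zone file (the only thing under manual control) needs an NS record for the child plus glue, for example `w2k IN NS w2kdns.w2k.foo.com.` and `w2kdns.w2k IN A 192.0.2.10`. Which clients are allowed to update w2k.foo.com is then a setting on the Win2K master, not in named.conf, so the restriction to the right subnet or host set has to be checked there.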


