Bind8 Dynamic DNS How-To?

Duster Shawn M DusterShawnM at JohnDeere.com
Wed Jun 14 19:55:06 UTC 2000


W2K DNS supports something called scavenging/aging, but you need to use
Active Directory Integration to be able to take advantage of it (or let it
take advantage of you).  You can implement MSW2K DNS carrying forward the
idea of primary and secondary DNS servers for zones but scavenging/aging
doesn't work unless you are using AD Integration.  

> -----Original Message-----
> From:	Kevin Darcy [SMTP:kcd at daimlerchrysler.com]
> Sent:	Wednesday, June 14, 2000 2:31 PM
> To:	
> Subject:	Re: Bind8 Dynamic DNS How-To?
> 
> peter at icke-reklam.ipsec.nu wrote:
> 
> > Barry Finkel <b19141 at achilles.ctd.anl.gov> wrote:
> > > Jeff Newton wrote:
> >
> > >>It would seem to me that Win2K boxes aren't the problem here as any
> > >>other client with "permission" to send updates could stomp on any
> > >>DNS entry.
> > >>
> > >>Are stronger-authenticated updates in the works for a future Bind
> > >>release?
> >
> > > As I see it, there are two issues -
> >
> > > 1) Proper authentication of the computer that is sending dynamic DNS
> > >    updates to the SOA master -- Is that computer the real computer at
> > >    that IP address, or has someone on another machine spoofed the IP
> > >    address for the purpose of sending bogus DDNS packets?
> >
> > > 2) The pre-requisite checks that come with the DDNS packets -- With
> > >    improper or incomplete pre-requisite checks, even a properly
> > >    authenticated computer can corrupt a DNS entry via DDNS.  One of the
> > >    reasons for my posting yesterday of my Win2k testing was to show the
> > >    pre-requisites that MS has built into its Win2k code.  I do not agree
> > >    that the MS pre-requisites are 100% correct.  When someone here
> > >    at Argonne sends mail to hostmaster at anl.gov requesting a DNS
> > >    update, the DNS administrators here can check the request for any
> > >    conflicts before we edit the zones.  If we find conflicts, we send
> > >    e-mail back to the requestor asking for clarifications.  With
> > >    DDNS, that manual checking has been converted into the pre-requisite
> > >    sections of the DDNS packets.
> >
> > I would like to add a third issue:
> > 3)   for each entry added by dyndns, remembering which host/source that made it,
> >      and when that source is decommissioned, remove its RRs.
> >
> >      This is no easy task, since no one will tell bind whenever a machine is
> >      switched off for the last time. Without it debris will accumulate in
> >      the database until manually removed.
> >
> > A speculation here, is MS-DNS actually removing these entries when their TTL
> > times out? That would (in a way) solve this dilemma. Comments please!
> >
> 
> Win 2000 DNS has a "scavenging" feature, I believe, which is intended to
> fix this problem. But I'm no expert on that product...
> 
> 
> - Kevin
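The prerequisite checks Barry describes above (RFC 2136 section 2.4), as an added example that is not code from this thread or from BIND: a toy model of how a server evaluates prerequisites before applying an UPDATE, showing that an authenticated client whose request carries no prerequisites can replace another host's A record, while the same request guarded by a "name not in use" prerequisite is refused with YXDOMAIN and the zone is left untouched. The zone contents, names, addresses and helper functions are constructed for the example.

```python
# Toy model of RFC 2136 prerequisite evaluation (added example, not from the thread).
# Zone: {(owner, rtype): [rdata, ...]}.  Prerequisite kinds follow RFC 2136
# section 2.4; RCODE values follow section 2.2.
from copy import deepcopy

NOERROR, YXDOMAIN, YXRRSET, NXRRSET = 0, 6, 7, 8

def check_prereqs(zone, prereqs):
    """Return the RCODE of the first failing prerequisite, NOERROR if all hold."""
    for kind, owner, rtype in prereqs:
        types_at_owner = {t for (n, t) in zone if n == owner}
        if kind == "name_not_in_use" and types_at_owner:
            return YXDOMAIN            # 2.4.5: owner must have no RRs at all
        if kind == "rrset_exists" and rtype not in types_at_owner:
            return NXRRSET             # 2.4.1: RRset must exist
        if kind == "rrset_not_exists" and rtype in types_at_owner:
            return YXRRSET             # 2.4.3: RRset must not exist
    return NOERROR

def apply_update(zone, prereqs, ops):
    """Apply ops atomically (section 3.4) only if every prerequisite holds.
    ops: ("delete_rrset", owner, rtype) or ("add", owner, rtype, rdata)."""
    rcode = check_prereqs(zone, prereqs)
    if rcode != NOERROR:
        return rcode, zone             # refused; zone unchanged
    new = deepcopy(zone)
    for op in ops:
        if op[0] == "delete_rrset":
            new.pop((op[1], op[2]), None)
        elif op[0] == "add":
            new.setdefault((op[1], op[2]), []).append(op[3])
    return NOERROR, new

# Constructed sample zone: the printer already owns this name.
ZONE = {("printer.example.com.", "A"): ["10.0.0.5"]}
# A second host registering the same name: delete the RRset, then add its own address.
OPS = [("delete_rrset", "printer.example.com.", "A"),
       ("add", "printer.example.com.", "A", "10.0.0.9")]

def unguarded_update():
    # Authenticated sender, no prerequisites: the existing A RRset is replaced.
    return apply_update(ZONE, [], OPS)

def guarded_update():
    # Same ops behind "name not in use": refused with YXDOMAIN, zone untouched.
    return apply_update(ZONE, [("name_not_in_use", "printer.example.com.", None)], OPS)

if __name__ == "__main__":
    print(unguarded_update())
    print(guarded_update())
```

The guarded case is the packet-level equivalent of the manual conflict check Barry's hostmaster performs: the collision is detected by the server and the requester gets an error instead of silently overwriting someone else's record.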