Windows 2000 Dynamic update

Jim Reid jim at rfc1035.com
Thu Apr 26 23:36:41 UTC 2001


>>>>> "Donald" == BRANCH DONALD <DBRANCH at ibjus.com> writes:

    Donald> 	Any feelings about bind 9.1.1 being dynamically
    Donald> updated from windows 2000 on an internal DNS.

Just say no. It's not a good idea to use Dynamic DNS with zones
containing important data because whatever is allowed to send dynamic
updates can usually change *anything* in the zone. They can add or
remove MX records, NS records, redirect www.your-domain-name,
whatever. Unless you use BIND9's update-policy clause, the server has
no fine-grained control over what dynamic clients change, irrespective
of whether the requests are authenticated with some key or not.

The plug-and-play semantics from WINS that W2K has introduced make
this doubly dangerous. It's bad enough allowing a carefully managed
"trusted" system to make dynamic updates, but a random W2K box...
And who knows what they add, replace or remove? Would anyone *really*
want a typical W2K desktop scribbling all over their zone files?

The best thing to do is delegate the domains that W2K uses for Active
Directory to some W2K servers and leave them to get on with it. That
way all the AD stuff and DDNS is kept away from important activity
like web serving or mail delivery. This also bypasses the thorny
problem of authentication. The W2K DDNS requests can be authenticated
by the W2K server using the proprietary GSS-TSIG mechanism which is
currently known only to Microsoft.
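The update-policy clause Jim refers to, as an added named.conf example that is not from the original post or from BIND's documentation: the first zone shows the coarse allow-update setting, where anyone holding the key can change any record in the zone, and the second shows update-policy limiting each key to its own A/AAAA records and a DHCP key to one subdomain. Zone names, key names and the secret are assumed placeholders.

```conf
// Key shared with the dynamic clients. The secret here is just the
// word "PLACEHOLDER" base64-encoded, not a usable secret.
key "host-key" {
    algorithm hmac-md5;
    secret "UExBQ0VIT0xERVI=";
};

// Weak: allow-update is all-or-nothing. Any client presenting
// "host-key" can add, replace or delete *any* record in the zone,
// including MX, NS and www.
zone "weak.example.com" {
    type master;
    file "weak.example.com.zone";
    allow-update { key "host-key"; };
};

// Hardened: update-policy grants are scoped by identity (key name),
// name and record type. Records not listed cannot be touched.
zone "corp.example.com" {
    type master;
    file "corp.example.com.zone";
    update-policy {
        // A key named after a host may only change that host's own
        // address records ("self": updated name must equal the key name).
        grant *.corp.example.com. self *.corp.example.com. A AAAA;
        // A DHCP server key may only touch names below hosts.corp.example.com.
        grant dhcp-key. subdomain hosts.corp.example.com. A PTR;
    };
};

// The zone holding mail and web records stays static: no allow-update,
// no update-policy. Active Directory names live in a delegated subzone
// served by the W2K machines, as suggested above.
zone "example.com" {
    type master;
    file "example.com.zone";
};
```

Run named-checkconf against the file after editing; a grant line with a typo in the name type or record type is rejected at load time rather than silently ignored.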

