Windows 2000 Dynamic update

Kevin Darcy kcd at daimlerchrysler.com
Fri Apr 27 20:31:11 UTC 2001


Jim Reid wrote:

> >>>>> "Donald" == BRANCH DONALD <DBRANCH at ibjus.com> writes:
>
>     Donald>     Any feelings about bind 9.1.1 being dynamically
>     Donald> updated from windows 2000 on an internal DNS.
>
> Just say no. It's not a good idea to use Dynamic DNS with zones
> containing important data because whatever is allowed to send dynamic
> updates can usually change *anything* in the zone. They can add or
> remove MX records, NS records, redirect www.your-domain-name,
> whatever. Unless you use BIND9's update-policy clause, the server has
> no fine-grained control over what dynamic clients change, irrespective
> of whether the requests are authenticated with some key or not.
>
> The plug-and-play semantics from WINS that W2K has introduced makes
> this doubly dangerous. It's bad enough allowing a carefully managed
> "trusted" system to make dynamic updates, but a random W2K box...
> And who knows what they add, replace or remove? Would anyone *really*
> want a typical W2K desktop scribbling all over their zone files?
>
> The best thing to do is delegate the domains that W2K uses for Active
> Directory to some W2K servers and leave them to get on with it. That
> way all the AD stuff and DDNS is kept away from important activity
> like web serving or mail delivery. This also bypasses the thorny
> problem of authentication. The W2K DDNS requests can be authenticated
> by the W2K server using the proprietary GSS-TSIG mechanism which is
> currently known only to Microsoft.

An intermediate solution is to delegate the _tcp.example.com,
_udp.example.com, etc. domains and only open those subzones up for
Dynamic Update by Win2K Domain Controllers (authenticated by IP address).
Sure, it's dangerous, but the worst that can happen is that the AD stuff
gets screwed up; the main domain, e.g. example.com, is insulated from
those dangers.


- Kevin
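A BIND 9 named.conf sketch of the split Kevin describes, added here as an illustration and not taken from the thread; the domain-controller addresses are constructed placeholders and the zone file names are assumed:

```conf
// Added example, not from the original thread: BIND 9 named.conf fragment
// implementing the split described above. Domain-controller addresses are
// constructed placeholders; zone file names are assumed.
acl w2k-dcs {
    192.0.2.10;      // placeholder: first Win2K domain controller
    192.0.2.11;      // placeholder: second Win2K domain controller
};

// The main zone holds the records that matter (MX, NS, www, ...).
// It accepts no dynamic updates at all, so no W2K box can alter them.
zone "example.com" {
    type master;
    file "example.com.zone";          // assumed file name
    allow-update { none; };
    // example.com.zone must delegate the AD subdomains to this server, e.g.:
    //   _tcp.example.com.  IN NS  ns1.example.com.
    //   _udp.example.com.  IN NS  ns1.example.com.
};

// The AD service-record subdomains are separate zones. Only the listed
// domain controllers may update them, and the worst they can damage is
// the AD data living in these zones. Other AD subdomains (the "etc." in
// the post) follow the same pattern.
zone "_tcp.example.com" {
    type master;
    file "_tcp.example.com.zone";     // assumed file name
    allow-update { w2k-dcs; };
};

zone "_udp.example.com" {
    type master;
    file "_udp.example.com.zone";     // assumed file name
    allow-update { w2k-dcs; };
};
```

Matching updaters by source address in allow-update is only as strong as the surrounding network, which is the residual risk Kevin acknowledges; where a key is available, the update-policy clause Jim mentions can restrict updates further.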
