MS dynamic DNS supports static and dynamic entries in same zone?

George Young gyoung at gldata.com
Tue Nov 27 21:46:23 UTC 2001


This does not directly answer your question but -

When a M$ W2K DDNS zone is created and then set to be dynamically updated, the
zone files become non-Bind compliant. You will not be able to take a M$
DDNS zone file and run it on a Bind compliant machine. You probably
would never want to do this anyway, but it's worth noting.

M$ adds extra fields to the resource records that are dynamically created;
the entries that are statically created do not have these fields. So there
is a difference between statically and dynamically created entries within a
zone file. Also, you are not supposed to be able to dynamically alter a
static entry in M$ DDNS.

These extra fields contain information that the M$ scavenge utility uses. M$
allows either workstations or the DHCP server to make dynamic updates in a
rather uncontrolled way; the result is that your M$ DDNS can become cluttered
with stale, invalid, obsolete entries. These extra fields associated with
dynamic entries indicate when the entry should be removed by the scavenge
utility.

Also worth noting that unlike Bind, there isn't an effective way to control
who can make updates to your server and who can't. Unless you go around and
enable DDNS update encryption on all of your machines and DDNS server, any
workstation, anywhere could alter records in your DDNS server.

What we have done is not allow dynamic updates to forward zone files, but
just allow updates to the reverse zone files. We lose quite a bit of
functionality this way, but it's safer.

For example, let's say an Oracle server comes up and registers its address
dynamically in a M$ DDNS server, and then we have this hacker that
dynamically registers the Oracle server's name to a different IP address.
Suddenly we have users being directed to the hacker's address instead of the
Oracle server.

You need to be careful with dynamic entries - particularly in a M$
environment because of the lack of controls you have over the server. Also,
periodically the M$ DDNS server needs to be fixed; it tends to break. Like
many of the M$ products, if it disagrees with a parameter you put in, it will
eventually change that parameter to what it thinks it should be. Of course,
from a consultant's point of view it's a money maker.

If security, control, reliability and interoperability are issues you may
want to consider using Bind. It is more structured and stable and highly
configurable.

Take care

George Young / G-L Data, Inc / Morristown, NJ



<-----Original Message-----
<From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org]On
<Behalf Of Cox, Chris
<Sent: Tuesday, November 27, 2001 3:19 PM
<To: 'dhcp-server at isc.org'; 'bind-users at isc.org'
<Subject: MS dynamic DNS supports static and dynamic entries in same
<zone?
<
<
<
<I have been told by our M$ gurus that the M$ solution
<has no problem with static and dynamic entries in the
<same zone... the ISC documentation seems to indicate
<that dynamically updated zones should be separate
<from the statically controlled zones.
<
<Is this correct?
<
<--
<Christopher J. Cox
<Sr. UNIX Systems Administrator
<Sterling Commerce, Inc.
<469-524-2320
<
<
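The split George describes above (no dynamic updates to forward zones, updates
allowed only in reverse zones) and the Bind-side control he contrasts with
M$ DDNS can both be expressed in a BIND 9 named.conf. The fragment below is an
added example, not part of the original post or of either poster's
configuration; the zone names, file names, addresses and key name are
assumed placeholder values.

```conf
// Added example (not from the original post). Assumed names and addresses.

// A shared TSIG key: only a client that signs its update with this secret
// is allowed to change records. The secret is a placeholder; generate a
// real one out of band (e.g. dnssec-keygen -a HMAC-MD5 -b 128 -n HOST).
key "dhcp-update-key" {
    algorithm hmac-md5;
    secret "REPLACE-WITH-BASE64-SECRET==";
};

// Forward zone: kept static. No dynamic updates are accepted at all, so a
// host cannot re-register someone else's name to its own address. This is
// the weak setting to avoid here:  allow-update { any; };  which reproduces
// the "any workstation, anywhere" behaviour described in the post.
zone "example.com" IN {
    type master;
    file "db.example.com";
    allow-update { none; };
};

// Reverse zone: dynamic updates allowed, but only from holders of the key
// and only for PTR records under this zone. update-policy replaces
// allow-update for the same zone; the two cannot be combined.
zone "2.0.192.in-addr.arpa" IN {
    type master;
    file "db.192.0.2";
    update-policy {
        grant dhcp-update-key subdomain 2.0.192.in-addr.arpa. PTR;
    };
};
```

The DHCP server (or any other authorised updater) then signs its nsupdate
requests with the same key; an unsigned update, or one signed with another
key, is refused and logged by named, which also gives you a log line to alert
on.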


