Problems with DDNS

Barry Finkel b19141 at achilles.ctd.anl.gov
Fri Feb 8 14:07:37 UTC 2002


Paco Orozco <nospam at nospam.es> wrote:

>>>I have got several Windows 2000 servers, involved in Active Directory.
>>>It modifies via DDNS some DNS records in dynamic.hello.com.
>>>
>>>All servers that need DDNS are part of the dynamic.hello.com zone, but all
>>>of them aren't on the same segment; they aren't in the same
>>>in-addr.arpa. zone.
>>>
>>>When a server modifies a record in dynamic.hello.com, it can't do it in
>>>its reverse zone (in-addr.arpa.)
>>>
>>>One solution is to allow DDNS on all reverse zones that contain
>>>servers with DDNS needs, but is there any solution? Can I limit DDNS
>>>updates on the in-addr.arpa zone only to machines in dynamic.hello.com?

I replied:

>>You did not say how large your address space is.  What I did is take
>>the five specific 255-address subnets that needed to be dynamic and
>>delegate those subnets to my W2k DNS box.  I do not know if one can
>>delegate less than 255 addresses; I assume that following RFC 2317
>>it is possible.  I have enough subnets that I do not have to worry
>>about RFC 2317.  I have only one forward and its five reverse zones
>>on the W2k box (in addition to 24 "_" zones) because I still do not
>>trust the W2k DNS code.  These 1+5 zones are there because the owner
>>of the zones wanted them to be dynamic, managed by his W2k DHCP
>>server.

And Paco replied:

>In my scenario there are servers in several in-addr.arpa. zones. I
>can't join them in only one/two/three zones. Imagine several depts.;
>every dept. has an in-addr.arpa. zone (class C), and every dept. joins
>a server to the dynamic.hello.com. domain.
>
>This is my scenario.

If each department has its own Class C zone, then you can take
each Class C zone (for those departments that wish to participate in AD
DDNS) and make it dynamic.  Your other Class C zones can remain static.
You can move the dynamic reverse zones to a W2k DNS box, as I have
done; or you can leave those zones on BIND.  You have less security
with the dynamic zones on BIND, as BIND does not implement the GSS-API
Microsoft secure updates.

In my case, I have my onsite slaves, dns1.anl.gov and dns2.anl.gov,
set in all clients to be the DNS servers to be queried.  My master
BIND server, dns0.anl.gov, is a hidden master.  Both onsite slaves
are authoritative for our class B 146.139.x.x network, so I did not
have to do anything special to move 146.139.224.x to the W2k DNS
server.  That zone is slaved on my dns1 and dns2, so clients still
query dns1 or dns2, and they retrieve entries from the 146.139.224.x
zone.  BIND does not care if the zone on the slave is separate or
part of the larger 146.139.x.x zone.

----------------------------------------------------------------------
Barry S. Finkel
Electronics and Computing Technologies Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
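As an added illustration (not part of the original post or of anyone's actual configuration), this is a BIND named.conf fragment for an onsite slave such as dns1 in the layout described above: the class B reverse zone is slaved from the hidden master, one /24 reverse zone inside it is slaved from the W2k DNS server instead, and the remaining reverse zones stay static. The addresses, file names and key name are assumptions.

```conf
// Added example, not the original poster's configuration.
// IP addresses, file paths and the key name are placeholders.

options {
    directory "/var/named";
    // Slaves answer clients; they accept no dynamic updates at all.
    allow-update { none; };
};

// Class B reverse zone, slaved from the hidden master dns0.
// The delegation of 224.139.146.in-addr.arpa to the W2k box lives
// as NS records inside this zone's data, not in named.conf.
zone "139.146.in-addr.arpa" {
    type slave;
    masters { 192.0.2.10; };          // placeholder: dns0.anl.gov
    file "slave/139.146.in-addr.arpa";
};

// The one dynamic /24, slaved directly from the W2k DNS server.
// Clients keep querying dns1/dns2; BIND does not care that this zone
// is separate from the larger 139.146.in-addr.arpa zone.
zone "224.139.146.in-addr.arpa" {
    type slave;
    masters { 192.0.2.20; };          // placeholder: W2k DNS server
    file "slave/224.139.146.in-addr.arpa";
};

// If a dynamic reverse zone is instead left as a master on BIND,
// restrict updates to a shared TSIG key rather than to source
// addresses; BIND of this era lacks the GSS-TSIG that W2k uses.
key "dhcp-update-key" {               // placeholder key name
    algorithm hmac-md5;
    secret "<base64 secret here>";    // placeholder, not a real key
};

zone "225.139.146.in-addr.arpa" {
    type master;
    file "dynamic/225.139.146.in-addr.arpa";
    allow-update { key "dhcp-update-key"; };
};
```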


