Active Directory Integrated DNS( dynamic update behavior )

David Botham dns at botham.net
Thu Jan 16 21:48:09 UTC 2003




> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
> Behalf Of Kevin Darcy
> Sent: Thursday, January 16, 2003 4:38 PM
> To: bind-users at isc.org
> Subject: Re: Active Directory Integrated DNS( dynamic update behavior )
> 
> 
> David Botham wrote:
> 
> > > -----Original Message-----
> > > From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
> > > Behalf Of Barry Finkel
> > > Sent: Thursday, January 16, 2003 2:33 PM
> > > To: bind-users at isc.org
> > > Cc: rparasnis at clj.co.jp
> > > Subject: RE: Active Directory Integrated DNS( dynamic update behavior )
> > >
> > > "Rahul Parasnis" <rparasnis at clj.co.jp> replied to my posting:
> > >
> > > >For rest of zones either I can define w2k as secondary or forward those
> > > >requests to bind DNS .
> > > >is there any limit on defining secondary servers ? ( is it 20 )
> >
> > A conventional limit is 13 name servers.  This limit is due to the fact
> > you can pack 13 NS records with glue records into a UDP packet less than
> > 512 bytes.  That way you do not trigger a truncation and hence a TCP
> > transfer of the NS RRset for your zone...
> 
> You can only pack 13 NS'es + glue into the 512-byte limit, if the domain
> names are all the same and the first labels are very short. Otherwise the
> limit is lower.

Good point, as always :)

Dave...



> 
> 
> - Kevin
> 
> 
> > > Why define the W2k server as a slave for the other zones?  Which
> > > machines are going to use the W2k server as their DNS server?  Almost
> > > all of the machines here are configured to use my BIND servers as their
> > > DNS servers; no machine (of which I am aware) is using the W2k DNS
> > > Server as its server.  As everyone is using the BIND servers, I have to
> > > insure that I have the "_" zones on the BIND servers.
> > >
> > > I am not sure what you mean by "limit on defining secondary servers".
> > > You can have any number of slave servers for a given zone.  There
> > > usually is no need for 1-4 slave servers.  Note that if you have many
> > > slave servers for a zone, then there are many NS records in the zone,
> > > and a query might result in all of those NS records being placed in
> > > the AUTHORITY section of the DNS reply.  That could cause the reply
> > > packet to exceed the size of a UDP packet, resulting in having to use
> > > TCP.
> > >
> > > --------
> > >
> > > >I tested the dynamic update to learn its behavior . Here is what I
> > > >understood, please correct me if I am wrong .
> > > >
> > > >If there is A record, CNAME and PTR record for one client . A record is
> > > >different than the Client FQDN ( computer name ). When client updates , it
> > > >deletes this A record and PTR record and replaces with its FQDN Name but
> > > >the old A record and CNAME record is not deleted .
> > > >I could see the log in db.domain.ixfr and reverse_lookup_zone_file.ixfr .
> > >
> > > Assuming these entries in DNS:
> > >
> > >      AA  IN  A  1.2.3.4
> > >      BB  IN  CNAME  AA
> > >      1.2.3.4  IN  PTR  AA
> > >
> > > If a machine named AA at address 2.3.4.5 attempts self-registration and
> > > is successful, then these records will be in DNS, I believe:
> > >
> > >      AA  IN  A  2.3.4.5
> > >      BB  IN  CNAME  AA
> > >      1.2.3.4  IN  PTR  AA
> > >      2.3.4.5  IN  PTR  AA
> > >
> > > The "A" record for AA will have been replaced, while the PTR record for
> > > 2.3.4.5 will have been added.  The CNAME record will have been left
> > > untouched.
> > >
> > > Given the initial scenario again -- if a machine named BB at address
> > > 2.3.4.5 attempts self-registration, then the initial request to
> > > register
> > >
> > >      BB  IN  A  2.3.4.5
> > >
> > > will fail, because the DDNS packet has a pre-requisite check to insure
> > > that BB is not already a CNAME.  Once this pre-req fails, I do not know
> > > what subsequent DDNS packets, if any, will be sent by the W2k computer
> > > attempting self-registration (either for the forward registration or
> > > for the reverse registration).  I have never had this situation in my
> > > testing.  Note that there is no CNAME pre-req test in the registration
> > > of the PTR record; there could be a CNAME in a reverse zone if one is
> > > using RFC 2317-style delegation of a piece of a subnet.
> > >
> > > --------
> > >
> > > >These two names are not cnames of the A-record that is dynamically added .
> > > >
> > > >nslookup cname
> > > >Server:  DNS Server
> > > >Address:  IP Address
> > > >
> > > >Name:    rparasnis.clj.co.jp
> > > >Address:  IP Address
> > > >Aliases:  cname.clj.co.jp
> > > >
> > > >there are following records now in DNS
> > > >A record for computername ( dynamically updated )
> > > >PTR record for computername ( dynamically updated )
> > > >A record (old ) which was existing before
> > > >CNAME records pointing to old A-record
> > > >
> > > >is my understanding correct ?
> > >
> > > I cannot tell from your example what was in DNS before the update, and
> > > what machine (at what address) sent the self-registration.
> > >
> > > ----------------------------------------------------------------------
> > > Barry S. Finkel
> > > Electronics and Computing Technologies Division
> > > Argonne National Laboratory          Phone:    +1 (630) 252-7277
> > > 9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
> > > Building 222, Room D209              Internet: BSFinkel at anl.gov
> > > Argonne, IL   60439-4828             IBMMAIL:  I1004994
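The self-registration scenario Barry walks through above (prerequisite check, A record replaced, PTR added, CNAME left alone) as an added model, not part of the thread and not a capture of what a Windows 2000 client actually sends: a toy RFC 2136 zone that evaluates prerequisites before applying update operations, so the BB case fails with YXRRSET while the AA case goes through. The `Zone`, `self_register` and `initial_zones` names, the reverse zone keyed by bare addresses, and sending the PTR update regardless of the forward result are assumptions.

```python
from collections import defaultdict


class Zone:
    """Toy zone: name -> RR type -> set of rdata (names compared case-insensitively)."""
    def __init__(self):
        self.rrs = defaultdict(lambda: defaultdict(set))

    def rrset(self, name, rtype):
        return set(self.rrs[name.lower()].get(rtype, set()))

    def update(self, prereqs, ops):
        """One dynamic update. prereqs: ('rrset_exists'|'rrset_absent', name, type);
        ops: ('add', name, type, rdata) or ('delete_rrset', name, type), applied in order.
        Returns the RFC 2136 RCODE name; if a prerequisite fails the zone is untouched."""
        for kind, name, rtype in prereqs:
            if kind == 'rrset_exists' and not self.rrset(name, rtype):
                return 'NXRRSET'   # an RRset that ought to exist does not
            if kind == 'rrset_absent' and self.rrset(name, rtype):
                return 'YXRRSET'   # an RRset that ought not to exist does
        for op in ops:
            if op[0] == 'delete_rrset':
                self.rrs[op[1].lower()].pop(op[2], None)
            else:
                _, name, rtype, rdata = op
                node = self.rrs[name.lower()]
                # RFC 2136 3.4.2.2: an add that would mix CNAME with other data is silently ignored
                if (rtype == 'CNAME' and any(t != 'CNAME' for t in node)) or \
                        (rtype != 'CNAME' and 'CNAME' in node):
                    continue
                node[rtype].add(rdata)
        return 'NOERROR'


def self_register(fwd_zone, rev_zone, host, ip):
    """Assumed client behaviour (not a capture of W2k): the forward update replaces the
    A RRset under a 'no CNAME at this name' prerequisite; the PTR update has no CNAME
    prerequisite and, in this model, is sent even if the forward update failed."""
    fwd = fwd_zone.update(prereqs=[('rrset_absent', host, 'CNAME')],
                          ops=[('delete_rrset', host, 'A'), ('add', host, 'A', ip)])
    rev = rev_zone.update(prereqs=[], ops=[('add', ip, 'PTR', host)])
    return fwd, rev


def initial_zones():
    """Constructed starting state from the thread: AA A 1.2.3.4, BB CNAME AA, PTR for
    1.2.3.4. The reverse zone is keyed by the bare address, as the thread writes it."""
    fwd, rev = Zone(), Zone()
    fwd.update([], [('add', 'AA', 'A', '1.2.3.4'), ('add', 'BB', 'CNAME', 'AA')])
    rev.update([], [('add', '1.2.3.4', 'PTR', 'AA')])
    return fwd, rev
```

The last case in the checks below shows why the prerequisite matters: without it, an A add at a name that already holds a CNAME returns NOERROR but changes nothing, which is much harder to notice than an explicit YXRRSET.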