Bind 9

Chris Cox chris_cox at stercomm.com
Sat Mar 27 00:26:39 UTC 2004


Kevin Darcy wrote:
...snip...
> The Win2K clients can be configured to register their names in DNS. You 
> can configure either your Win2K clients or your DHCP server (Win2K or 
> otherwise) to register the reverse records for those clients in DNS via 
> Dynamic Update. HOWEVER, please realize that you have no capability to 
> do crypto-secure Dynamic Updates between the Win2K environment and the 
> BIND environment, due to the fact that each environment speaks a version 
> of crypto that is incompatible with the other. So the most you'd be able 
> to do to lock things down by Dynamic Update client address, and if you 
> have Win2K clients all over the place, that's basically no security at all.

Why not use ISC DHCP in a DDNS configuration to do it?  Sure, unless you
make a registry change on all of the clients they'll continue to hound
your BIND server, but the server will just say no to them.

I have seen way, way too many problems with our DNS/DHCP servers in W2K3...
now admittedly, some of that is configuration issues... but still...
Just too many issues... too much complexity... too much faith in
multi-mastering which any two-year old can tell you can't work.

Also.. the Samba boys have figured out how to do nsupdates via
GSS-TSIG.. so it's now possible to get this working if you just
have to have it.  I think W2K, W2K3 are mistakes in the industry
as a whole... IMHO... better to migrate to something simpler and
smoother (bet you never thought you'd hear that about BIND!).


> 
> The same considerations apply to Active Directory domain controllers and 
> their desire to write SRV records into DNS zones. Although in that case 
> you have much fewer numbers of Dynamic Update clients, and so it may be 
> feasible to lock these down by source address. For that matter, since 
> the SRV records don't change that often, you could turn off Dynamic 
> Update altogether and just manually update DNS from the domain 
> controllers' netlogon.cnf (or whatever it's called) file every time 
> something changes. Another option is to leave the "underscore" 
> subdomains, e.g. _msdcs, _tcp, _udp, etc., in MSDNS, delegating them as 
> subzones from your main zone. Yet another option is to pick some totally 
> separate domain for your AD stuff.

I would allow the W2K/W2K3 servers to do their updates by IP auth inside
of your named.conf for those zones.
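Putting both suggestions into configuration, as an added example (not from either poster): the ISC DHCP server updates the forward and reverse zones with a TSIG key, while the _msdcs subzone accepts updates only from the domain controllers' addresses. The zone names, 192.0.2.x addresses, key name and sample secret are constructed assumptions, and hmac-sha256 assumes a BIND/DHCP release newer than the 2004-era hmac-md5-only ones.

```conf
# --- named.conf fragment (BIND 9) ---
# TSIG key shared with the ISC DHCP server. Constructed sample secret;
# generate a real one with tsig-keygen (dnssec-keygen -n HOST on old releases).
key "dhcp-update" {
    algorithm hmac-sha256;
    secret "c2FtcGxlLWtleS1ub3QtZm9yLXByb2R1Y3Rpb24=";
};

# Forward and reverse zones: only the DHCP server's key may update them.
# Win2K clients that still try to self-register get REFUSED (visible in the
# "update-security" logging category if you want to watch them).
zone "example.com" {
    type master;
    file "db.example.com";
    allow-update { key "dhcp-update"; };
};

zone "2.0.192.in-addr.arpa" {
    type master;
    file "db.2.0.192";
    allow-update { key "dhcp-update"; };
};

# Underscore subzone for AD, locked down by source address only, since the
# domain controllers cannot speak BIND's TSIG. 192.0.2.10/.11 are the DCs.
zone "_msdcs.example.com" {
    type master;
    file "db._msdcs.example.com";
    allow-update { 192.0.2.10; 192.0.2.11; };
};

# --- dhcpd.conf fragment (ISC DHCP) ---
ddns-update-style interim;
ddns-updates on;
ddns-domainname "example.com.";

key dhcp-update {
    algorithm hmac-sha256;
    secret "c2FtcGxlLWtleS1ub3QtZm9yLXByb2R1Y3Rpb24=";
};

zone example.com. {
    primary 192.0.2.53;       # the BIND server
    key dhcp-update;
}

zone 2.0.192.in-addr.arpa. {
    primary 192.0.2.53;
    key dhcp-update;
}
```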