BIND 9.3.0 and AD

Alan Shackelford ashackel at jhmi.edu
Thu Sep 23 11:55:19 UTC 2004


Good Morning,
   I am currently running bind-9.3.0rc4 and plan to upgrade to 9.3.0 in the
next two days. The improvements to the security features raise a couple of
questions that you folks might be able to answer:
* Does the new DNSSEC stuff allow for signed and/or encrypted transfers and
updates to/from Active Directory DNS? I am currently allowing these
interactions based on IP address alone, and am reminded in the logs that
this is unsafe.

* Since I have a couple of AD domains I also have a number of underscore
characters in a couple of zone data files, and have set check-names to
ignore. This seems like a shame. Is there a "smaller hammer" I can use to
allow the AD zone data to live in my DNS? For the most part I have pasted
the netlogin.dns file into my zone data, but in two cases I am actually
allowing updates from the AD DNS, which is using me as forwarder. It would
be nice to make use of check-names, but the two AD zones that are sending
updates are very chatty, and I worry about log volumes and admin numbness if
I just log the offending names.



Alan V. Shackelford                   Sr. Systems Software Engineer
The Johns Hopkins University  /  Johns Hopkins Medical Institutions
Baltimore, Maryland USA        ashackel at jhmi.edu       443-997-6773


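The two configuration questions in the post above, as an added example that is not from the original message, from ISC, or from the bind-users archive. The mechanism BIND uses to authenticate zone transfers and dynamic updates is TSIG (RFC 2845), not DNSSEC: DNSSEC signs zone data for validation by resolvers, while TSIG puts an HMAC over each transfer or update message using a key shared between the two servers. The named.conf fragment below restricts transfers and updates for the AD zone to a TSIG key instead of a source address, and scopes check-names ignore to that one zone so the site-wide default stays strict. The zone names, key name, IP address and secret are assumptions for illustration.

```conf
// Added example, not from the original post: BIND 9.3 named.conf fragment.
// Zone names, key name, addresses and the secret are made up for illustration.

// TSIG key shared with the AD DNS server. Generate the secret with, e.g.
//   dnssec-keygen -a HMAC-MD5 -b 128 -n HOST ad-dns-key
// and copy the Key: line from the resulting .private file.
key "ad-dns-key" {
    algorithm hmac-md5;
    secret "c2VjcmV0LWZvci1pbGx1c3RyYXRpb24tb25seQ==";   // placeholder value
};

// Messages we send to the AD DNS server (notifies, transfers we request)
// are signed with the same key.
server 192.0.2.10 {
    keys { "ad-dns-key"; };
};

options {
    directory "/var/named";

    // Site-wide defaults stay strict: reject bad owner names when loading
    // master zones, warn for slave zones, ignore them in responses.
    check-names master fail;
    check-names slave warn;
    check-names response ignore;

    // Nothing is transferred or updated unless a zone says otherwise.
    allow-transfer { none; };
    allow-update   { none; };
};

// Ordinary zone with pasted AD records, no updates, strict checking inherited.
zone "example.edu" {
    type master;
    file "master/example.edu";
};

// AD domain zone that receives dynamic updates from the AD DNS server.
// Only a holder of the key may update or transfer it; the source address
// alone is no longer enough. check-names is relaxed for this zone only,
// so an A record such as gc._msdcs.ad.example.edu loads without producing
// a log line, while every other zone keeps the strict default.
zone "ad.example.edu" {
    type master;
    file "master/ad.example.edu";
    check-names ignore;
    allow-update   { key "ad-dns-key"; };
    allow-transfer { key "ad-dns-key"; };
};
```

Two caveats a practitioner should check before relying on this. First, the key-based allow-update only helps if the AD DNS server can actually sign its updates with a static TSIG key; Windows uses GSS-TSIG (RFC 3645) for secure dynamic update, and BIND 9.3 does not implement GSS-TSIG, so verify what the Windows side supports before removing the address-based ACL. Second, with check-names set to warn or fail at the zone level, every offending record is logged at zone load and on each update, which is the log-volume problem the post anticipates; zone-scoped ignore avoids it without relaxing checking for the zones that were pasted in by hand.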