BIND and MS DNS

Kevin Darcy kcd at daimlerchrysler.com
Thu Nov 23 05:05:42 UTC 2006


kelvin dumb wrote:
> My goal is to allow MS clients talk to w3k AD and let
> other *nix talk to BIND. I'm using a Bind DNS 9.2.4 on
> Debian and Windows 2003.
> BIND has 192.168.0.100 and MS DNS 192.168.0.120. ICS
> DHCP is DHCP server. I want to subdomain so MS DNS
> will handle all the traffic from MS clients. This is
> what I have been doing so far.
>   
If you just want Microsoft DNS to handle the whole ad.math.edu 
subdomain, simply delegate it from math.edu. You don't need to break out 
subdomains/subzones in that case.

But, you mentioned DHCP. Is DHCP updating client names in DNS via 
Dynamic Update? If so, then *where* are those client names going? If 
your intention is for them to go into ad.math.edu, then you're going to 
have to either
a) delegate ad.math.edu to Microsoft DNS and then figure out how to 
configure the Microsoft DNS stuff to accept Dynamic Updates from ISC 
DHCP (which would be off-topic for this list), or,
b) host ad.math.edu in BIND as a single zone and open up Dynamic Updates 
for *both* ISC DHCP and Active Directory, which runs the risk of them 
stepping on each other's records, or
c) play games with delegating subzones of ad.math.edu (as you've already 
attempted), so that the respective sources of Dynamic Update are 
segregated from each other.

A few things to keep in mind, applicability dependent on which option 
you choose:
1) NS records point to *names* not IP addresses
2) It makes no sense to define a given zone as master on both the BIND 
and Microsoft DNS side,
3) If a given nameserver is authoritative for a given zone, and you want 
it to receive queries for names in that zone from other 
nameservers/iterative-resolvers, then you should "publish" that fact by 
including the name of the nameserver in the NS records for the zone, 
both at the apex of the zone itself, and in the delegation NS records 
from the parent zone. For purposes of redundancy and possibly 
performance, you might choose to define a zone as "slave" and *not* 
publish it in the NS records -- that's what's known as a "stealth slave" 
and is perfectly valid too,
4) (In response to "Do I need to create db._msdcs.ad.math.edu...etc on 
BIND? if so, what need to go in there?") Yes, any time you set up a zone 
as "master" in BIND you need to provide a zone file with, at a minimum, 
the SOA RR and some apex NS records. Everything else can be populated 
via Dynamic Update; even the SOA and apex NS records can be changed via 
Dynamic Update *after* the zone is already established, they just can't 
be initially created via Dynamic Update since there is technically no 
"zone" to update until those records are in place.

                        - Kevin
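As an added illustration (not part of Kevin's post or of BIND itself), a small Python check of points 1, 3 and 4 above, run against constructed math.edu and ad.math.edu records. The hostnames ns1.math.edu and dc1.ad.math.edu are assumptions; the addresses are the ones from the thread.

```python
import ipaddress

# Constructed records (not from the post); the addresses are the thread's own.
PARENT_MATH_EDU = """
math.edu.        IN SOA ns1.math.edu. hostmaster.math.edu. 2006112301 3600 900 604800 3600
math.edu.        IN NS  ns1.math.edu.
ns1.math.edu.    IN A   192.168.0.100
ad.math.edu.     IN NS  dc1.ad.math.edu.
dc1.ad.math.edu. IN A   192.168.0.120
"""
# Minimal child master zone: SOA plus apex NS, the rest can come via Dynamic
# Update. ns1.math.edu may slave it without being published (stealth slave).
CHILD_AD_MATH_EDU = """
ad.math.edu.     IN SOA dc1.ad.math.edu. hostmaster.math.edu. 1 3600 900 604800 3600
ad.math.edu.     IN NS  dc1.ad.math.edu.
dc1.ad.math.edu. IN A   192.168.0.120
"""

def parse_zone(text):
    """Turn one-record-per-line zone text into (owner, type, rdata) tuples."""
    records = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "IN":
            records.append((fields[0].lower(), fields[2].upper(), " ".join(fields[3:]).lower()))
    return records

def is_address(value):
    try:
        ipaddress.ip_address(value.rstrip("."))
        return True
    except ValueError:
        return False

def check_delegation(parent_text, child_text, zone):
    """Return problems: NS rdata that is an address (1), a child without SOA or
    apex NS (4), and delegated servers missing from the child apex (3)."""
    zone = zone.lower().rstrip(".") + "."
    parent, child = parse_zone(parent_text), parse_zone(child_text)
    problems = [f"NS for {o} points to an address ({r}), not a name"
                for o, t, r in parent + child if t == "NS" and is_address(r)]
    if not any(o == zone and t == "SOA" for o, t, _ in child):
        problems.append(f"{zone} has no SOA record")
    apex_ns = {r for o, t, r in child if o == zone and t == "NS"}
    if not apex_ns:
        problems.append(f"{zone} has no apex NS records")
    delegation_ns = {r for o, t, r in parent if o == zone and t == "NS"}
    problems += [f"{ns} is in the parent delegation but not at the {zone} apex"
                 for ns in delegation_ns - apex_ns]
    return problems
```

With the sample records as given, `check_delegation(PARENT_MATH_EDU, CHILD_AD_MATH_EDU, "ad.math.edu")` returns an empty list; swapping the delegation NS name for an IP address, or dropping the child's SOA, makes it report the corresponding mistake.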