Mixed environments: DHCP Secure Update

Barry Finkel b19141 at achilles.ctd.anl.gov
Wed Mar 21 18:27:28 UTC 2007 

"Michele Vetturi" <mvetturi at yahoo.it> wrote:

>Hi all,
>        this is my first post in dhcp-users. I appreciate a lot your
>dicussions. Here I found a great source of ideas.
>
>Now my question: we are going to renew our network and the Active
>Directory environment. I'm talking about 500 desktops, 50 servers, 20
>virtual servers... So, a tedious job!
>
>I'm very interested in migrating some core service from Windows OS to
>Linux, and I'm studying how to deploy a Linux DHCP Server (ISC DHCP3)
>with SECURE Dynamic Update toward a Windows DNS service.
>
>I opted for the Windows DNS because the staff who will manage this
>service, but me, prefer a Windows GUI Management Console instead of
>BIND zone files.
>
>And for DHCP, I see that the ISC implementation allow me doing a lot
>more tricks.
>
>Now, I think I'm right when I say that Windows DNS accepts dynamic
>updates only if clients support GSS-TSIG algorithm... and ISC DHCP
>does not.

The last point is correct, if you replace "ISC DHCP" with "ISC BIND".
ISC BIND does not accept GSS-TSIG DDNS authentication.  I think it is
coming, but I do not know when.  One of the problems is that Microsoft
wrote a draft RFC covering what they had done with GSS-TSIG, but that
draft RFC did not match their code, so it was impossible for anyone to
be compatible with their code.

What we do here for one group within ANL - all of their DNS is dynamic,
controlled by a MS Windows 2003 DHCP Server.  Their forward zone and
five /24 reverse zones are mastered on a MS Windows 2003 DNS Server and
slaved to our BIND servers.  All of the client machines query the BIND
servers; no machine is configured to use the MS DNS machine as a
primary DNS server.  Most of the machines in this domain are Windows
2003 servers or XP workstations, so DNS registration is automatic and
secure.  The MS DHCP Server registers both forward and reverse.
There are a handful of other machines that we registered manually via
the Windows DNS GUI manangement console.  We can have this configuration
because this group is a sub-domain of anl.gov, it lives almost
exclusively on five /24 subnets, there are no machines from other
sub-domains on those five subnets, and the machines in that sub-domain
are almost entirely MS Windows.

One more thing to remember - once a BIND DNS zone is dynamic, all
updates to the zone must be made via the nsupdate tool.  Manual
editting of zone files is no longer allowed.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994

More information about the dhcp-users mailing list