Active Directory Settings in Bind 822?

Kevin Darcy kcd at daimlerchrysler.com
Fri Jul 14 21:33:12 UTC 2000


You need to add "allow-update" statements, specifying addresses and/or address
prefixes, and/or negated versions of same, globally or on a zone-by-zone
basis, in order for the Dynamic Updates to work. Note that this is
*weak* authentication: anyone who can spoof those addresses then has the
ability to update your DNS. But currently there is no interoperable
*secure* Dynamic Update between BIND and Win2K. Apparently, trying to find
common ground between Microsoft and ISC on secure Dynamic Update is proving to
be about as difficult as coming up with a mutually-acceptable map of
Jerusalem... (This probably at least partially explains why people aren't
writing HOWTOs either, since this area is greatly subject to change.)

SRV records should just work. There's nothing in particular special you have
to do with them. If you opt not to allow weakly-authenticated Dynamic Updates,
however, this means you'll have to manually add the SRV records, somehow,
which could be a massive pain in the butt, since each Domain Controller can
register many SRV records (as many as a dozen or more, our Microsoft reps are
telling us). The syntax for SRV records seems very prone to typos, also.

Don't know about IXFR. Is this really necessary, if all of your DNS servers
are BIND, or only if you want to do zone transfers between BIND and
non-BIND servers? By the way, I believe IXFR is broken in all BIND prior to
8.2.3 (which is still technically in Beta).


- Kevin

Greg Fischer wrote:

> I am having trouble setting up Active Directory with Linux Bind 8.2.2 P5.
> It says the DNS server doesn't support AD. (I can't remember the exact error.)
> And then I have to set up an MS DNS server. (I don't want to.)
> I have searched through archives on this list, and on the internet, but
> found little info on a procedure to do it.
>
> I have three DNS servers on Linux running version 8.2.2. Since it should support
> Active Directory with the SRV records, IXFRs, and Dynamic Update, I would
> rather not set up another Master using MS DNS, and just use my existing ones.
> I also would rather not setup a subdomain.
> It just seems that it would be easier to administer later.
>
> So, what I ask is, can someone show me a sample named.conf file with the
> settings that will allow AD to talk to it? And maybe some pointers.  I
> pledge to list a web page describing the setup procedures for people out
> there who want to know as I do.
>
> I have read through the "DNS and BIND" book from O'Reilly, but it doesn't
> get too detailed on dynamic update and incremental zone transfers.
>
> There needs to be a HOWTO out there for AD and Bind 8.2.2.
>
> Greg Fischer
> Network Administrator
> TechGroup Inc
> 509-922-1585
> greg at techgroupinc.com
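A zone statement with a narrowly scoped allow-update list, followed by the kind of SRV records a domain controller registers, as an added example of the configuration described in the reply above (this is not from the thread and not a vendor sample). The domain name, host names and addresses are constructed; the SRV owner names follow the standard _service._proto convention.

```conf
// ---- named.conf fragment (constructed example) ----
// Address-based allow-update is weak authentication: anyone who can
// spoof a listed address can rewrite the zone. Keep the match list to
// the domain controllers only, and negate hosts that must not update.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-update {
        !192.0.2.13;        // a non-DC host inside the DC subnet
        192.0.2.0/28;       // the domain controllers' subnet
        192.0.2.50;         // a single DC outside that subnet
    };
};

; ---- example.com.zone excerpt (constructed example) ----
; SRV format: priority weight port target. A DC registers several of
; these; if weak dynamic update is refused they must be typed by hand.
$ORIGIN example.com.
dc1                          IN A   192.0.2.1
_ldap._tcp                   IN SRV 0 100 389  dc1.example.com.
_kerberos._tcp               IN SRV 0 100 88   dc1.example.com.
_kpasswd._tcp                IN SRV 0 100 464  dc1.example.com.
_gc._tcp                     IN SRV 0 100 3268 dc1.example.com.
_ldap._tcp.dc._msdcs         IN SRV 0 100 389  dc1.example.com.
```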
