Dynamic DNS With WIN2k

Kevin Darcy kcd at daimlerchrysler.com
Fri Sep 1 22:12:04 UTC 2000


Dynamic Update works from Win2K servers and clients to BIND 8 servers, but
*Secure* Dynamic Update doesn't, since the flavor of TSIG implemented by
Win2K is not RFC-standardized and not supported by BIND. This means that if
you want to support Dynamic Update from Win2K to BIND, your only means of
implementing security is to limit updates by IP address, which is a very weak
form of authentication. Technically, you don't have to support Dynamic Update
_at_all_ in order to deploy Win2K, but for Active Directory to work properly,
certain unfriendly-looking SRV records need to be present in DNS for every
Win2K Domain Controller, and it can be a real pain to add these manually. Many
BIND shops just throw in the towel, delegate part(s) of their namespace to
MS-DNS servers and wash their hands of the whole thing. I'm sure Microsoft
doesn't mind this, since it represents at least a "foot in the door" for their
DNS server into large enterprises, and the GUI interface I'm sure is more
appealing to novice administrators than the command-line-and-text-file
environment typically associated with BIND.

In addition to the Domain Controllers needing SRV records in DNS, there are
also options within Win2K for the clients and/or their DHCP servers to
register *client* A and/or PTR records in DNS via Dynamic Update. The PTR
records, in particular, are problematic unless you can isolate certain /24's
to have *only* Win2K clients on them, in which case you could delegate just
those /24's to MS-DNS servers. Most of us don't have that luxury. Note that
RFC 2317-style PTR aliasing doesn't work with Win2K because the software isn't
smart enough to chase down aliases (due, apparently, to a misreading of the
Dynamic Update RFC). Of course, you should probably be asking yourself: do
I really need Win2K clients to be registered in DNS? Think of what this does
to the size of your DNS database, the performance of your DNS servers (I think
this registration happens every time a Win2K client comes up or shuts down,
maybe also at every DHCP lease renewal, and if a zone is changing frequently,
it needs to be zone-transferred frequently also, thus putting a load on the
slaves, and the network, as well as the master). How often would anyone need
to access a Win2K client by name? In our case, we are leaning towards *not*
implementing the client-registration feature at all. Makes life a lot simpler,
from an infrastructure standpoint.


- Kevin

SCCox at statestreetkc.com wrote:

> Where can I find information on making BIND 8 or BIND 9 Beta, work with the
> dynamic updates of Win2k? Will Active directory work correctly with a BIND
> server doing DNS. I hope so, and see no reason not. Is anyone currently
> doing this?
>
> **********************************************************************
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> postmaster at statestreetkc.com
>
> **********************************************************************
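As an added example, not part of Kevin's post, here are the two BIND `named.conf` shapes the post contrasts: an IP-address ACL, which is all that is left for Win2K's non-standard TSIG, beside a shared-key ACL for updaters that do speak standard TSIG. Zone names, the network, the key name and the secret are placeholders.

```conf
// Added example, not from the original post. Zone names, network,
// key name and secret are placeholders.

// The weak form the post describes: any packet whose source address
// falls in 10.1.2.0/24 may rewrite the zone. The server has nothing
// but that source address to go on, so this is a filter, not
// authentication of the updater.
zone "ad.example.com" {
    type master;
    file "master/ad.example.com.zone";
    allow-update { 10.1.2.0/24; };
};

// The stronger form BIND (8.2 and later, and 9) offers: the update must
// carry a valid standard TSIG signature under a shared key. Per the
// post, Win2K's TSIG flavour will not interoperate with this, so it only
// helps for updaters that do standard TSIG (nsupdate with a key file,
// or a DHCP server that signs its updates).
key "dhcp-updater" {
    algorithm hmac-md5;
    secret "REPLACE-WITH-BASE64-SECRET==";   // placeholder, not a real key
};

zone "dhcp.example.com" {
    type master;
    file "master/dhcp.example.com.zone";
    allow-update { key "dhcp-updater"; };
};
```

Whichever form a zone ends up with, enable the `update` logging category on the master so that unexpected updaters, or the registration churn the post describes, show up in the logs rather than only as a growing zone file.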
