One last W2K / Active Directory / BIND question
Brad Knowles
brad.knowles at skynet.be
Fri Aug 3 01:17:03 UTC 2001
At 7:05 PM -0400 8/2/01, Simpson, John R wrote:
> If I give allow-update permission to the W2K server for all zones,
> including example.com, the update works and all the SRV records get added to
> _msdcs, etc. However, I don't want the W2K server to have update permission
> to example.com.
The general solution is to actually set up a child zone under
your domain that you allow them to muck about with however they want,
including all the _tcp, _http, and other sub-zones. That child zone
could be delegated to nameservers running on purely Microsoft OSes,
etc. Basically, it's their private sandbox to mess in however
they want, and you don't really care.
> Has anyone else encountered this behavior? Is it due to my 8.2.2-P5
> server or something on the W2K side? I can provide any additional OS, BIND,
> or config files that would be useful. I'm virtually certain it's on the
> Windows side, given the extraneous A record.
Certainly, if you're going to be running BIND, you should be
running something that does not contain severe root exploits
(remember the "li0n" worm from a little while back?). You should be
running at least 8.2.4, if not 9.1.3.
--
Brad Knowles, <brad.knowles at skynet.be>
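
The child-zone approach described in the reply above, as an added configuration example that is not part of the original post. It assumes the child zone is hosted on the same BIND server and that the Active Directory domain is named after the child zone; the zone name `ad.example.com`, the file paths, the nameserver name and the address 192.0.2.10 are constructed placeholders.

```conf
// named.conf fragment (constructed example; names, paths and address are assumptions)

// Parent zone: nobody may send dynamic updates.
zone "example.com" {
    type master;
    file "master/example.com.db";       // hypothetical path
    allow-update { none; };
};

// Child zone: the only place the W2K server may write its
// SRV records and the _msdcs, _sites, _tcp, _udp names.
zone "ad.example.com" {
    type master;
    file "master/ad.example.com.db";    // hypothetical path
    allow-update { 192.0.2.10; };       // W2K server (documentation address)
};

// The example.com zone file carries the delegation for the child, e.g.
//   ad    IN  NS  ns1.example.com.     ; hypothetical nameserver name
// If the child is delegated to the Windows DNS servers instead, drop the
// "ad.example.com" zone statement above and point the NS record (plus a
// glue A record) at those servers.
```

An address-based `allow-update` entry trusts the source IP only, so keeping the writable data in its own zone limits what a spoofed or compromised updater can change.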