One last W2K / Active Directory / BIND question

Brad Knowles brad.knowles at skynet.be
Fri Aug 3 01:17:03 UTC 2001


At 7:05 PM -0400 8/2/01, Simpson, John R wrote:

>  	If I give allow-update permission to the W2K server for all zones,
>  including example.com, the update works and all the SRV records get added to
>  _msdcs, etc.  However, I don't want the W2K server to have update permission
>  to example.com.

	The general solution is to actually set up a child zone under 
your domain that you allow them to muck about with however they want, 
including all the _tcp, _http, and other sub-zones.  That child zone 
could be delegated to nameservers running on purely Microsoft OSes, 
etc....  Basically, it's their private sandbox to mess in however 
they want, and you don't really care.

>  	Has anyone else encountered this behavior?  Is it due to my 8.2.2-P5
>  server or something on the W2K side?  I can provide any additional OS, BIND,
>  or config files that would be useful.  I'm virtually certain it's on the
>  Windows side, given the extraneous A record.

	Certainly, if you're going to be running BIND, you should be 
running something that does not contain severe root exploits 
(remember the "li0n" worm from a little while back?).  You should be 
running at least 8.2.4, if not 9.1.3.

-- 
Brad Knowles, <brad.knowles at skynet.be>
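
The child-zone layout suggested in the reply above, sketched as a named.conf fragment. This is an added example, not part of the original message; the zone name ad.example.com, the ACL name, the file names and the 192.0.2.x address are placeholders, and it assumes the Active Directory domain itself is named after the child zone.

```conf
// named.conf fragment (constructed example; names and addresses are placeholders)
// Assumption: the Active Directory domain is named ad.example.com, so every
// record the W2K server registers (_msdcs, _sites, _tcp, _udp, host A records)
// falls inside the child zone and never touches example.com itself.

acl w2kdc {
    192.0.2.10;    // hypothetical W2K domain controller
};

// Parent zone: no dynamic updates from anyone.
zone "example.com" {
    type master;
    file "db.example.com";
    allow-update { none; };
};

// Child zone: the only place the W2K server may write.
zone "ad.example.com" {
    type master;
    file "db.ad.example.com";
    allow-update { w2kdc; };
};

// db.example.com needs a delegation for the child so resolvers follow it:
//   ad        IN NS    ns1.example.com.
// To hand the zone to the Windows servers instead, drop the "ad.example.com"
// zone statement above and point the NS record (with glue) at them:
//   ad        IN NS    dc1.ad.example.com.
//   dc1.ad    IN A     192.0.2.10
```

An address-based allow-update trusts the source IP only, so confining it to the child zone limits what a spoofed or compromised updater can change.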
