dynamic DNS

Jim Reid jim at rfc1035.com
Fri Apr 26 16:23:28 UTC 2002


>>>>> "Armin" == Armin Safarians <armin.safarians at safeway.com> writes:

    Armin>     I'm new to this whole dynamic DNS and I rather not use
    Armin> it however Active Directory uses that to update the zone
    Armin> files dedicated to them.  My question is, Should I upgrade
    Armin> to Bind 9 before using Dynamic updates since I can use
    Armin> DNSSec, or is it not an entire Sin to implement under
    Armin> 8.2.3.

As a general rule, you'll be better off running BIND9.

There's no need to couple Dynamic Updates with DNSSEC in your
environment. In fact, there's little point using DNSSEC if you have
W2K and Active Directory. The M$ name server does not support DNSSEC.

What you should do is delegate the zones used by W2K to some M$ name
servers. Consult the list archives for details. This will allow the
W2K clients to make Dynamic Updates for things like AD entries using
the GSS-TSIG protocol which is currently only understood by the M$
name server. This at least allows those update requests to be
authenticated. If you host those zones on a BIND[89] server, you can
only authenticate the requests based on their source IP address which
can of course be easily forged.
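
Added example, not part of the original post: a named.conf sketch contrasting the address-only update check described above with the delegation approach. The names example.com and dc1.example.com and the 192.0.2.x addresses are placeholders, and the four underscore subdomains are the ones Active Directory conventionally registers its records under; the post itself does not name them.

```conf
// Constructed example: example.com, dc1.example.com and 192.0.2.x are
// placeholders, not values from the post.

// Weak: an AD zone hosted on the BIND 8/9 server. The only check on an
// update request is its source address, which a sender can forge.
zone "_msdcs.example.com" {
    type master;
    file "db._msdcs.example.com";
    allow-update { 192.0.2.0/24; };
};

// Alternative from the post: BIND keeps the parent zone static and
// accepts no dynamic updates for it at all.
zone "example.com" {
    type master;
    file "db.example.com";
    allow-update { none; };
};

// db.example.com then delegates the AD subdomains to the Microsoft name
// server, which authenticates client updates with GSS-TSIG:
//
//   _msdcs   IN NS  dc1.example.com.
//   _sites   IN NS  dc1.example.com.
//   _tcp     IN NS  dc1.example.com.
//   _udp     IN NS  dc1.example.com.
//   dc1      IN A   192.0.2.10
```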

