BIND, Active Directory, DDNS, with no Microsoft DNS

Danny Mayer mayer at
Sat Dec 28 04:05:30 UTC 2002

At 01:28 PM 12/27/02, Rob Payne wrote:
>Take a look at Cricket Liu's latest book (DNS & BIND Cookbook).
>There are recipes in there describing how to do this.  Your Windows
>admin is probably thinking of setting up the _udp, _tcp, _msdcs and
>_sites sub-domains under
>By the way, you don't lose TSIG.  MS DNS does not support TSIG.
>Dynamic updates under Windows use GSSTSIG, which is a different beast.
>You are probably right, BIND will probably support GSSTSIG at some
>point.  There are, however, known standard definition problems between
>the two Windows implementations of GSSTSIG.

You can use your DHCP server to register IP names and addresses and
it can use TSIG to the DNS to do this securely. You should turn off DNS
registration in all of the Windows clients or they will continue to attempt
to register themselves. Even if they succeed, they will do it all over again
every 24 hours. That's what makes it worthwhile taking the trouble to
turn it off. Note that this happens even with static IP addresses.

Note that the proposed GSS-TSIG draft violates the TSIG RFC as it
currently stands. There have been discussions on how to resolve this
but there is no agreement yet as far as I know.


>                                 -rob
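
An added configuration sketch, not part of the original post, for the setup the reply describes: a DHCP server that registers names in BIND using TSIG-signed updates. It assumes ISC dhcpd and BIND 9 on one host; the zone names, file paths, key name and secret are placeholders.

```conf
# ---- named.conf (BIND 9) ----
# Shared TSIG key; generate the secret with tsig-keygen and keep this
# stanza in a file readable only by the named and dhcpd accounts.
key "dhcp-ddns" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   # placeholder, not a real key
};

zone "corp.example.com" {                  # assumed forward zone
    type master;
    file "dynamic/corp.example.com.db";
    # Only updates signed with the key are accepted, and only for the
    # record types the DHCP server writes.
    update-policy { grant dhcp-ddns zonesub A TXT DHCID; };
};

zone "10.168.192.in-addr.arpa" {           # assumed reverse zone
    type master;
    file "dynamic/192.168.10.rev";
    update-policy { grant dhcp-ddns zonesub PTR; };
};

# ---- dhcpd.conf (ISC dhcpd) ----
ddns-updates on;
ddns-update-style standard;    # use "interim" on releases before 4.3
ddns-domainname "corp.example.com.";
ddns-rev-domainname "in-addr.arpa.";
ignore client-updates;         # server registers A and PTR, not the client

key "dhcp-ddns" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";
};

zone corp.example.com. {
    primary 127.0.0.1;         # assumed: named on the same host
    key dhcp-ddns;
}
zone 10.168.192.in-addr.arpa. {
    primary 127.0.0.1;
    key dhcp-ddns;
}
```

With this policy, unsigned updates sent directly by Windows clients are refused and logged by named, but the clients keep retrying until registration is turned off on them as the reply advises.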
