Problems with DDNS

Barry Finkel b19141 at
Fri Feb 8 14:07:37 UTC 2002

Paco Orozco <nospam at> wrote:

>>>I have got several Windows 2000 servers, involved in Active Directory.
>>>They modify via DDNS some DNS records in
>>>All servers that need DDNS are part of zone, but all
>>>of them aren't on the same segment, they aren't on the same
>>> zone.
>>>When a server modifies a record in, it can't do it in
>>>its reverse zone (
>>>One solution is to allow DDNS on all reverse zones which contain
>>>servers with DDNS needs, but is there any solution? Can I limit DDNS
>>>updates on the in-addr.arpa zone only to machines in

I replied:

>>You did not say how large your address space is.  What I did is take
>>the five specific 255-address subnets that needed to be dynamic and
>>delegate those subnets to my W2k DNS box.  I do not know if one can
>>delegate less than 255 addresses; I assume that following RFC 2317
>>it is possible.  I have enough subnets that I do not have to worry
>>about RFC 2317.  I have only one forward and its five reverse zones
>>on the W2k box (in addition to 24 "_" zones) because I still do not
>>trust the W2k DNS code.  These 1+5 zones are there because the owner
>>of the zones wanted them to be dynamic, managed by his W2k DHCP

And Paco replied:

>In my scenario there are servers in several zones. I
>can't join them in only one/two/three zones. Imagine several depts.,
>every dept. has a zone (C class), and every dept. joins
>a server to the domain.
>This is my scenario.

If each department has its own Class C zone, then you can take
each Class C zone (for those departments that wish to participate in AD
DDNS) and make it dynamic.  Your other Class C zones can remain static.
You can move the dynamic reverse zones to a W2k DNS box, as I have
done; or you can leave those zones on BIND.  You have less security
with the dynamic zones on BIND, as BIND does not implement the GSS-API
Microsoft secure updates.

In my case, I have my onsite slaves, and,
set in all clients to be the DNS servers to be queried.  My master
BIND server,, is a hidden master.  Both onsite slaves
are authoritative for our class B 146.139.x.x network, so I did not
have to do anything special to move 146.139.224.x to the W2k DNS
server.  That zone is slaved on my dns1 and dns2, so clients still
query dns1 or dns2, and they retrieve entries from the 146.139.224.x
zone.  BIND does not care if the zone on the slave is separate or
part of the larger 146.139.x.x zone.

Barry S. Finkel
Electronics and Computing Technologies Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at
Argonne, IL   60439-4828             IBMMAIL:  I1004994
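A worked example of the two delegation shapes discussed above: Barry's straight /24 reverse delegation and the RFC 2317 classless form he assumes exists for smaller blocks, plus a named.conf stanza that limits dynamic updates on the delegated zone to the subnet Paco asked about. This is added example code, not from the thread; the 146.139.224.x network comes from the message, while the /26 prefix and the nameserver name dns1.example.test. are assumed values.

```python
import ipaddress

def reverse_delegation(cidr, nameservers):
    """Return (parent_zone, child_zone, records) for delegating the reverse
    zone of `cidr`.  A /24 is delegated directly with NS records in the
    /16's in-addr.arpa zone.  A /25../31 uses the RFC 2317 pattern: a child
    zone named "<first-octet>/<prefix>" under the /24 reverse zone, NS
    records for it in the parent, and one CNAME per address in the parent
    pointing into the child zone, so only the child zone needs to be dynamic."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
    if net.version != 4 or not 24 <= net.prefixlen <= 31:
        raise ValueError("expected an IPv4 /24 .. /31 block")
    o1, o2, o3, o4 = str(net.network_address).split(".")
    records = []
    if net.prefixlen == 24:
        parent = f"{o2}.{o1}.in-addr.arpa."
        child = f"{o3}.{parent}"
        records += [f"{child} IN NS {ns}" for ns in nameservers]
        return parent, child, records
    parent = f"{o3}.{o2}.{o1}.in-addr.arpa."
    child = f"{o4}/{net.prefixlen}.{parent}"
    records += [f"{child} IN NS {ns}" for ns in nameservers]
    for addr in net:  # every address in the block, network and broadcast included
        last = str(addr).rsplit(".", 1)[-1]
        records.append(f"{last}.{parent} IN CNAME {last}.{child}")
    return parent, child, records

def bind_zone_stanza(child, filename, updaters):
    """named.conf zone block for the delegated child zone with allow-update
    restricted to the given address-match-list entries (constructed example;
    a TSIG key in this list is stronger than bare source addresses)."""
    acl = " ".join(f"{u};" for u in updaters)
    return (f'zone "{child.rstrip(".")}" {{\n'
            "    type master;\n"
            f'    file "{filename}";\n'
            f"    allow-update {{ {acl} }};\n"
            "};")

if __name__ == "__main__":
    # Assumed values: a /26 carved from the 146.139.224.x block, one nameserver.
    parent, child, recs = reverse_delegation("146.139.224.0/26", ["dns1.example.test."])
    print(f"; add to {parent}")
    print("\n".join(recs[:3] + ["; ..."] + recs[-1:]))
    print(bind_zone_stanza(child, "db.146.139.224.0-26", ["146.139.224.0/26"]))
```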
