BIND 8.2 based DNS and AD

Scott Bertilson scott at nts.umn.edu
Tue Nov 12 00:01:41 UTC 2002


> During extensive lab testing, we seem to have found something of an
> issue with both Nortel NetID 4.2.x and Lucent QIP 5.2 in an AD
> environment.
> Out of the box AD (as we'd like very much to leave it) relies on
> individual DCs and GCs being able to dynamically register SRV records.
> Both of these products support the relevant RFC, all good so far.
> However, both products appear to 'clean up' (remove) dynamically
> registered SRV records intermittently. This, if it occurs during an
> attempt by AD to run a replication cycle causes all manner of merry
> hell to break loose. The SRVs are normally de-registered and
> re-registered by individual DCs every 60 minutes by default, which
> often leaves us with between 1 and 59 minutes with potentially no SRV
> records existing for our DNS zones.......not good. Lucent have a
> workaround which effectively hard codes the SRVs by running a CLI
> using 'append mode', and we presume Nortel have a similar 'fix'.
> Wanting to implement the most suitable product for a primarily AD
> based infrastructure, I would like to know whether anyone else has
> encountered this issue and if it is (as it seems) a feature of BIND??

  Well, as far as QIP is concerned (we run QIP 5.0SP3 and have
done some testing of QIP 6.0), I'd be inclined to believe
that the loss of these records is due to the fact that both
QIP and BIND believe they are the canonical repository for
DNS data.  The CLI you mention is a kludge that tries to keep
the QIP database backend in line with the picture of the data
held by BIND after DDNS updates.  You should probably look at
QIP 6 and try it with the Lucent DNS server because they claim
to have an improved mechanism for keeping the database
synchronized with BIND.  I believe the new mechanism involves their
DNS server generating database updates based on the DDNS
updates it receives.  This seems more likely to eliminate
the divergence between BIND and the database, but I'm very
reticent to give up our ability to build BIND from source
(to the best of my knowledge Lucent has no plans to release
their source or document the mechanism to allow an open source
implementation).
					Scott
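An added example, not from this thread or from either vendor: a Python check that parses the SRV records in a zone snapshot and reports which expected domain controllers have lost their registrations, so a scrub of the kind described above is noticed before the next re-registration cycle. The zone content and host names are constructed, and GC records are assumed to live in the same zone (single-domain forest).

```python
import re
# Standard SRV owner names (relative to the AD domain) that each DC registers;
# GC owners are under the forest root, assumed here to be the same zone.
DC_SRV_NAMES = ("_ldap._tcp", "_ldap._tcp.dc._msdcs", "_kerberos._tcp", "_kpasswd._tcp")
GC_SRV_NAMES = ("_gc._tcp", "_ldap._tcp.gc._msdcs")

# Zone-file SRV line: owner [ttl] [IN] SRV priority weight port target
SRV_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+\d+\s+\d+\s+\d+\s+(?P<target>\S+)$",
    re.IGNORECASE,
)

# Constructed snapshot of a zone after a scrub: dc1 intact, dc2 mostly gone.
SAMPLE_ZONE = """
; dc1.example.com is a DC and GC; dc2.example.com is a DC only
_ldap._tcp.example.com.           600 IN SRV 0 100 389  dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389  dc1.example.com.
_kerberos._tcp.example.com.       600 IN SRV 0 100 88   dc1.example.com.
_kpasswd._tcp.example.com.        600 IN SRV 0 100 464  dc1.example.com.
_gc._tcp.example.com.             600 IN SRV 0 100 3268 dc1.example.com.
_ldap._tcp.gc._msdcs.example.com. 600 IN SRV 0 100 3268 dc1.example.com.
_ldap._tcp.example.com.           600 IN SRV 0 100 389  dc2.example.com.
"""

def parse_srv(zone_text):
    """Return {owner: set(targets)} for every SRV line; comments are ignored."""
    srv = {}
    for line in zone_text.splitlines():
        m = SRV_RE.match(line.split(";", 1)[0].strip())
        if m:
            owner = m.group("owner").rstrip(".").lower()
            srv.setdefault(owner, set()).add(m.group("target").rstrip(".").lower())
    return srv

def missing_srv(zone_text, domain, dcs, gcs=()):
    """Map each host to the SRV owner names it should appear under but does not."""
    srv = parse_srv(zone_text)
    domain = domain.rstrip(".").lower()
    gaps = {}
    for host, names in [(h, DC_SRV_NAMES) for h in dcs] + [(h, GC_SRV_NAMES) for h in gcs]:
        host = host.rstrip(".").lower()
        for name in names:
            owner = f"{name}.{domain}"
            if host not in srv.get(owner, set()):
                gaps.setdefault(host, []).append(owner)
    return gaps

if __name__ == "__main__":
    print(missing_srv(SAMPLE_ZONE, "example.com", ["dc1.example.com", "dc2.example.com"], ["dc1.example.com"]))
```

Feed it a periodic zone transfer or `dig` dump of the AD zone and alert on a non-empty result; an empty dict means every listed DC and GC is still registered.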


More information about the bind-users mailing list