MS Active Directory and DNS and Bind 4TH Edition

rene mathis rene at solosaina.ch
Fri Jun 18 12:01:21 UTC 2004


On Thu, 17 Jun 2004 20:27:41 -0400, Kevin Darcy wrote
> Martin McCormick wrote:
> >	I understand that bind9.3 can now use GSS-tsig signatures which is
> >what MS DNS's use.
> >
> >	What has this development changed about the suggested
> >architecture?  Is the method recommended as best practice still valid?
> >
> The GSS-TSIG stuff is still relatively new. 9.3 is still in beta. I 
> think it's a little premature to be talking about changing best 
> practices. Also, GSS-TSIG is not the only factor here, there are 
> also operational considerations. How easy is it to configure and 
> maintain all of the Kerberos-principal gunk in BIND? How likely is 
> it that a DC will go insane and munge your zone data? Best practices 
> emerge from extensive field experience, and very few people, if any, 
> have that with respect to the new GSS-TSIG support in BIND (perhaps 
> some of the Lucent QIP users could speak up at this point, since 
> QIP's modified BIND has supported GSS-TSIG for a while now).
> 
We have now been using the QIP-BIND with GSS-TSIG on SUN Solaris for a while 
in a production environment and have had good experiences with it. But I had to set up a 
MIT Kerberos infrastructure (KDC and slave KDC) on the UNIX servers, because 
I was not allowed by the Security Department to use the Active Directory 
infrastructure. Even though this solution works very well for us using Lucent 
VitalQIP as the DNS management tool, it is not easy to set up.
--
Rene Mathis
rene at solosaina.ch