Bind 9

Kevin Darcy kcd at daimlerchrysler.com
Sat Mar 27 00:15:18 UTC 2004


jt wrote:

>Hi all,
>--------------------------
>we' re planning to switch from the Win2K - DNS to a BIND9 - based DNS for
>several reasons.
>This makes several questions popping up.....
>
>I know the question sounds dumb, but does this affect the AD operation in
>any way ?
>
>The DDNS feature in Bind9 should enable us to automatically update the DNS
>if required,
>do there exist requirements to have a specific DHCP in use as to get DDNS
>running ?
>
The Win2K clients can be configured to register their names in DNS. You 
can configure either your Win2K clients or your DHCP server (Win2K or 
otherwise) to register the reverse records for those clients in DNS via 
Dynamic Update. HOWEVER, please realize that you have no capability to 
do crypto-secure Dynamic Updates between the Win2K environment and the 
BIND environment, due to the fact that each environment speaks a version 
of crypto that is incompatible with the other. So the most you'd be able 
to do is to lock things down by Dynamic Update client address, and if you 
have Win2K clients all over the place, that's basically no security at all.

The same considerations apply to Active Directory domain controllers and 
their desire to write SRV records into DNS zones. Although in that case 
you have far fewer Dynamic Update clients, and so it may be 
feasible to lock these down by source address. For that matter, since 
the SRV records don't change that often, you could turn off Dynamic 
Update altogether and just manually update DNS from the domain 
controllers' netlogon.cnf (or whatever it's called) file every time 
something changes. Another option is to leave the "underscore" 
subdomains, e.g. _msdcs, _tcp, _udp, etc., in MSDNS, delegating them as 
subzones from your main zone. Yet another option is to pick some totally 
separate domain for your AD stuff.

                                 - Kevin
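As an added illustration of the update-control options Kevin describes (this is not part of the original post or of any project's configuration), the following BIND 9 named.conf fragment shows address-based locking of a zone to a couple of domain controllers, the wide-open address list that amounts to "no security at all", and a TSIG-keyed update path for a non-Windows updater such as a DHCP server that speaks BIND's own crypto. The zone name example.com, the 192.0.2.0/24 addresses, the key name dhcp-update and the secret are all placeholders.

```conf
// Added example, not from the original post. Zone names, addresses and
// key material are placeholders; generate your own TSIG secret.

// TSIG key shared only with an updater that speaks BIND-compatible crypto
// (e.g. a DHCP server doing Dynamic Update). Win2K clients and DCs cannot
// use this key, which is the limitation discussed in the reply above.
key "dhcp-update" {
    algorithm hmac-md5;
    secret "PLACEHOLDER-BASE64-SECRET==";   // replace with generated key
};

// Forward zone holding the AD SRV records. With only a handful of domain
// controllers acting as Dynamic Update clients, locking by source address
// is feasible, as the reply notes.
zone "example.com" {
    type master;
    file "db.example.com";
    allow-update { 192.0.2.10; 192.0.2.11; };   // the two DCs only
    // The "no security at all" case the reply warns about would look like:
    //   allow-update { 192.0.2.0/24; };   // every Win2K client can rewrite the zone
};

// Reverse zone for the client range. Here the updater is the DHCP server
// rather than the clients, so the zone is locked to the TSIG key instead
// of to an address; an update without a valid signature is refused.
zone "2.0.192.in-addr.arpa" {
    type master;
    file "db.192.0.2";
    allow-update { key "dhcp-update"; };
};
```

If instead the "underscore" subdomains (_msdcs, _tcp, _udp, etc.) stay in MSDNS, example.com on the BIND side needs no allow-update for the DCs at all; it only carries the NS records delegating those names to the Windows servers, and the dynamic registration happens entirely within the Microsoft zones.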