BIND 9.3.0 and AD

Danny Mayer mayer at gis.net
Mon Sep 27 00:33:34 UTC 2004


At 11:58 AM 9/26/2004, Johan Ihrén wrote:
>Hi Alan,
>
> > * Does the new DNSSEC stuff allow for signed and/or encrypted transfers and
> > updates to/from Active Directory DNS? I am currently allowing these
> > interactions based on IP address alone, and am reminded in the logs that
> > this is unsafe.
>
>You really want to do TSIG signed zone transfers. This has been working
>for years and is not dependent upon the new DNSSEC stuff.

Windows DNS (AD-integrated or not) does not support TSIG. What
Windows supports is GSS-TSIG which is different and I don't believe
it supports zone transfers anyway.

> > * Since I have a couple of AD domains I also have a number of underscore
> > characters in a couple of zone data files, and have set check-names to
> > ignore. This seems like a shame. Is there a "smaller hammer" I can use to
> > allow the AD zone data to live in my DNS? For the most part I have pasted
> > the netlogin.dns file into my zone data, but in two cases I am actually
> > allowing updates from the AD DNS, which is using me as forwarder. It would
> > be nice to make use of check-names, but the two AD zones that are sending
> > updates are very chatty, and I worry about log volumes and admin numbness if
> > I just log the offending names.

The SRV records are required to have underscores in the name if I
understand the protocol correctly. Are you talking about the A records?

Danny
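A named.conf sketch of the two suggestions in this exchange (TSIG-restricted zone transfers, and relaxing check-names only on the AD zones instead of globally), added here as an example and not taken from the thread. The key name, secret, zone names and addresses are placeholders; as Danny notes, Windows DNS does not speak TSIG, so the key-based transfer ACL applies to BIND peers only and the AD zones keep an address-based update ACL.

```conf
// Added example, not from the thread. Key name, secret, zone names and
// addresses are placeholders.

// Shared secret for BIND-to-BIND zone transfers. Generate one with
// dnssec-keygen -a HMAC-MD5 -b 128 -n HOST xfer-key (secret below is a placeholder).
key "xfer-key" {
    algorithm hmac-md5;
    secret "PLACEHOLDER-BASE64-SECRET==";
};

// Sign requests this server sends to the peer at 192.0.2.53 (e.g. NOTIFY);
// incoming transfer requests are checked by allow-transfer below.
server 192.0.2.53 {
    keys { "xfer-key"; };
};

options {
    directory "/var/named";
    // Global policy: refuse bad names in zones we load, only warn on answers.
    check-names master fail;
    check-names response warn;
    // A transfer must carry a valid TSIG signature, not just come from a
    // trusted address.
    allow-transfer { key "xfer-key"; };
};

// Ordinary zone: inherits the strict global check-names setting.
zone "example.net" {
    type master;
    file "example.net.db";
};

// AD zone: relax check-names here only (the "smaller hammer"), and accept
// dynamic updates just from the AD DNS servers that forward through us.
zone "ad.example.net" {
    type master;
    file "ad.example.net.db";
    check-names ignore;
    allow-update { 192.0.2.10; 192.0.2.11; };
};
```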



More information about the bind-users mailing list