Bind 9.1 As SOA with Windows 2003 DNS Server

Kevin Darcy kcd at
Fri Oct 6 19:58:03 UTC 2006

Skywalker wrote:
> Currently in an NT 4 domain with a Windows 2003 DNS server.  The Bind
> server is the SOA for the zone.  We plan to keep the BIND server as the
> SOA. The BIND server has multiple interfaces, so it is serving DNS
> internally and externally on our network. Firewall rules block
> computers from performing dynamic DNS updates to the BIND server. We
> want the dynamic updates to happen on the Windows 2003 DNS server.
> Network traces prove that the computers only attempt to update the BIND
> server after performing an SOA query. Obviously, we are not using
> Active Directory Integrated DNS nor do I know at this point if that
> will happen.  We will have a Windows 2003 domain controller in the next
> couple of weeks.  When we try to run dynamic DNS from an XP client, the
> computer cannot register itself on the Windows 2003 DNS server as it is
> not the SOA for that zone.  We have proved that the computer can
> register itself on the Windows 2003 DNS server, if the Windows 2003 DNS
> server is the SOA for the zone.  There are no plans to remove BIND.
> Does anyone have a solution? Any information would be helpful.
I had to read your message several times before I got a sense of what 
you meant by "is the SOA for the zone". Eventually, the conclusion I 
came to is that the MNAME field of the zone's SOA RR contains the name 
of a BIND server. Is that correct? Is there any reason to keep things 
that way? Seems like you'd make your life a lot easier if you just put 
the name of your Windows DNS server there. Note that changing the value 
of SOA.MNAME, _ipso_facto_ has no implications whatsoever on what kind 
of software you run on what servers, to support your DNS infrastructure. 
It doesn't imply, for instance, that you can't run BIND any more.

In any case, according to the Dynamic Update RFC (2136), what you're 
trying to do _should_ work, even with the BIND server in the SOA.MNAME, 
but *if*and*only*if* the name of the Windows DNS server is in the NS 
records of the zone. The basic algorithm is: try the SOA.MNAME, if there 
is also an NS record for it in the zone; if that doesn't work, then try 
the other NS records. If your clients aren't failing over to the other 
servers in the NS records of the zone, then I would say they aren't 

If the Windows DNS box isn't in the SOA.MNAME, and it isn't in the NS 
records for the zone, I'm not sure how you expected the Dynamic Update 
clients to be able to find it. Extra-sensory perception?

      - Kevin
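Added example, not part of the original thread or anyone's posted code: a small Python model of the RFC 2136 section 4.3 selection rule Kevin describes above (try SOA.MNAME if it is also in the zone's NS RRset, then fall back to the other NS records). It parses two constructed zone fragments, one where the Windows server is missing from the NS RRset and one where it is listed, and simulates the firewall that blocks UPDATE to the BIND server. All host names (`ns-bind.example.test.`, `dns-win2003.example.test.`) and record values are made up for the illustration; the real zone data from the thread is not shown on the page.

```python
"""
Added example (not from the original bind-users thread): a model of the
RFC 2136 section 4.3 target-selection rule, "try SOA.MNAME if it is also
listed in the zone's NS RRset, then fall back to the other NS records".
The zone snippets and host names below are constructed for illustration.
"""

import re

# Constructed zone fragments (not the poster's real zone). Only the SOA and
# NS records matter for update-target selection, so that is all we keep.
ZONE_WINDOWS_NOT_IN_NS = """\
example.test.  IN SOA ns-bind.example.test. hostmaster.example.test. 2006100601 3600 900 604800 300
example.test.  IN NS  ns-bind.example.test.
"""

ZONE_WINDOWS_IN_NS = """\
example.test.  IN SOA ns-bind.example.test. hostmaster.example.test. 2006100601 3600 900 604800 300
example.test.  IN NS  ns-bind.example.test.
example.test.  IN NS  dns-win2003.example.test.
"""

SOA_RE = re.compile(r"^\S+\s+IN\s+SOA\s+(\S+)\s+", re.IGNORECASE)
NS_RE = re.compile(r"^\S+\s+IN\s+NS\s+(\S+)\s*$", re.IGNORECASE)


def parse_apex(zone_text):
    """Return (soa_mname, [ns names]) from a zone fragment, names lower-cased."""
    mname = None
    nameservers = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = SOA_RE.match(line)
        if m:
            mname = m.group(1).lower()
            continue
        m = NS_RE.match(line)
        if m:
            nameservers.append(m.group(1).lower())
    if mname is None:
        raise ValueError("zone fragment has no SOA record")
    return mname, nameservers


def update_targets(mname, nameservers):
    """Order in which an RFC 2136 requestor tries servers for UPDATE.

    MNAME goes first only when it also appears in the NS RRset; every other
    NS follows in zone order. A name that is in neither place is never tried,
    which is the situation the reply above warns about.
    """
    order = []
    if mname in nameservers:
        order.append(mname)
    for ns in nameservers:
        if ns not in order:
            order.append(ns)
    return order


def simulate_update(zone_text, reachable):
    """Walk the target list and return the first server that accepts the
    UPDATE, or None. `reachable` stands in for the firewall: the set of
    servers the client is allowed to send dynamic updates to.
    """
    mname, nameservers = parse_apex(zone_text)
    for server in update_targets(mname, nameservers):
        if server in reachable:
            return server
    return None


if __name__ == "__main__":
    # The firewall blocks UPDATE to the BIND server, so only the Windows
    # server is reachable for dynamic updates (constructed scenario).
    allowed = {"dns-win2003.example.test."}
    print("Windows box absent from NS :", simulate_update(ZONE_WINDOWS_NOT_IN_NS, allowed))
    print("Windows box listed in NS   :", simulate_update(ZONE_WINDOWS_IN_NS, allowed))
```

With the Windows server absent from the NS RRset the client never has it on its candidate list and the registration fails; once it is added as an NS record the client falls through from the blocked MNAME to the Windows server. The same check can be run against a real zone by feeding the output of an SOA and NS query into `parse_apex`.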
