FW: Problems with our migration from MS to BIND this weekend

Chris Cox chris_cox at stercomm.com
Thu Sep 27 21:40:47 UTC 2007

Mosemann, Russell wrote:
> Chris Cox said:
>> Also your AD controllers will need the ability to
>> make updates to the _ zones... you'll need to add
>> those zones to your bind config and make sure an
>> acl (or whatever) is in place to allow the AD servers
>> to manage those zones.
> Or you can delegate those zones to DNS on your AD servers and let the AD
> servers manage those zones.

That's the "popular" solution, but I don't see any reason for this.
Our AD uses BIND, and we haven't seen any issues.

With that said, our dynamic (DDNS) entries are strictly managed
by ISC DHCP and management systems with KEY'D (TSIG) access to talk to
our bind server.  Letting Microsoft clients have DDNS capability is
just plain wrong from a security point of view.

The only things making updates outside of TSIG access are our
AD servers and then, ONLY for the _udp, _msdcs, _sites and _tcp
zones.  For now, we allow that access to those zones for
updating by IP (not the most secure thing, but in reality
if you've got folks somehow spoofing themselves on your network,
everything is already toast anyhow).

Chris Cox
Sr. Unix Sys Admin
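As an added illustration of the split Chris describes (not configuration from the original post), here is a BIND 9 named.conf fragment in which the parent zone accepts dynamic updates only from the DHCP server's TSIG key, while the four AD subzones are updatable by the domain controllers' addresses. The zone name, addresses and key material are constructed placeholders.

```conf
// Added example, not from the original post. Zone name, addresses
// and secret are hypothetical placeholders.

// TSIG key shared with the ISC DHCP server (generate a real one with
// tsig-keygen); clients without this key cannot update the parent zone.
key "dhcp-update" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET==";
};

// Addresses of the AD domain controllers (hypothetical).
acl "ad-dcs" { 192.0.2.10; 192.0.2.11; };

// Parent zone: updates only via the DHCP server's key, so Windows
// clients cannot register themselves directly.
zone "example.internal" {
    type master;
    file "dynamic/example.internal";
    allow-update { key "dhcp-update"; };
};

// AD-managed subzones, served as separate zones so the DCs can update
// them without touching the parent. Update access is by source address
// here, which is the weaker option the post acknowledges; a per-DC TSIG
// key in allow-update would tighten it.
zone "_msdcs.example.internal" {
    type master;
    file "dynamic/_msdcs.example.internal";
    allow-update { "ad-dcs"; };
};

zone "_sites.example.internal" {
    type master;
    file "dynamic/_sites.example.internal";
    allow-update { "ad-dcs"; };
};

zone "_tcp.example.internal" {
    type master;
    file "dynamic/_tcp.example.internal";
    allow-update { "ad-dcs"; };
};

zone "_udp.example.internal" {
    type master;
    file "dynamic/_udp.example.internal";
    allow-update { "ad-dcs"; };
};
```

Because BIND always answers from the most specific zone it loads, the subzones take precedence over the parent for those names; adding NS delegation records for them in the parent is only needed if other servers will host them.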
