FW: Problems with our migration from MS to BIND this weekend

Mark Andrews Mark_Andrews at isc.org
Fri Sep 28 00:37:45 UTC 2007

> Mosemann, Russell wrote:
> > Chris Cox said:
> >> Also your AD controllers will need the ability to
> >> make updates to the _ zones... you'll need to add
> >> those zones to your bind config and make sure an
> >> acl (or whatever) is in place to allow the AD servers
> >> to manage those zones.
> > 
> > Or you can delegate those zones to DNS on your AD servers and let the AD
> > servers manage those zones.
> That's the "popular" solution, but I don't see any reason for this.
> Our AD uses BIND, and we haven't seen any issues.
> With that said, our dynamic (DDNS) entries are strictly managed
> by ISC DHCP and management systems with KEY'D (TSIG) access to talk to
> our bind server.  Letting Microsoft clients have DDNS capability is
> just plain wrong from a security point of view.

	Actually it's perfectly reasonable in some circumstances.
> The only things making updates outside of TSIG access are our
> AD servers and then, ONLY for the _udp, _msdcs, _sites and _tcp
> zones.  For now, we allow that access to those zones for
> updating by IP (not the most secure thing, but in reality
> if you've got folks somehow spoofing themselves on your network,
> everything is already toast anyhow).

	BIND 9.5 (in alpha) supports GSS-TSIG.

> -- 
> Chris Cox
> Sr. Unix Sys Admin
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
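The two update models discussed in this thread side by side, as an added named.conf example (not from any poster in the thread and not ISC's own configuration): the IP-only allow-update for the AD-managed _msdcs zone that Chris describes, a TSIG key for the DHCP server's updates to the forward zone, and the GSS-TSIG configuration that Mark says BIND 9.5 supports. All names, addresses, the realm and the key material are constructed placeholders.

```conf
// --- Weak variant (as described for the AD underscore zones):
// updates are accepted purely on source IP, so anyone who can
// spoof or control a DC address on the LAN can rewrite SRV records.
zone "_msdcs.example.com" {
    type master;
    file "db._msdcs.example.com";
    allow-update { 192.0.2.10; 192.0.2.11; };   // constructed DC addresses
};

// --- TSIG variant (as used for ISC DHCP in the thread):
// the DHCP server signs each update with a shared secret, and the
// policy limits it to host-type records below the zone apex.
key "dhcp-update-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET-FROM-tsig-keygen";   // placeholder
};

zone "example.com" {
    type master;
    file "db.example.com";
    update-policy {
        grant dhcp-update-key subdomain example.com. A AAAA PTR TXT;
    };
};

// --- GSS-TSIG variant (BIND 9.5 or later, assumed realm EXAMPLE.COM):
// domain members authenticate with Kerberos, so each machine may only
// change its own records and DCs are limited to the service records.
options {
    tkey-gssapi-credential "DNS/ns1.example.com@EXAMPLE.COM";
    tkey-domain "EXAMPLE.COM";
};

zone "_msdcs.example.com" {
    type master;
    file "db._msdcs.example.com";
    update-policy {
        grant EXAMPLE.COM ms-subdomain _msdcs.example.com. SRV CNAME;
    };
};

zone "example.com" {
    type master;
    file "db.example.com";
    update-policy {
        grant EXAMPLE.COM ms-self EXAMPLE.COM. A AAAA;
    };
};
```

Only one definition of each zone would appear in a real file; the duplicates here exist to show the weak and hardened forms next to each other. Run named-checkconf on the result before loading it.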
