Case For Microsoft DNS v. BIND 9 - Or Best Practices For Coexisting
mayer at gis.net
Mon Feb 9 02:57:05 UTC 2009
Vinny Abello wrote:
>> -----Original Message-----
>> From: Danny Mayer [mailto:mayer at gis.net]
>> Sent: Sunday, February 08, 2009 8:32 PM
>> To: Vinny Abello
>> Cc: Baird, Josh; bind-users at lists.isc.org
>> Subject: Re: Case For Microsoft DNS v. BIND 9 - Or Best Practices
>> Vinny Abello wrote:
>>>> Baird, Josh wrote:
>>>>> Actually, yes, if you have dynamic DNS registration enabled on the
>>>>> client/host and server, an 'A' record will automatically be created in
>>>>> the AD zone.
>>>> It needs to be registered in the domain first. Otherwise any system
>>>> could masquerade as another system.
>>> And they can if the administrator mistakenly allows unsecure dynamic
>> Registration of the system in ADS has nothing to do with dynamic
>> of the DNS records.
> Right. We're talking about dynamic updates in DNS, not the creation of
> computer accounts in AD. That was my point. If the allow dynamic updates
> setting is not set to secure only, anybody that can send a DDNS update
> to the server can update a record.
Microsoft's implementation of dynamic DNS requires that the client use
the GSS-TSIG protocol and the prerequisite for that is that the client
system is registered with ADS. After that it makes use of the GUID in
the GSS-TSIG protocol to register the DNS records for the system. If the
system is not registered it cannot use GSS-TSIG.
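The setting the thread turns on is the zone's "Dynamic updates" mode: anything other than "Secure only" lets any host that can reach the server rewrite records, while "Secure only" forces the GSS-TSIG path described above. The following audit-and-remediate script is an added example, not code from the thread or from either product; it assumes the DnsServer PowerShell module on a Windows Server DNS host, a session with DNS admin rights, and a hypothetical server name `dc01.example.internal`.

```powershell
# Added example (not from the thread): find Microsoft DNS primary zones that
# accept unauthenticated dynamic updates and switch them to Secure only, so
# that only GSS-TSIG authenticated (AD-joined) clients can update records.
Import-Module DnsServer

$DnsServer = 'dc01.example.internal'   # hypothetical DNS server name

function Get-WeakDynamicUpdateZone {
    param([string]$ComputerName)
    # Primary zones in NonsecureAndSecure mode: any system that can send a
    # DNS UPDATE to the server can overwrite records (the risk in the thread).
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object {
            $_.ZoneType -eq 'Primary' -and
            -not $_.IsAutoCreated -and
            $_.DynamicUpdate -eq 'NonsecureAndSecure'
        }
}

function Set-SecureDynamicUpdate {
    param([string]$ComputerName, [string]$ZoneName)
    # "Secure" is only offered for AD-integrated zones, because the update is
    # authenticated with the computer account's Kerberos identity (GSS-TSIG).
    $zone = Get-DnsServerZone -ComputerName $ComputerName -Name $ZoneName
    if (-not $zone.IsDsIntegrated) {
        Write-Warning "$ZoneName is file-backed, not AD-integrated; 'Secure' is not available. Consider converting it with ConvertTo-DnsServerPrimaryZone -ReplicationScope."
        return
    }
    Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $ZoneName -DynamicUpdate Secure
}

# Report the weak zones first, then remediate each one.
$weak = Get-WeakDynamicUpdateZone -ComputerName $DnsServer
$weak | Select-Object ZoneName, IsDsIntegrated, DynamicUpdate | Format-Table -AutoSize
foreach ($z in $weak) {
    Set-SecureDynamicUpdate -ComputerName $DnsServer -ZoneName $z.ZoneName
}
```

Run the report step alone first on a production server; the remediation loop changes live zone settings and should be applied zone by zone after checking which clients (e.g. non-domain DHCP clients) currently rely on unauthenticated updates.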