Case For Microsoft DNS v. BIND 9 - Or Best Practices ForCoexisting
Danny Mayer
mayer at gis.net
Mon Feb 9 02:57:05 UTC 2009
Vinny Abello wrote:
>> -----Original Message-----
>> From: Danny Mayer [mailto:mayer at gis.net]
>> Sent: Sunday, February 08, 2009 8:32 PM
>> To: Vinny Abello
>> Cc: Baird, Josh; bind-users at lists.isc.org
>> Subject: Re: Case For Microsoft DNS v. BIND 9 - Or Best Practices
>> ForCoexisting
>>
>> Vinny Abello wrote:
>>>> Baird, Josh wrote:
>>>>> Actually, yes, if you have dynamic DNS registration enabled on the
>>>> client/host and server, an 'A' record will automatically be created
>> in
>>>> the AD zone.
>>>> It needs to be registered in the domain first. Otherwise any system
>>>> could mascarade as another system.
>>>>
>>>> Danny
>>> And they can if the administrator mistakenly allows unsecure dynamic
>> updates.
>> Registration of the system in ADS has nothing to do with dynamic
>> updates
>> of the DNS records.
>
> Right. We're talking about dynamic updates in DNS, not the creation
> of
computer accounts in AD. That was my point. If the allow dynamic updates
setting is not set to secure only, anybody that can send a DDNS update
to the server can update a record.
>
Microsoft's implementation of dynamic DNS requires that the client use
the GSS-TSIG protocol and the prerequisite for that is that the client
system is registered with ADS. After that it makes use of the GUID in
the GSS-TSIG protocol to register the DNS records for the system. If the
system is not registered it cannot use GSS-TSIG.
Danny
More information about the bind-users
mailing list