Case For Microsoft DNS v. BIND 9 - Or Best Practices For Coexisting

Danny Mayer mayer at
Mon Feb 9 02:57:05 UTC 2009

Vinny Abello wrote:
>> -----Original Message-----
>> From: Danny Mayer [mailto:mayer at]
>> Sent: Sunday, February 08, 2009 8:32 PM
>> To: Vinny Abello
>> Cc: Baird, Josh; bind-users at
>> Subject: Re: Case For Microsoft DNS v. BIND 9 - Or Best Practices For Coexisting
>> Vinny Abello wrote:
>>>> Baird, Josh wrote:
>>>>> Actually, yes, if you have dynamic DNS registration enabled on the
>>>>> client/host and server, an 'A' record will automatically be created
>>>>> in the AD zone.
>>>> It needs to be registered in the domain first. Otherwise any system
>>>> could masquerade as another system.
>>>> Danny
>>> And they can if the administrator mistakenly allows unsecure dynamic
>>> updates.
>> Registration of the system in ADS has nothing to do with dynamic
>> updates of the DNS records.
> Right. We're talking about dynamic updates in DNS, not the creation of
> computer accounts in AD. That was my point. If the allow dynamic updates
> setting is not set to secure only, anybody that can send a DDNS update
> to the server can update a record.

Microsoft's implementation of dynamic DNS requires that the client use
the GSS-TSIG protocol and the prerequisite for that is that the client
system is registered with ADS. After that it makes use of the GUID in
the GSS-TSIG protocol to register the DNS records for the system. If the
system is not registered it cannot use GSS-TSIG.
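The two zone settings discussed in this thread, as an added BIND 9 illustration that is not part of any poster's configuration: the first zone accepts updates from anyone (the non-secure case Vinny describes), the second accepts only GSS-TSIG-signed updates, which ties each update to the Kerberos machine account a system receives when it joins the domain, as Danny explains. The zone name ad.example.com, the realm AD.EXAMPLE.COM and the keytab path /etc/named.keytab are assumptions chosen for the example.

```conf
// Added illustration for this thread; not the posters' named.conf.
// Assumed names: zone ad.example.com, realm AD.EXAMPLE.COM,
// keytab /etc/named.keytab. The two zone blocks are alternatives and
// must not both appear in one configuration.

// --- Weak: "allow dynamic updates" not restricted to secure only ------
// Any host that can reach the server may add or replace any record in
// the zone, so one system can take over another system's name.
zone "ad.example.com" {
    type master;
    file "ad.example.com.db";
    allow-update { any; };
};

// --- Secure only: updates must be signed with GSS-TSIG -----------------
// named needs a keytab holding its own DNS service principal so it can
// complete the TKEY negotiation with domain members.
options {
    tkey-gssapi-keytab "/etc/named.keytab";
};

zone "ad.example.com" {
    type master;
    file "ad.example.com.db";
    // update-policy replaces allow-update; the two are mutually exclusive.
    update-policy {
        // A Windows machine account (host$@AD.EXAMPLE.COM) may update only
        // the A and AAAA records of its own name, host.ad.example.com.
        // A system that is not registered in the domain has no such
        // principal and cannot sign an update at all.
        grant AD.EXAMPLE.COM ms-self . A AAAA;
    };
};
```

With the second form, a domain-joined client registers exactly as it does against Microsoft DNS in secure-only mode, while a client that merely knows the server's address gets its unsigned UPDATE refused. The ms-self rule also limits a valid principal to its own name, so a compromised or mis-configured member cannot rewrite another host's record.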
