ISC Bind in Active Directory

Nicholas F Miller nicholas.miller at Colorado.EDU
Wed Oct 24 13:50:37 UTC 2012


On Oct 24, 2012, at 7:12 AM, Matus UHLAR - fantomas wrote:

>> We use Bind for all DNS including DDNS for our AD. We use GSS-TSIG to
>> control what record types and machines can make dynamic updates to our AD
>> zone.  We use ISC's DHCP but don't allow it to do DNS updates since we use
>> GSS-TSIG at the client level instead. 
> 
> For me to understand: do your clients use GSS-TSIG to update themselves
> instead of DHCP server doing the same?

That is correct.

> 
>> On Oct 22, 2012, at 11:36 AM, Aaron Thompson wrote:
>>> Are you using AD or Bind for DNS/DHCP?  I'm assuming you're using AD for
>>> authentication.
> 
>>> On Oct 19, 2012, at 10:46 AM, Nicholas F Miller <nicholas.miller at Colorado.EDU> wrote:
>>>> DDNS record scavenging is the only feature I'm aware of that MS DNS has
>>>> that Bind doesn't.  On the flip side, ISC Bind can ACL who can add
>>>> certain record types to a dynamic zone using GSS-TSIG as well as
>>>> supports views and ACLs for recursion.  Everything else should be
>>>> standard DNS.
> 
> isn't the client self-registration the reason why scavenging is needed?

Scavenging is a concern but we didn't have much choice. Our AD is only one of many subdomains and our DHCP spans all of them. If we used DHCP for DDNS records we wouldn't be guaranteed unique names. By limiting DDNS to just the AD we are guaranteed unique names. We only needed DDNS in our AD so it made the most sense to use GSS-TSIG.

A dirty way to scavenge 'A' or 'AAAA' records is to compare the records in your DDNS zone to all of the existing computer objects in your AD. If an 'A' or 'AAAA' record is in your zone but no computer object matches it in the AD it can be assumed to be orphaned. Ldapsearch is a good tool to query the AD for computer objects.

_________________________________________________________
Nicholas Miller, OIT, University of Colorado at Boulder
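The orphan comparison described in the last paragraph, written out as an added example (this is not code from the list or from the poster). It assumes the zone contents and the `ldapsearch` output have already been captured as text (for instance a zone transfer of the DDNS zone and an LDIF dump of `objectClass=computer` with `dNSHostName`); both are embedded here as constructed samples with made-up hostnames and addresses, and the `exempt` list is a hypothetical knob for infrastructure hosts that legitimately have no computer object.

```python
"""Hypothetical scavenging helper: A/AAAA owners in a DDNS zone with no AD computer object."""

# Constructed sample in the shape of zone-transfer output (owner ttl class type rdata).
ZONE_DUMP = """\
ns1.ad.example.edu.        3600 IN A    192.0.2.53
ws-alice.ad.example.edu.   1200 IN A    192.0.2.101
ws-bob.ad.example.edu.     1200 IN AAAA 2001:db8::b0b
oldlab-07.ad.example.edu.  1200 IN A    192.0.2.207
_ldap._tcp.ad.example.edu.  600 IN SRV  0 100 389 dc1.ad.example.edu.
"""

# Constructed sample in the shape of
# `ldapsearch -LLL -b DC=ad,DC=example,DC=edu '(objectClass=computer)' dNSHostName`.
LDIF_DUMP = """\
dn: CN=WS-ALICE,CN=Computers,DC=ad,DC=example,DC=edu
dNSHostName: ws-alice.ad.example.edu

dn: CN=WS-BOB,CN=Computers,DC=ad,DC=example,DC=edu
dNSHostName: WS-BOB.ad.example.edu

dn: CN=DC1,OU=Domain Controllers,DC=ad,DC=example,DC=edu
dNSHostName: dc1.ad.example.edu
"""

def zone_address_records(zone_text: str) -> dict:
    """Map owner name (lowercased, no trailing dot) to its set of (type, rdata), A/AAAA only."""
    records = {}
    for line in zone_text.splitlines():
        parts = line.split()  # owner ttl class type rdata...
        if len(parts) >= 5 and parts[2] == "IN" and parts[3] in ("A", "AAAA"):
            records.setdefault(parts[0].rstrip(".").lower(), set()).add((parts[3], parts[4]))
    return records

def ad_hostnames(ldif_text: str) -> set:
    """Collect dNSHostName values from LDIF, normalised the same way as the zone owner names."""
    return {line.split(":", 1)[1].strip().rstrip(".").lower()
            for line in ldif_text.splitlines() if line.lower().startswith("dnshostname:")}

def orphaned_records(zone_text: str, ldif_text: str, exempt=()) -> dict:
    """A/AAAA owners in the zone with no matching computer object. `exempt` (hypothetical)
    lists non-member infrastructure names, e.g. the name servers, that would otherwise show up."""
    known = ad_hostnames(ldif_text) | {e.rstrip(".").lower() for e in exempt}
    return {o: rrs for o, rrs in zone_address_records(zone_text).items() if o not in known}

if __name__ == "__main__":
    for owner, rrs in sorted(orphaned_records(ZONE_DUMP, LDIF_DUMP, ["ns1.ad.example.edu"]).items()):
        for rtype, rdata in sorted(rrs):
            print(f"orphan candidate: {owner} {rtype} {rdata}")
```

Treat the output as candidates to review, not a delete list: a name that is missing from AD may still be a host that simply was never joined to the domain.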

