ISC Bind in Active Directory

Kevin Darcy kcd at chrysler.com
Wed Oct 24 15:54:05 UTC 2012


On 10/24/2012 9:50 AM, Nicholas F Miller wrote:
> On Oct 24, 2012, at 7:12 AM, Matus UHLAR - fantomas wrote:
>
>>> We use Bind for all DNS including DDNS for our AD. We use GSS-TSIG to
>>> control what record types and machines can make dynamic updates to our AD
>>> zone.  We use ISC's DHCP but don't allow it to do DNS updates since we use
>>> GSS-TSIG at the client level instead.
>> For me to understand: do your clients use GSS-TSIG to update themselves
>> instead of DHCP server doing the same?
> That is correct.
>
>>> On Oct 22, 2012, at 11:36 AM, Aaron Thompson wrote:
>>>> Are you using AD or Bind for DNS/DHCP?  I'm assuming you're using AD for
>>>> authentication.
>>>> On Oct 19, 2012, at 10:46 AM, Nicholas F Miller <nicholas.miller at Colorado.EDU> wrote:
>>>>> DDNS record scavenging is the only feature I'm aware of that MS DNS has
>>>>> that Bind doesn't.  On the flip side, ISC Bind can ACL who can add
>>>>> certain record types to a dynamic zone using GSS-TSIG as well as
>>>>> supports views and ACLs for recursion.  Everything else should be
>>>>> standard DNS.
>> isn't the client self-registration the reason why scavenging is needed?
> Scavenging is a concern but we didn't have much choice. Our AD is only one of many subdomains and our DHCP spans all of them. If we used DHCP for DDNS records we wouldn't be guaranteed unique names. By limiting DDNS to just the AD we are guaranteed unique names. We only needed DDNS in our AD so it made the most sense to use GSS-TSIG.
>
> A dirty way to scavenge 'A' or 'AAAA' records is to compare the records in your DDNS zone to all of the existing computer objects in your AD. If an 'A' or 'AAAA' record is in your zone but no computer object matches it in the AD it can be assumed to be orphaned. Ldapsearch is a good tool to query the AD for computer objects.
>
Why do you feel the need to register clients in your AD domain at all? 
We register our clients outside of the AD domain via the DHCP server; 
our AD domain only contains resource records that are actually relevant 
to AD (i.e. over 92% of the records in the zone are SRV records).

                     - Kevin
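The "dirty" scavenging check Nicholas describes above (compare the A/AAAA records in the dynamic AD zone against the computer objects in the directory, treat owners with no matching object as orphaned) can be scripted. What follows is an added example, not code posted by anyone in this thread: it parses a dig AXFR style zone dump and the LDIF that ldapsearch -LLL prints for (objectClass=computer) with the dNSHostName attribute, computes the set difference, and renders an nsupdate batch that deletes the orphaned RRsets. The zone name, hostnames, addresses and the two inputs are constructed for an offline run; in practice you would feed it the real AXFR and ldapsearch output.

```python
"""Flag A/AAAA records in a dynamically updated AD zone whose owner name
has no matching computer object (dNSHostName) in Active Directory.

Added example with constructed inputs; the zone, hostnames and addresses
are assumptions for illustration.  Real inputs would come from
  dig @<ns> <zone> AXFR
  ldapsearch -LLL -Y GSSAPI -b <base DN> '(objectClass=computer)' dNSHostName
"""
import ipaddress
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

ZONE_NAME = "ad.example.com"

# Constructed AXFR-style dump: owner TTL class type rdata, one RR per line.
ZONE_DUMP = """\
ad.example.com.            600  IN NS   ns1.ad.example.com.
_ldap._tcp.ad.example.com. 600  IN SRV  0 100 389 dc1.ad.example.com.
dc1.ad.example.com.        3600 IN A    10.0.0.10
ns1.ad.example.com.        3600 IN A    10.0.0.10
ws-alice.ad.example.com.   1200 IN A    10.0.5.23
ws-alice.ad.example.com.   1200 IN AAAA 2001:db8::5:23
ws-bob.ad.example.com.     1200 IN A    10.0.5.24
lab-old.ad.example.com.    1200 IN A    10.0.9.9
lab-old.ad.example.com.    1200 IN TXT  "decommissioned"
"""

# Constructed `ldapsearch -LLL` output.  The second entry shows LDIF line
# folding (a leading space continues the previous line); the last computer
# object has no dNSHostName at all.
LDIF = """\
dn: CN=DC1,OU=Domain Controllers,DC=ad,DC=example,DC=com
dNSHostName: dc1.ad.example.com

dn: CN=WS-ALICE,CN=Computers,DC=ad,DC=example,DC=com
dNSHostName: WS-ALICE.ad.exa
 mple.com

dn: CN=WS-BOB,CN=Computers,DC=ad,DC=example,DC=com
dNSHostName: ws-bob.ad.example.com

dn: CN=NO-NAME-YET,CN=Computers,DC=ad,DC=example,DC=com
"""


def normalize_name(name: str) -> str:
    """DNS names compare case-insensitively; drop the trailing dot as well."""
    return name.rstrip(".").lower()


def parse_address_records(zone_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {owner: [(type, address), ...]} for the A/AAAA RRs in a zone dump."""
    records: Dict[str, List[Tuple[str, str]]] = {}
    for line in zone_text.splitlines():
        fields = line.split()
        if not fields or line.startswith(";") or "IN" not in fields:
            continue
        cls = fields.index("IN")           # class column; type and rdata follow it
        if len(fields) < cls + 3 or fields[cls + 1] not in ("A", "AAAA"):
            continue
        rtype, rdata = fields[cls + 1], fields[cls + 2]
        try:
            ipaddress.ip_address(rdata)   # ignore anything that is not a literal address
        except ValueError:
            continue
        records.setdefault(normalize_name(fields[0]), []).append((rtype, rdata))
    return records


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines back onto the attribute line they belong to."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_computer_hostnames(ldif_text: str) -> Set[str]:
    """Collect every dNSHostName value, normalised like the zone owner names."""
    hosts: Set[str] = set()
    for line in unfold_ldif(ldif_text):
        attr, sep, value = line.partition(":")
        # "attr:: value" would be base64; hostnames are plain ASCII, so skip those.
        if sep and attr.strip().lower() == "dnshostname" and not value.startswith(":"):
            hosts.add(normalize_name(value.strip()))
    return hosts


def find_orphans(records: Dict[str, List[Tuple[str, str]]], hostnames: Set[str],
                 keep: Iterable[str] = frozenset()) -> Dict[str, List[Tuple[str, str]]]:
    """Owners with address data but no computer object, minus an explicit keep list
    for names that legitimately live in the zone without being computers (ns1 here)."""
    kept: FrozenSet[str] = frozenset(normalize_name(k) for k in keep)
    return {o: rrs for o, rrs in records.items() if o not in hostnames and o not in kept}


def nsupdate_script(orphans: Dict[str, List[Tuple[str, str]]], server: str,
                    zone: str = ZONE_NAME) -> str:
    """Render an nsupdate batch (feed to `nsupdate -g`) deleting each orphaned RRset."""
    lines = [f"server {server}", f"zone {zone}."]
    for owner in sorted(orphans):
        for rtype in sorted({rtype for rtype, _ in orphans[owner]}):
            lines.append(f"update delete {owner}. {rtype}")
    lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    zone = parse_address_records(ZONE_DUMP)
    hosts = parse_computer_hostnames(LDIF)
    orphans = find_orphans(zone, hosts, keep={"ns1.ad.example.com"})
    print(nsupdate_script(orphans, server="dc1.ad.example.com"), end="")
```

Two caveats a practitioner would want: anything in the zone that is not a computer object (the ns1 alias for a DC above, static servers, CNAMEs) is a false positive, so review the list and maintain a keep list rather than piping the output straight into nsupdate; and with a GSS-TSIG update-policy in place the deletion only succeeds if the principal running nsupdate -g has been granted the right to remove those names and types, which is exactly the per-record-type control the thread credits BIND with.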



More information about the bind-users mailing list