DNS can be a subdomain

Darcy Kevin (FCA) kevin.darcy at fcagroup.com
Wed Jun 27 21:41:14 UTC 2018

Domain Controllers certainly need to have their hostnames registered in the AD domain, but regular domain-joined members do *not*. We've been running AD for decades, without registering members in the AD domain. Works fine. Instead, we get our (non-Microsoft) DHCP servers to register dynamic clients automatically in a vendor-agnostic zone hosted on BIND (actually, Infoblox running modified BIND under the covers), and servers, whether Windows or not, get manually registered in various vendor-agnostic zones. The only hostnames in our AD domain are the Domain Controllers, and those hostnames are redundant with what exists in the vendor-agnostic zones. The reverse records point back to the vendor-agnostic-zone names.

Microsoft calls this architecture a "disjoint namespace", which is slightly derogatory. According to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/disjoint-namespace, disjoint namespaces are "more complex" (which is rich, coming from Microsoft, inventor of aging, scavenging and "tombstone records" for their DNS) and cites various caveats and disadvantages. But it's fully supported. I just had a word with one of our AD experts, and he reminded me that, with a disjoint namespace, you need to take some care to define the "disjointed" namespaces as being authorized for SPN generation (we did that a long time ago, and I had forgotten that step). But that's one of the few "gotchas" associated with disjoint namespaces.

															- Kevin

-----Original Message-----
From: bind-users <bind-users-bounces at lists.isc.org> On Behalf Of Grant Taylor via bind-users
Sent: Wednesday, June 27, 2018 12:35 AM
To: bind-users at lists.isc.org
Subject: Re: DNS can be a subdomain

On 06/26/2018 10:21 PM, Mark Andrews wrote:
> And if you are not using AD you can use SIG(0) and KEY records to 
> allow hosts to authenticate updates to the DNS for their own records.

I'm not quite following.  Do you mean that you can allow hosts to update their own RRs without requiring AD and using SIG(0) as an alternative?

Or are you saying forego AD (and Kerberos) and use SIG(0) instead?


> Instead of registering a host with AD you add a KEY record into the 
> DNS which has the public key of the host which is to be used to sign 
> the UPDATE requests.

If you're using AD for (presumably) Windows networking (and all that
entails) you very likely want the workstations to be registered with AD. 
  The machine trust accounts are pertinent to AD's operation and the workstation's ability to access AD resources when users aren't logged in.


> Unfortunately OS developers have been asleep at the wheel by not 
> adding support for this to their products.

I'm seeing more and more references to SIG(0) in the last couple of weeks.  I think I need to refresh myself on it.

Grant. . . .
unix || die

More information about the bind-users mailing list