BIND 8.2.x interaction with DHCP servers

Andreas Gustafsson Andreas.Gustafsson at nominum.com
Tue Jun 27 16:55:01 UTC 2000


> >  And I understand that you wouldn't want to retrofit BINDv8
> >  with something new like DHCID. But since BINDv9 is not yet
> >  production, and BINDv8 with dynamic DNS capability has been out
> >  for some time now, I'm just trying to find out what that
> >  existing BINDv8-supported "something" is.
> 
> 	My understanding is that the few people who are doing this put 
> both DHCP and BIND on the same machine, and disallow updates from 
> anywhere else.  This allows them to do them "relatively" securely, 
> even though the protocols themselves are inherently insecure.

The problem of authenticating the dynamic update requests between DHCP
servers and DNS servers should be solved by using TSIG, which is
supported by both BIND 8 and BIND 9.

The DHCID RR is intended to solve a different problem.  Its purpose is
to identify the DHCP client that requested the dynamic creation of a
given domain name, to allow the DHCP server(s) to distinguish the case
where a DHCP client requests a domain name that is already taken by
another client from the case where a client just re-requests the name
it already has.  It is not a security mechanism, just a mechanism for
distributed bookkeeping among the DHCP servers.
-- 
Andreas Gustafsson, gson at nominum.com
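
The split described above, as an added example that is not part of the original message: a keyed MAC authenticates the update (the role TSIG plays), while an unkeyed client digest only does bookkeeping (the role of the DHCID RR). This is a simplified model, not the TSIG or DHCID wire formats; the key, client identifiers, names and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample value standing in for the TSIG shared secret.
SHARED_KEY = b"constructed-demo-key"

def sign(update: bytes, key: bytes) -> bytes:
    """Keyed MAC over the update (HMAC-SHA256 in this sketch)."""
    return hmac.new(key, update, hashlib.sha256).digest()

def client_tag(client_id: bytes, fqdn: str) -> str:
    """Unkeyed digest standing in for DHCID data. Anyone who knows the
    client identifier can recompute it, so it authenticates nothing."""
    return hashlib.sha256(client_id + fqdn.lower().encode()).hexdigest()

class Zone:
    """Toy DNS server: stores fqdn -> (address, client tag)."""
    def __init__(self, key: bytes):
        self.key = key
        self.records = {}

    def update(self, fqdn, address, tag, mac):
        # Authentication: only a holder of the shared key gets past here.
        msg = f"{fqdn}|{address}|{tag}".encode()
        if not hmac.compare_digest(mac, sign(msg, self.key)):
            return "REFUSED"
        self.records[fqdn.lower()] = (address, tag)
        return "NOERROR"

def dhcp_register(zone, key, client_id, fqdn, address):
    """Toy DHCP server: bookkeeping check first, then a signed update."""
    tag = client_tag(client_id, fqdn)
    existing = zone.records.get(fqdn.lower())
    if existing and existing[1] != tag:
        return "name-in-use"  # name is held by a different client
    msg = f"{fqdn}|{address}|{tag}".encode()
    return zone.update(fqdn, address, tag, sign(msg, key))
```

A sender that recomputes a client's tag but lacks the shared key is still refused, which is why the tag alone cannot serve as the security mechanism.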


