Mixed environments: DHCP Secure Update

Simon Hobson dhcp1 at thehobsons.co.uk
Wed Mar 21 18:28:09 UTC 2007


Michele Vetturi wrote:

>Now my question: we are going to renew our network and the Active
>Directory environment. I'm talking about 500 desktops, 50 servers, 20
>virtual servers... So, a tedious job!
>
>I'm very interested in migrating some core service from Windows OS to
>Linux, and I'm studying how to deploy a Linux DHCP Server (ISC DHCP3)
>with SECURE Dynamic Update toward a Windows DNS service.
>
>I opted for Windows DNS because the staff who will manage this
>service, all but me, prefer a Windows GUI management console to
>BIND zone files.
>
>And for DHCP, I see that the ISC implementation allows me to do a lot
>more tricks.
>
>Now, I think I'm right when I say that Windows DNS accepts dynamic
>updates only if clients support the GSS-TSIG algorithm... and ISC DHCP
>does not.

Correct, ISC DHCP and Windows DNS cannot do secure updates because 
Microsoft won't reveal the key algorithm.

I believe what some people do is have BIND handle their main zones 
(the ones that the DHCP server wants to update), but delegate the 
subdomains used by Active Directory to the Windows server so that it 
(and its clients) can do what it wants in them. I think there are 
something like six _<something>.domain.com subdomains used by Active 
Directory - you should find something in the list archives about it.
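
One concrete layout of the split described above, as an added example that is not part of the thread and not taken from ISC's or Microsoft's documentation. It assumes the domain example.com, a BIND server at 192.0.2.53 authoritative for the parent zone and the reverse zone, a Windows DNS/AD domain controller dc1.example.com at 192.0.2.10, and a TSIG key named dhcp-update (the secret shown is a placeholder; generate a real one with dnssec-keygen or tsig-keygen). The delegated names are the subdomains Active Directory registers under its DNS domain (_msdcs, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones); everything else stays in BIND and is updated by ISC DHCP with plain TSIG, which both sides support.

```conf
# --- named.conf (BIND, authoritative for example.com) ---
# Same shared secret as on the DHCP server. Placeholder value: generate
# your own, e.g. with `tsig-keygen dhcp-update`. ISC DHCP 3.x (the version
# in this thread) only speaks hmac-md5; use hmac-sha256 with DHCP 4.1+.
key "dhcp-update" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET==";
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    # Only holders of the key may update, and only A and TXT records
    # (ISC DHCP writes a TXT alongside each A). NS and SOA are not granted,
    # so a leaked DHCP key cannot rewrite the delegations below.
    update-policy {
        grant dhcp-update subdomain example.com. A TXT;
    };
};

zone "2.0.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192.0.2";
    update-policy {
        grant dhcp-update subdomain 2.0.192.in-addr.arpa. PTR;
    };
};

# --- /etc/bind/db.example.com (excerpt, zone-file syntax) ---
# Static glue for the domain controller, then delegation of the
# Active Directory subdomains to the Windows DNS server, which accepts
# GSS-TSIG updates from domain members inside them.
dc1             IN A    192.0.2.10
_msdcs          IN NS   dc1.example.com.
_sites          IN NS   dc1.example.com.
_tcp            IN NS   dc1.example.com.
_udp            IN NS   dc1.example.com.
DomainDnsZones  IN NS   dc1.example.com.
ForestDnsZones  IN NS   dc1.example.com.

# --- dhcpd.conf (ISC DHCP) ---
ddns-update-style interim;
ddns-updates on;
update-static-leases on;
ddns-domainname "example.com.";
ddns-rev-domainname "in-addr.arpa.";

key dhcp-update {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET==";
}

# Send forward and reverse updates to BIND, signed with the key above.
zone example.com. {
    primary 192.0.2.53;
    key dhcp-update;
}

zone 2.0.192.in-addr.arpa. {
    primary 192.0.2.53;
    key dhcp-update;
}

subnet 192.0.2.0 netmask 255.255.255.0 {
    range 192.0.2.100 192.0.2.200;
    option domain-name-servers 192.0.2.53;
    option domain-name "example.com";
}
```

On the Windows side each delegated name (_msdcs.example.com, _sites.example.com, and so on) is created as its own AD-integrated zone set to "secure only" dynamic updates, and the domain controller's DNS resolves the parent zone through BIND. Two records the domain controllers try to register fall outside the delegated zones and must be kept statically in BIND's example.com file: the DCs' own A records (dc1 above) and the bare example.com A record. Check the result with `nsupdate -k` against BIND using the DHCP key, which should succeed for an A record and be refused for an NS record, and with `dig _ldap._tcp.dc._msdcs.example.com SRV @192.0.2.53`, which should return a referral to dc1.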

