On Mon, 2011-06-13 at 11:16 +1000, Matthew Palmer wrote:
> Why were you letting such ill-configured clients register themselves in your DNS?
Some environments have a lot of control over individual hosts, and perhaps for such an environment, allowing hosts to register themselves would not be a problem. In our environment, we had little control over individual hosts, so centralising their registration through DHCP servers was a much more effective way to do things, for all the reasons I gave.
> And then there were the clients. [...] Ibid.
Matthew, did you read my message? This was the *point*. We had lots of poorly configured hosts, over which we could exercise little control. Faced with that situation, and seeing how poorly the hosts performed when allowed to (attempt to) register themselves in the DNS, we decided instead to allow DDNS only from our DHCP servers. That worked very well for us - especially as the vast majority of the hosts connected to our network didn't really need DNS names anyway. When a poorly configured host that did need a name failed to register itself, the owner/administrator of that host would eventually come to us, so the problem was sort of self-correcting.
> But if I come to roadwarrior in your network, I'd have to allow updates from your DHCP server, and your DHCP server would have to be sending those updates. Similarly, if your clients go roadwarrioring elsewhere, the same (or, rather, inverse) configuration would have to be done there.
Yes, that would be true for any roadwarrior needing/wanting a DNS entry. But in our environment, we didn't have roadwarriors (at least none that needed DNS entries), so it wasn't a problem. If faced with that (and depending on the scale of the problem) I'd probably set up some sort of TSIG key distribution system and let the roadwarriors self-register... dunno. Not a problem I've personally had to solve.
> If you've just got a single-location, never-goes-anywhere network and client list, sure you can just get the DHCP server to do the registration. But if you've got that setup, DDNS isn't needed at all -- your set of hosts, addresses, and names is fixed sufficiently that you can just statically allocate everything.
Noooooo! Statically allocating everything in a network where there are 200-1000 DHCP and DNS-related changes every day? No way! While we had a negligible number of "road warriors" - people outside their enterprise networks getting address service from us or our people outside our enterprise network getting address service from others - we had PLENTY of churn inside our enterprise. People moving laptops from subnet to subnet, or moving labs or departments or other groupings around. There were still huge benefits to be had from an automated system. DHCP with DDNS is a great system. Of course it has limitations; I just wanted to point out its strengths.

Regards, K.

-- 
Karl Auer (kauer@biplane.com.au) +61-2-64957160 (h)
http://www.biplane.com.au/kauer/ +61-428-957160 (mob)
GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
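The arrangement Karl describes (clients may not self-register; only the DHCP server performs DDNS updates, authenticated with a TSIG key) as an added example of the BIND and ISC dhcpd configuration involved. This is not configuration from either poster; the zone name, server address, key name and HMAC algorithm are assumptions (hmac-sha256 requires a BIND 9 and ISC DHCP 4.x that support it), and the secret is a placeholder to be generated with tsig-keygen.

```conf
# ---- BIND named.conf (authoritative server for the zone) ----
# Weak setting: every client on the range can add or overwrite names,
# including names belonging to other hosts, with no authentication.
#   zone "example.internal" {
#       type master;
#       file "db.example.internal";
#       allow-update { 10.0.0.0/8; };
#   };

# Hardened setting: only a holder of the DHCP server's TSIG key may update,
# and the grant is limited to the record types dhcpd actually writes.
key "dhcp-updater" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   # placeholder; tsig-keygen output
};

zone "example.internal" {
    type master;
    file "db.example.internal";
    update-policy {
        grant dhcp-updater subdomain example.internal. A TXT;
    };
};

zone "0.10.in-addr.arpa" {
    type master;
    file "db.10.0";
    update-policy {
        grant dhcp-updater subdomain 0.10.in-addr.arpa. PTR;
    };
};

# ---- ISC dhcpd.conf (the only party allowed to register names) ----
ddns-update-style interim;
ddns-updates on;
ddns-domainname "example.internal.";
ddns-rev-domainname "in-addr.arpa.";
ignore client-updates;      # the server, not the client, owns the A record

key dhcp-updater {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   # must match named.conf
}
zone example.internal.   { primary 10.0.0.53; key dhcp-updater; }
zone 0.10.in-addr.arpa.  { primary 10.0.0.53; key dhcp-updater; }
```

With this in place an update attempt from an arbitrary host is refused by named (logged as an unauthorised update), while leases handed out by dhcpd produce matching A, TXT and PTR records.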