Phil Regnauld wrote:
Darren Pilgrim (nanog) writes:
Presently our organization utilizes BIND for DNS services, with the Networking team administering. We are now being told by the Systems team that they will be responsible for DNS services and that it will be changed over to the Microsoft DNS service run on domain controllers. The reason given is that the Active Directory implementation requires the Microsoft DNS service and dynamic DNS. Bunk. At work we have a network of ~1500 computers with over 600 of
Tom Mikelson wrote: them running Windows. Our nameservers are all BIND, which have dynamic DNS enabled for updates sent from our 2003 and 2008R2 DCs. The DCs have no problem creating, updating and deleting the various RR's they use to publish the domain. The Systems team folks will see errors/warnings in the Windows logs because the Windows machines are unable to set up secure connections to the nameservers and due to an implementation difference between what BIND accepts and what Microsoft's OSes send; but in practice these seem to be little more than noise.
Agreed. What about dynamic updates of the client ? It's usually not a problem in this direction (Windows client -> BIND DNS), but as you say it won't be secure (GSS-TSIG).
Yes, Windows logs on all 600+ machines have warnings about insecure DNS updates, but they still update. There's effort to delegate the DS subdomain to the DCs just to get rid of the thousands-per-day nonsense.