On Oct 24, 2012, at 7:12 AM, Matus UHLAR - fantomas wrote:

>> We use Bind for all DNS including DDNS for our AD. We use GSS-TSIG to
>> control what record types and machines can make dynamic updates to our AD
>> zone.  We use ISC's DHCP but don't allow it to do DNS updates since we use
>> GSS-TSIG at the client level instead. 
> 
> For me to understand: do your clients use GSS-TSIG to update themselves
> instead of DHCP server doing the same?

That is correct.

> 
>> On Oct 22, 2012, at 11:36 AM, Aaron Thompson wrote:
>>> Are you using AD or Bind for DNS/DHCP?  I'm assuming you're using AD for
>>> authentication.
> 
>>> On Oct 19, 2012, at 10:46 AM, Nicholas F Miller 
>>> <nicholas.mil...@colorado.edu> wrote:
>>>> DDNS record scavenging is the only feature I'm aware of that MS DNS has
>>>> that Bind doesn't.  On the flip side, ISC Bind can ACL who can add
>>>> certain record types to a dynamic zone using GSS-TSIG as well as
>>>> supports views and ACLs for recursion.  Everything else should be
>>>> standard DNS.
> 
> isn't the client self-registration the reason why scavenging is needed?

Scavenging is a concern but we didn't have much choice. Our AD is only one of 
many subdomains and our DHCP spans all of them. If we used DHCP for DDNS 
records we wouldn't be guaranteed unique names. By limiting DDNS to just the AD 
we are guaranteed unique names. We only needed DDNS in our AD so it made the 
most sense to use GSS-TSIG.

A dirty way to scavenge 'A' or 'AAAA' records is to compare the records in your 
DDNS zone to all of the existing computer objects in your AD. If an 'A' or 
'AAAA' record is in your zone but no computer object matches it in the AD it 
can be assumed to be orphaned. Ldapsearch is a good tool to query the AD for 
computer objects.

_________________________________________________________
Nicholas Miller, OIT, University of Colorado at Boulder
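One way to script the comparison Nicholas describes, as an added example that is not part of his post or of ISC's tooling: it reads a zone in the one-line format `dig axfr` prints, pulls `dNSHostName` values out of the LDIF that `ldapsearch -LLL '(objectClass=computer)' dNSHostName` returns, and lists A/AAAA records that no computer object backs. The zone excerpt and LDIF below are constructed, and the match assumes each legitimate host's record owner name equals its computer object's dNSHostName.

```python
"""Flag A/AAAA records in a DDNS zone that match no AD computer object.

Inputs are constructed samples: a zone excerpt as 'dig axfr' prints it and
LDIF as 'ldapsearch -LLL ... (objectClass=computer) dNSHostName' returns it.
Assumption: a legitimate host's record owner equals its dNSHostName.
"""
import re

# Constructed: zone records in dig's one-line presentation format.
ZONE_TEXT = """\
ad.example.edu.            3600 IN SOA  dc1.ad.example.edu. hostmaster.example.edu. 1 3600 900 604800 86400
ad.example.edu.            3600 IN NS   dc1.ad.example.edu.
dc1.ad.example.edu.        3600 IN A    10.0.0.10
ws-alice.ad.example.edu.   1200 IN A    10.0.5.21
ws-alice.ad.example.edu.   1200 IN AAAA 2001:db8::21
ws-old.ad.example.edu.     1200 IN A    10.0.5.99
_ldap._tcp.ad.example.edu.  600 IN SRV  0 100 389 dc1.ad.example.edu.
"""

# Constructed: LDIF for the computer objects that still exist in AD.
LDIF_TEXT = """\
dn: CN=DC1,OU=Domain Controllers,DC=ad,DC=example,DC=edu
dNSHostName: dc1.ad.example.edu

dn: CN=WS-ALICE,CN=Computers,DC=ad,DC=example,DC=edu
dNSHostName: WS-ALICE.ad.example.edu
"""


def zone_host_records(zone_text):
    """Yield (owner, type, rdata) for A/AAAA records only; SOA/NS/SRV are skipped.
    Owner names are case-folded and stripped of the trailing dot so they
    compare directly against dNSHostName values."""
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN" and parts[3] in ("A", "AAAA"):
            yield parts[0].lower().rstrip("."), parts[3], parts[4]


def ad_hostnames(ldif_text):
    """Set of dNSHostName values from ldapsearch LDIF, case-folded (AD may store mixed case)."""
    return {m.group(1).lower().rstrip(".")
            for m in re.finditer(r"^dNSHostName: (\S+)$", ldif_text, re.M)}


def find_orphans(zone_text, ldif_text):
    """Host records whose owner matches no computer object; candidates to review, not auto-delete."""
    known = ad_hostnames(ldif_text)
    return [rec for rec in zone_host_records(zone_text) if rec[0] not in known]


if __name__ == "__main__":
    for owner, rtype, rdata in find_orphans(ZONE_TEXT, LDIF_TEXT):
        print(f"orphan {rtype} record: {owner} -> {rdata}")
```

Records for hosts registered by other means (manually added servers, devices without a computer object) will also show up here, so treat the output as a review list rather than feeding it straight into nsupdate.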