Re: DNS can be a subdomain
I think we may be talking past each other. I was referring to (client) machine trust accounts inside of AD, not hostnames in DNS. I now think you are referring to the latter. I can see how that can work.

-- 
Grant. . . .
unix || die

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
RE: DNS can be a subdomain
Domain Controllers certainly need to have their hostnames registered in the AD domain, but regular domain-joined members do *not*. We've been running AD for decades, without registering members in the AD domain. Works fine.

Instead, we get our (non-Microsoft) DHCP servers to register dynamic clients automatically in a vendor-agnostic zone hosted on BIND (actually, Infoblox running modified BIND under the covers), and servers, whether Windows or not, get manually registered in various vendor-agnostic zones. The only hostnames in our AD domain are the Domain Controllers, and those hostnames are redundant with what exists in the vendor-agnostic zones. The reverse records point back to the vendor-agnostic-zone names.

Microsoft calls this architecture a "disjoint namespace", which is slightly derogatory. According to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/disjoint-namespace, disjoint namespaces are "more complex" (which is rich, coming from Microsoft, inventor of aging, scavenging and "tombstone records" for their DNS), and it cites various caveats and disadvantages. But it's fully supported.

I just had a word with one of our AD experts, and he reminded me that, with a disjoint namespace, you need to take some care to define the "disjointed" namespaces as being authorized for SPN generation (we did that a long time ago, and I had forgotten that step). But that's one of the few "gotchas" associated with disjoint namespaces.

- Kevin

-----Original Message-----
From: bind-users On Behalf Of Grant Taylor via bind-users
Sent: Wednesday, June 27, 2018 12:35 AM
To: bind-users@lists.isc.org
Subject: Re: DNS can be a subdomain

On 06/26/2018 10:21 PM, Mark Andrews wrote:
> And if you are not using AD you can use SIG(0) and KEY records to
> allow hosts to authenticate updates to the DNS for their own records.

I'm not quite following. Do you mean that you can allow hosts to update their own RRs without requiring AD and using SIG(0) as an alternative?

Or are you saying forego AD (and Kerberos) and use SIG(0) instead?

#confused

> Instead of registering a host with AD you add a KEY record into the
> DNS which has the public key of the host which is to be used to sign
> the UPDATE requests.

If you're using AD for (presumably) Windows networking (and all that entails) you very likely want the workstations to be registered with AD. The machine trust accounts are pertinent to AD's operation and the workstation's ability to access AD resources when users aren't logged in.

#stillConfused

> Unfortunately OS developers have been asleep at the wheel by not
> adding support for this to their products.

I'm seeing more and more references to SIG(0) in the last couple of weeks. I think I need to refresh myself on it.

-- 
Grant. . . .
unix || die
Re: DNS can be a subdomain
Hmmm... My understanding was that the only requirement was that the DNS server pointed to by the AD DC (in this case the AD is managed by Samba) had to be authoritative for the domain in DNS which represented the matching AD domain.

This was a common holy war between MCSE folks and BIND groupies. If you drank the Microsoft Kool-Aid in the early days, you staunchly believed that DNS had to be AD-integrated on the AD DCs. That's just not the case.

Again, that's my understanding.

Bob
Re: DNS can be a subdomain
@all

I still do not see any relevant point in taking the DNS authority away from the AD and doing something else to resolve your queries. As the wiki says, security is essential and you do not have to risk it and let the data be compromised. And remember, I'm at an education institute with courses in computer science and information security. There will always be some "smart guys" who will try to do something illegal.

I will run some tests with DNS as a subdomain and I will come back here to give you feedback.

Thank you for now!

On Wed, Jun 27, 2018 at 1:35 AM Grant Taylor via bind-users <bind-users@lists.isc.org> wrote:
> On 06/26/2018 10:21 PM, Mark Andrews wrote:
> > And if you are not using AD you can use SIG(0) and KEY records to allow
> > hosts to authenticate updates to the DNS for their own records.
>
> I'm not quite following. Do you mean that you can allow hosts to update
> their own RRs without requiring AD and using SIG(0) as an alternative?
>
> Or are you saying forego AD (and Kerberos) and use SIG(0) instead?
>
> #confused
>
> > Instead of registering a host with AD you add a KEY record into the DNS
> > which has the public key of the host which is to be used to sign the
> > UPDATE requests.
>
> If you're using AD for (presumably) Windows networking (and all that
> entails) you very likely want the workstations to be registered with AD.
> The machine trust accounts are pertinent to AD's operation and the
> workstation's ability to access AD resources when users aren't logged in.
>
> #stillConfused
>
> > Unfortunately OS developers have been asleep at the wheel by not adding
> > support for this to their products.
>
> I'm seeing more and more references to SIG(0) in the last couple of
> weeks. I think I need to refresh myself on it.
>
> --
> Grant. . . .
> unix || die

-- 
Elias Pereira
Re: DNS can be a subdomain
On 06/26/2018 10:21 PM, Mark Andrews wrote:
> And if you are not using AD you can use SIG(0) and KEY records to
> allow hosts to authenticate updates to the DNS for their own records.

I'm not quite following. Do you mean that you can allow hosts to update their own RRs without requiring AD and using SIG(0) as an alternative?

Or are you saying forego AD (and Kerberos) and use SIG(0) instead?

#confused

> Instead of registering a host with AD you add a KEY record into the
> DNS which has the public key of the host which is to be used to sign
> the UPDATE requests.

If you're using AD for (presumably) Windows networking (and all that entails) you very likely want the workstations to be registered with AD. The machine trust accounts are pertinent to AD's operation and the workstation's ability to access AD resources when users aren't logged in.

#stillConfused

> Unfortunately OS developers have been asleep at the wheel by not
> adding support for this to their products.

I'm seeing more and more references to SIG(0) in the last couple of weeks. I think I need to refresh myself on it.

-- 
Grant. . . .
unix || die
Re: DNS can be a subdomain
And if you are not using AD you can use SIG(0) and KEY records to allow hosts to authenticate updates to the DNS for their own records.

Instead of registering a host with AD you add a KEY record into the DNS which has the public key of the host which is to be used to sign the UPDATE requests.

Unfortunately OS developers have been asleep at the wheel by not adding support for this to their products.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742   INTERNET: ma...@isc.org
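As an added example, not part of Mark's post and not ISC's own documentation, here is what the KEY-record arrangement he describes looks like on the BIND side: a named.conf zone fragment whose update-policy lets a host change only the records at its own name, with the host's SIG(0) public key published as a KEY record in the zone. The zone name hq.company.intra is taken from the thread; the host name host1, the file path, the key algorithm and the key material are assumptions or placeholders.

```conf
// Added example (not from the thread or from ISC): a BIND 9 zone that accepts
// SIG(0)-signed UPDATE requests from hosts whose public key is published as a
// KEY record at their own name.  Zone name from the thread; all else assumed.

zone "hq.company.intra" {
    type master;                 // "type primary;" is the newer spelling
    file "/var/named/dynamic/hq.company.intra.db";

    update-policy {
        // "self": the signer's name must equal the name being updated.
        // For SIG(0) the signer's name is the owner name of the KEY record,
        // so host1.hq.company.intra can rewrite only its own A/AAAA records
        // and cannot add SRV, CNAME, or another host's records.
        grant * self * A AAAA;
    };
};

// Zone data the administrator adds once per host: the public half of a key
// created with
//     dnssec-keygen -T KEY -a RSASHA256 -b 2048 host1.hq.company.intra.
// (flags 512 = host/entity key, protocol 3 = DNSSEC, algorithm 8 = RSASHA256;
// the base64 blob below is a placeholder, not a real key)
//
//     host1.hq.company.intra. 3600 IN KEY 512 3 8 <base64-public-key-placeholder>
//
// The host then signs its own updates with the private half, e.g.
//     nsupdate -k Khost1.hq.company.intra.+008+NNNNN.private
// where NNNNN is the key tag dnssec-keygen printed (placeholder here).
```

Because the policy keys the check to the signer's name rather than to a shared secret, there is no per-host configuration beyond publishing the KEY record, and withdrawing a host's ability to update is a matter of deleting that record from the zone.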
Re: DNS can be a subdomain
On 06/26/2018 06:21 PM, Elias Pereira wrote:
> yes. :)
> https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ#Why_This_Matters

Hum. After reading that section of the page you linked to, I'm not convinced that the DNS /must/ be on the Samba server.

> How would this work in the scenario I described above?

I completely agree with the referenced section in that AD clients and servers absolutely MUST use the same DNS zone and server(s). (Servers plural for master ~> slave replication of the same zone.)

However, nothing about Microsoft AD servers requires that the DNS zone be hosted /on/ or /by/ the AD DC. It is /completely/ possible to host the AD DNS zone on any DNS server. There are two caveats that absolutely MUST be met.

1) All AD clients need to be able to query the same view of the DNS zone. (Replication across servers is perfectly fine.)
2) AD DNS records must be added to said DNS zone.

It is completely possible to use a BIND DNS server to host an AD DNS zone. You don't even need to allow dynamic updates. It's possible to manually add the resource records (all 30 ~ 50 of them for a basic AD forest) to the DNS zone on a BIND server by hand. AD will work perfectly fine and not care where the DNS zone is hosted.

It's more convenient to allow the server (?) service to dynamically create the necessary resource records via dynamic updates. It is also convenient to run DNS on an AD DC that is also a DNS server. The integration makes things simple and usually works.

Seeing how Microsoft AD servers are perfectly happy to have the DNS zone hosted on other servers, I wondered if Samba AD servers are equally happy.

Aside: (I'm fairly certain that) it is possible to integrate Kerberos based authentication for AD clients to update their own DNS resource records on BIND. Jan-Piet Mens has a blog article on how to do it.

-- 
Grant. . . .
unix || die
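As an added example of the arrangement Grant's aside describes (this is not code from his post, from ISC, or from the Samba project): a named.conf fragment in which a plain BIND server hosts the AD zone and accepts Kerberos-authenticated (GSS-TSIG) dynamic updates from the DC and from domain members, each limited to the records AD actually needs them to write. The zone hq.company.intra and the DC name str come from the thread; the keytab and file paths, the service principal, and the policy itself are assumptions, and the grants are deliberately narrower than a blanket "anything in the realm" rule.

```conf
// Added example (not from the thread, ISC, or Samba): hosting an AD zone on
// BIND with GSS-TSIG updates.  Zone and DC names from the thread; the keytab
// path, file path, principal names and grants are assumptions.

options {
    // Keytab exported from the AD/Samba KDC for the DNS server's own principal
    // (assumed: DNS/ns1.named.hq.company.intra@HQ.COMPANY.INTRA).  named uses
    // it to accept the TKEY negotiation that precedes a GSS-TSIG-signed update.
    tkey-gssapi-keytab "/etc/bind/dns.keytab";
};

zone "hq.company.intra" {
    type master;                 // "type primary;" is the newer spelling
    file "/var/named/dynamic/hq.company.intra.db";

    update-policy {
        // Machine principals (e.g. WS01$@HQ.COMPANY.INTRA, STR$@HQ.COMPANY.INTRA)
        // may update only the A/AAAA records of their own name under the zone,
        // i.e. ws01.hq.company.intra or str.hq.company.intra.  Realm in the
        // identity field, domain suffix in the name field.
        grant HQ.COMPANY.INTRA ms-self HQ.COMPANY.INTRA A AAAA;

        // The DC registers the locator records: _ldap._tcp, _kerberos._tcp,
        // _gc._tcp, _kpasswd._udp, the _sites tree, and the _msdcs subtree.
        // ms-subdomain grants any machine principal in the realm write access
        // beneath the named subtree, so these rules are wider than "only the
        // DC"; if that is a concern, add the SRV records by hand (Grant's
        // "30 ~ 50 records" option) and drop these grants.
        grant HQ.COMPANY.INTRA ms-subdomain _tcp.hq.company.intra.   SRV;
        grant HQ.COMPANY.INTRA ms-subdomain _udp.hq.company.intra.   SRV;
        grant HQ.COMPANY.INTRA ms-subdomain _sites.hq.company.intra. SRV;
        grant HQ.COMPANY.INTRA ms-subdomain _msdcs.hq.company.intra. ANY;
        grant HQ.COMPANY.INTRA ms-subdomain DomainDnsZones.hq.company.intra. ANY;
        grant HQ.COMPANY.INTRA ms-subdomain ForestDnsZones.hq.company.intra. ANY;

        // Not granted: the zone apex.  A DC also tries to register an A record
        // at hq.company.intra itself; under this policy that update is refused
        // and the apex A record is maintained manually in the zone file.
    };
};
```

The point of splitting the grants this way is that a compromised workstation account can only overwrite its own address record, not the SRV records every domain member uses to find a DC; the named log (category update-security) records each refused update together with the principal that sent it, which is the signal to watch for a host writing outside its lane.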
Re: DNS can be a subdomain
> > Is that truly a requirement?
>
> Is this not the same with Samba? Is there something specific about
> Samba that does require it to be authoritative for the zone?

yes. :)
https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ#Why_This_Matters

> But I know that Windows servers just
> need the ability to update DNS. They do not need to be authoritative
> for it.

How would this work in the scenario I described above?

On Tue, Jun 26, 2018 at 8:37 PM Grant Taylor via bind-users <bind-users@lists.isc.org> wrote:
> On 06/26/2018 05:20 PM, Elias Pereira wrote:
> > since the samba needs to be authoritative on its own dns.
>
> Is that truly a requirement?
>
> I've not messed with AD on Samba. But I know that Windows servers just
> need the ability to update DNS. They do not need to be authoritative
> for it.
>
> Is this not the same with Samba? Is there something specific about
> Samba that does require it to be authoritative for the zone?
>
> --
> Grant. . . .
> unix || die

-- 
Elias Pereira
Re: DNS can be a subdomain
On 06/26/2018 05:20 PM, Elias Pereira wrote:
> since the samba needs to be authoritative on its own dns.

Is that truly a requirement?

I've not messed with AD on Samba. But I know that Windows servers just need the ability to update DNS. They do not need to be authoritative for it.

Is this not the same with Samba? Is there something specific about Samba that does require it to be authoritative for the zone?

-- 
Grant. . . .
unix || die
Re: DNS can be a subdomain
Spammers on the bind list? Lol

@Reindl Harald
Thanks for the answer!! I'll take a look!

@John Miller
company.intra is an example domain. :)

In our institution we have a valid domain and we belong to an educational institution group. The institution is company.intra and that will provision a samba4 ADDC as the primary domain. This domain will be a subdomain of company.intra, something like hq.company.intra, as is the orientation of the samba development team. We will be a DC member of this "hq" domain. For this reason, I thought of using a subdomain as external dns, since the samba needs to be authoritative on its own dns.

Our DC would be "str.hq.company.intra" and our dns "ns1.named.hq.company.intra". Maybe we use glue records, as Reindl Harald commented.

On Tue, Jun 26, 2018 at 6:13 PM John Miller wrote:
> Hi Elias,
>
> Generally not. Unless .intra is a valid top-level domain, and
> company.intra is registered with the .intra registrars, your external
> DNS will need to be different. And in any case, you probably want
> your public Internet presence to reflect your actual company name and
> be in a TLD that people are expecting to see (.com if you're a
> business, .org if a non-profit, country-based TLD depending on where
> you're at, etc.).
>
> John
>
> On Tue, Jun 26, 2018 at 4:03 PM, Elias Pereira wrote:
> > Hello,
> >
> > My external DNS can be a subdomain of my root domain?
> >
> > Eg:
> > root domain: company.intra
> > external dns: named.company.intra
> >
> > --
> > Elias Pereira
>
> --
> John Miller
> Senior Systems Engineer
> Brandeis University ITS
> johnm...@brandeis.edu
> (781) 736-4619

-- 
Elias Pereira
Re: DNS can be a subdomain
Hi Elias,

Generally not. Unless .intra is a valid top-level domain, and company.intra is registered with the .intra registrars, your external DNS will need to be different. And in any case, you probably want your public Internet presence to reflect your actual company name and be in a TLD that people are expecting to see (.com if you're a business, .org if a non-profit, country-based TLD depending on where you're at, etc.).

John

On Tue, Jun 26, 2018 at 4:03 PM, Elias Pereira wrote:
> Hello,
>
> My external DNS can be a subdomain of my root domain?
>
> Eg:
> root domain: company.intra
> external dns: named.company.intra
>
> --
> Elias Pereira

-- 
John Miller
Senior Systems Engineer
Brandeis University ITS
johnm...@brandeis.edu
(781) 736-4619