Vinny Abello wrote:
>> -----Original Message-----
>> From: Danny Mayer [mailto:ma...@gis.net]
>> Sent: Sunday, February 08, 2009 8:32 PM
>> To: Vinny Abello
>> Cc: Baird, Josh; bind-users@lists.isc.org
>> Subject: Re: Case For Microsoft DNS v. BIND 9 - Or Best Practices For Coexisting
>>
>> Vinny Abello wrote:
>>>> Baird, Josh wrote:
>>>>> Actually, yes, if you have dynamic DNS registration enabled on the client/host and server, an 'A' record will automatically be created in the AD zone.
>>>> It needs to be registered in the domain first. Otherwise any system could masquerade as another system.
>>>>
>>>> Danny
>>> And they can if the administrator mistakenly allows unsecure dynamic updates.
>> Registration of the system in ADS has nothing to do with dynamic updates of the DNS records.
>
> Right. We're talking about dynamic updates in DNS, not the creation of computer accounts in AD. That was my point. If the allow dynamic updates setting is not set to secure only, anybody that can send a DDNS update to the server can update a record.
>
Microsoft's implementation of dynamic DNS requires that the client use the GSS-TSIG protocol, and the prerequisite for that is that the client system is registered with ADS. After that it makes use of the GUID in the GSS-TSIG protocol to register the DNS records for the system. If the system is not registered it cannot use GSS-TSIG.

Danny

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
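For the BIND 9 side of the "coexisting" question in the subject line, the two settings the thread contrasts look like this in named.conf. This is an added example, not configuration from the thread or from ISC: the zone name, zone file, Kerberos realm and keytab path are placeholders, and the GSS-TSIG directives are BIND 9.7+ syntax. The "before" and "after" stanzas are two versions of the same zone; they are shown side by side and are not meant to be loaded together.

```conf
// --- BEFORE (weak): the BIND equivalent of "Nonsecure and secure" ---
// allow-update { any; } accepts an unsigned UPDATE from any host that can
// reach port 53, so one machine can overwrite another machine's A record.
zone "example.com" {
    type master;
    file "dynamic/example.com.db";
    allow-update { any; };
};

// --- AFTER (secure only): updates must be GSS-TSIG signed with an AD ticket ---
options {
    // Keytab holding the server's own principal, e.g.
    // DNS/ns1.example.com@EXAMPLE.COM, exported from AD. (Placeholder path.)
    // BIND 9.7+; releases before that used tkey-gssapi-credential and tkey-domain.
    tkey-gssapi-keytab "/etc/named/dns.keytab";
};

zone "example.com" {
    type master;
    file "dynamic/example.com.db";
    // update-policy replaces allow-update; a zone must not carry both.
    update-policy {
        // host/<fqdn>@EXAMPLE.COM may change A/AAAA for <fqdn> and nothing else.
        grant EXAMPLE.COM krb5-self * A AAAA;
        // <MACHINE>$@EXAMPLE.COM (a Windows machine account) may change its own name.
        grant EXAMPLE.COM ms-self * A AAAA;
        // Anything not matched above, including every unsigned update, is refused.
    };
};
```

The point the policy enforces is the one Danny makes: a host can only obtain a ticket for `host/...` or `MACHINE$` once it has joined the domain, and the `krb5-self` / `ms-self` rules bind that principal to its own name, so a joined machine still cannot rewrite a neighbour's record. On the Microsoft DNS side the same effect is the zone's Dynamic updates property set to "Secure only", which Windows offers only for Active Directory-integrated zones; a zone left at "Nonsecure and secure" behaves like the `allow-update { any; }` stanza above.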