Darren Pilgrim (nanog) writes:
> Tom Mikelson wrote:
> >Presently our organization utilizes BIND for DNS services, with the
> >Networking team administering. We are now being told by the Systems team
> >that they will be responsible for DNS services and that it will be changed
> >over to the Microsoft DNS service run on domain controllers. The reason
> >given is that the Active Directory implementation requires the Microsoft DNS
> >service and dynamic DNS.
>
> Bunk. At work we have a network of ~1500 computers with over 600 of
> them running Windows. Our nameservers are all BIND, which have
> dynamic DNS enabled for updates sent from our 2003 and 2008R2 DCs.
> The DCs have no problem creating, updating and deleting the various
> RR's they use to publish the domain. The Systems team folks will
> see errors/warnings in the Windows logs because the Windows machines
> are unable to set up secure connections to the nameservers and due
> to an implementation difference between what BIND accepts and what
> Microsoft's OSes send; but in practice these seem to be little more
> than noise.

Agreed. What about dynamic updates of the client?

It's usually not a problem in this direction (Windows client -> BIND DNS),
but as you say it won't be secure (GSS-TSIG).

Cheers,
Phil
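
An added example, not part of either message: a named.conf sketch of the two ways BIND can accept the dynamic updates discussed above, by source address (unsigned) or by GSS-TSIG. The zone name, realm, addresses, file and keytab paths are assumptions, and the update-policy syntax follows the current BIND 9 documentation.

```conf
// named.conf fragment (constructed example; every name, address and path
// here is a placeholder, none comes from the thread).

options {
    // Keytab holding the DNS/<nameserver-fqdn>@REALM service key exported
    // from the domain; named needs it to verify GSS-TSIG signed updates.
    tkey-gssapi-keytab "/etc/named/dns.keytab";
};

// Weak variant: updates are accepted on source address alone, so they
// are unsigned and any host able to send from a listed address can
// rewrite the zone. Left commented out because a zone takes either
// allow-update or update-policy, not both.
//
// zone "ad.example.com" {
//     type master;
//     file "dynamic/ad.example.com.zone";
//     allow-update { 192.0.2.10; 192.0.2.11; };   // the DCs
// };

// Signed variant: only GSS-TSIG authenticated updates are accepted.
zone "ad.example.com" {
    type master;
    file "dynamic/ad.example.com.zone";
    update-policy {
        // A Windows machine principal host$@AD.EXAMPLE.COM may change
        // only the address records of host.ad.example.com. The "." is
        // a placeholder; ms-self ignores the name field.
        grant AD.EXAMPLE.COM ms-self . A AAAA;

        // The SRV and CNAME records the DCs publish need further grant
        // rules for the DC principals. They depend on the deployment
        // and are not shown here.
    };
};
```

`named-checkconf` validates the fragment's syntax before it is loaded.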