kerberos dynamic DNS and the internal DNS server

Kai Blin kai at
Wed Dec 28 04:45:10 MST 2011

On 2011-12-28 09:43, Helmut Hullen wrote:

Hi Helmut,

> Just for curiosity: many months ago I asked for using "dnsmasq"
> instead of "ISC bind" as nameserver, and I was told that there was
> no planning for using another (external) nameserver than "bind". My
> heart doesn't belong to "dnsmasq" - I only need a simple
> nameserver, and "bind" isn't simple.

I've actually looked at extending dnsmasq to support the Active
Directory back-end before deciding to implement a DNS server in Samba.
However, after talking to the dnsmasq maintainer, it was clear that
upstream was not interested in the feature. Faced with the decision to
either fork dnsmasq or go for something that's more integrated with
the Samba architecture, going for a from-scratch integrated approach
was a pretty easy choice. A basic AD-backed nameserver was up and
running in a week, with < 1500 lines of code written. It took another
week to get updates working to the point we're at now. Compared to
SMB, DNS is a trivial and well-documented protocol. :)

> What about your plans for an internal nameserver?

There are two features missing from the internal DNS server that stop me
from being able to ditch BIND completely for my setup at home, and
both for me are inconveniences rather than real showstoppers. One is
GSS-TSIG signing for updates. Win7 clients really seem to want that.
XP clients work just fine for me. The second missing feature is
support for recursive DNS queries, so we can do name lookups on behalf
of clients instead of sending them to do their own lookups. However,
not supporting DNS recursion is allowed in the spec and clients deal
with it just fine.


Kai Blin
Worldforge developer
Wine developer
Samba team member
