kerberos dynamic DNS and the internal DNS server

Matthieu Patou mat at
Fri Dec 30 10:58:02 MST 2011

On 30/12/2011 03:43, Andrew Bartlett wrote:
> On Fri, 2011-12-30 at 11:22 +0100, Kai Blin wrote:
>> I disagree on the require part, at least for all clients, but I do agree
>> that we need support for GSS-TSIG. No arguments there. All I'm saying is
>> that I've seen setups that even under Windows require people to allow
>> non-authenticated DNS updates, and I'm confident that we can give people
>> _that_ level of DNS already.
>> But I also believe that if people want to run a
>> different set-up, we should allow them too.
> If you can find the in-directory configuration directive that controls
> this, then I'm quite happy for that to control this behaviour.
It's settable in GPO:
gpmc.msc -> Default Domain Policy -> Computer -> Administrative Template -> Network -> DNS Client -> Update Security Level

Besides, there is a need both for the bind plugin and the internal bind to 
support the interim DNS update scheme that comes from a DHCP server (i.e. 
ISC DHCPd). I don't exactly know how this can be handled; for the flat 
file it was quite easy, as you had to define a secret key and grant the 
right to the DHCP server to modify A, AAAA, TXT and PTR records.


Matthieu Patou
Samba Team
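
As an added illustration of the flat-file arrangement mentioned above (not part of the original message, and not Samba's own configuration): a BIND named.conf fragment in which a shared TSIG key lets the DHCP server update only A, AAAA and TXT records in the forward zone and only PTR records in the reverse zone. The key name, zone names, file paths, algorithm choice and the secret placeholder are assumptions.

```conf
// Constructed example: key name, zones, paths and secret are placeholders.
// The same key name, algorithm and secret must be configured on the DHCP
// server, and the algorithm must be one that both servers support.
key "dhcp-ddns-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";
};

// Forward zone: the DHCP server may touch address records and the TXT
// records the interim scheme uses to mark names it owns, nothing else.
zone "example.test" {
    type master;
    file "dynamic/example.test.zone";
    update-policy {
        grant dhcp-ddns-key subdomain example.test. A AAAA TXT;
    };
};

// Reverse zone: the same key may only write PTR records.
zone "2.0.192.in-addr.arpa" {
    type master;
    file "dynamic/192.0.2.rev";
    update-policy {
        grant dhcp-ddns-key subdomain 2.0.192.in-addr.arpa. PTR;
    };
};
```

An allow-update ACL naming the same key would let its holder change any record type in the zone (NS, MX and SRV included), whereas update-policy limits the key to the listed types.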
