enabling internal DNS

Daniele Dario d.dario76 at gmail.com
Mon Sep 17 02:05:32 MDT 2012


Hi Kai,

On Mon, 2012-09-17 at 09:53 +0200, Kai Blin wrote:
> On 2012-09-17 09:19, Daniele Dario wrote:
> 
> Hi Daniele,
> 
> > I've seen during last days many discussions about enabling the internal
> > DNS and found that the "procedure" to follow on an already provisioned
> > system working with bind9+dlz should be to add in smb.conf
> 
> If you already have a working bind-dlz setup, you're not necessarily the
> target audience. Our main aim is to save people the hassle of setting up
> bind-dlz in the first place.
> 
> If you want to keep running bind-dlz, all you need to add is
> 
> server services = -dns
> 
> If you want to run with the internal DNS anyway, I suggest the following:
> 
> dns forwarder = <your forwarder ip>
> 
> And that's it. Unless you really want to allow nonsecure updates. If
> that's the case, you could have been running with the internal server
> for a year already, so I think that's an unlikely scenario.
> 
> Oh, and currently the internal DNS server doesn't listen on the loopback
> interface, so make sure /etc/resolv.conf points to the actual IP address
> of your DC.
> 
> > interfaces = w.x.y.x
> > dns forwarder = a.b.c.d
> > allow dns updates = nonsecure and secure
> 
> I know this was recently proposed on the mailing list, but I don't think
> this is a good idea at all. Allowing nonsecure updates is the best way
> of getting into all sorts of trouble if you can't absolutely trust your
> network.
> 
> I've gone through a lot of trouble to save people from having to take
> risks like that, and I'm not too happy to see people recommend the
> nonsecure update path now that we have better options.
> 
> Cheers,
> Kai
> 

Thanks for the tips.

Can you please confirm that there are no problems running internal DNS
on one DC and continuing to use bind9+dlz on the other (until I update
that one too, at least to RC1)?

Thanks for your patience,
Daniele.
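
The settings discussed in this thread can be checked mechanically. The following is an added example, not part of the original message and not Samba code: a Python audit of an smb.conf [global] section and a resolv.conf. The function names, finding codes and 192.0.2.x sample addresses are constructed for illustration; line continuations and include directives are not handled.

```python
import ipaddress

# Constructed samples: the settings proposed in the thread, and the suggested minimum.
PROPOSED = """[global]
    interfaces = 192.0.2.10
    dns forwarder = 192.0.2.1
    allow dns updates = nonsecure and secure
"""
SUGGESTED = "[global]\n    dns forwarder = 192.0.2.1\n"

def parse_global(text):
    """Return [global] parameters; names are lower-cased with whitespace
    removed, since Samba ignores case and whitespace in parameter names."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = "".join(line[1:-1].split()).lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)  # only the first '=' is significant
            params["".join(name.split()).lower()] = value.strip()
    return params

def audit(smb_conf, resolv_conf):
    """Return (code, message) findings for the settings discussed in the thread."""
    p = parse_global(smb_conf)
    services = p.get("serverservices", "").replace(",", " ").split()
    internal_dns = "-dns" not in services  # "-dns" keeps bind-dlz in charge
    findings = []
    if "nonsecure" in p.get("allowdnsupdates", "").lower():
        findings.append(("NONSECURE_UPDATES", "unsigned dynamic DNS updates accepted"))
    if internal_dns and "dnsforwarder" not in p:
        findings.append(("NO_FORWARDER", "internal DNS enabled without a forwarder"))
    for line in resolv_conf.splitlines() if internal_dns else []:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue
        try:  # the thread notes the internal DNS does not listen on loopback
            if ipaddress.ip_address(parts[1]).is_loopback:
                findings.append(("LOOPBACK_RESOLVER", "nameserver %s is loopback" % parts[1]))
        except ValueError:
            pass  # not a plain IP literal; ignore
    return findings

if __name__ == "__main__":
    for code, msg in audit(PROPOSED, "nameserver 127.0.0.1\n"):
        print(code, "-", msg)
```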


