DNS - differences between internal and Bind9?

Charles Tryon charles.tryon at gmail.com
Wed Jun 5 12:27:39 MDT 2013


OK, this gives me a LOT more information.  Not sure it'll answer all the
questions I might get, but at least gives me a start.

One other specific capability that I was wondering about was secure DNS
updates.  The information I had from May of last year was that the internal
DNS server was not capable of handling secure updates from clients.  Has
this been fixed by now?  I don't see it mentioned above one way or the
other, though it sounds from the Wiki page that it is working (even if it
produces error messages).

(Yes, the Wiki page does give a lot of other useful information too.  I'll
make sure to include that in my presentation!)

Thanks!




On Tue, Jun 4, 2013 at 8:12 AM, Kai Blin <kai at samba.org> wrote:

> On 03/06/13 23:44, Marc Muehlfeld wrote:
>
>> The internal DNS
>> - automatically installed and used by default. No additional work
>> necessary.
>> - New (which doesn't mean it's bad)
>> - currently have problems with MX queries (but already fixed in master)
>>
>
> There's a bunch of other bug fixes coming into the next bug fix release as
> well, master should be fine already.
>
>> Bind DLZ
>>
>
> Marc is mainly talking about the BIND server and not about the DLZ plugin a
> lot. Let me highlight some of the differences here.
>
>
>> - tried and tested for many years on huge environments
>>
>
> True for Bind, the DLZ module is about as old as the internal DNS server.
>
>
>> - Bugs in the DLZ implementation (how it is hooked into Bind) have to
>> be fixed by ISC (so bug fixing can be delayed)
>> - Zone transfers from/to defined hosts supported
>> - Needs to be reloaded when adding/deleting a zone in AD.
>>
>
>> - Existing Bind installations can continue to be used (even if they
>> aren't integrated in Samba and can't be managed with the Windows tools)
>>
>
> If your Bind is the correct version. Also, Bind needs to be running on
> the same file system as the AD DC, because the DLZ module uses hard links
> to the sam.ldb to gateway access to the SAM database.
>
>
>> - Redirecting dedicated zones to defined other name servers
>> - Highly scalable and tested on high-load systems
>>
>
> True for Bind, unknown/untested for the DLZ module.
>
>
>> - Incremental zone transfers
>> - Can be bound to different interfaces than just the ones Samba is
>> listening on (e. g. bind listens on eth0+eth1, samba only on eth0).
>>
>
> But of course this mostly makes sense if the box is your main DNS server
> that also is accessible from the internet. And as Bind needs to be running
> on the same machine as your AD DC, that might not be the best set-up anyway.
>
>
>> - Additional resource types SPF or SSHFP
>>
>
> File a bug if you need any extra resource types, it's pretty
> straightforward to add them to the internal server.
>
>
>> - Views
>> - Supports ACLs (e. g. allow/deny recursive queries by IP/ranges)
>> (Some of the listed features may not be usable with the DLZ module. But
>> you can have zones in Bind beside Samba/AD, too)
>>
>>
>> Kai, please correct me, if something from my Bind list is possible with
>> the internal DNS, too.
>>
>
> Sounds about right, I added some caveats for Bind use.
> Cheers,
> Kai
>
> --
> Kai Blin
> Worldforge developer http://www.worldforge.org/
> Wine developer http://wiki.winehq.org/KaiBlin
> Samba team member http://www.samba.org/samba/team/
>



-- 
    Charles Tryon
_________________________________________________________________________
  “Risks are not to be evaluated in terms of the probability of success,
but in terms of the value of the goal.”
                - Ralph D. Winter
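The thread lists the BIND-side features (listening on more interfaces than Samba, recursion ACLs by IP range, zone transfers to defined hosts, AD zones via DLZ beside an ordinary BIND zone) without showing how they fit together in one configuration, so here is an added named.conf that illustrates them. It is not from the thread or from the Samba project; the addresses, networks, file paths and the name of the Samba-generated include file are assumptions.

```conf
// Added example (not from the thread): a named.conf for a BIND9 on the AD DC
// that serves the Samba zones through the DLZ module and only acts as a
// recursive resolver for internal clients. Addresses, networks and paths
// below are assumed values, not taken from any real deployment.

// Networks allowed to use this server for recursion (assumed ranges).
acl "internal-clients" {
    127.0.0.1;
    192.0.2.0/24;        // assumed LAN where the AD clients live
    2001:db8::/32;       // assumed internal IPv6 range
};

options {
    directory "/var/cache/bind";

    // Listen on both NICs even though Samba itself only binds the
    // AD-facing interface (the eth0+eth1 case from the thread).
    listen-on    { 192.0.2.10; 198.51.100.10; };
    listen-on-v6 { 2001:db8::10; };

    // Recursion for internal clients only; anyone else only gets
    // authoritative answers for the zones served here.
    allow-recursion { "internal-clients"; };
    allow-query     { any; };

    // Hand off non-authoritative lookups to the upstream resolver
    // (assumed address) rather than recursing from the DC itself.
    forwarders { 203.0.113.53; };
};

// The AD-integrated zones come from Samba's sam.ldb through the DLZ plugin.
// Samba generates the dlz block (with the module matching the BIND version)
// into a file of its own; the path used here is an assumption.
include "/usr/local/samba/private/named.conf";

// A plain BIND zone can live beside the AD zones, as the thread notes; it is
// managed with BIND's own tools, not with the Windows DNS console.
zone "example.lab" {
    type master;
    file "/etc/bind/db.example.lab";
    // Only the listed secondary (assumed address) may pull zone transfers,
    // incremental or full.
    allow-transfer { 198.51.100.20; };
};
```

Run `named-checkconf` against the file before reloading; it catches a missing semicolon or a dlz module path that does not exist, both of which otherwise leave the AD zones unserved after a restart.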

