[Samba] how to allow ISC dhcpd to add/update entries to bind9 with bind_dlz (samba4)

Charles Tryon charles.tryon at gmail.com
Tue Mar 20 12:20:20 MDT 2012


Hi Andreas,

  Yes, I did a lot of work trying to get that script working (along with a
bunch of other people on that discussion thread).  I have it mostly
functional, but have largely backed away from that approach, since it runs
against what appears to be the more accepted policy of letting the machines
(in particular, the Windows machines) do their own secure update of the DNS
records.  The unfortunate part is that the Linux clients don't seem to have
a way to do this by default.  I have no idea how the Mac machines handle
their DNS once they get a DHCP response.  Servers, which mostly use static
IP assignments, are a moot point, since I can just manually create the DNS
records and be done with it.

  The issue is the fact that DNS remembers "who" created (owns) the DNS
record, and based on that ownership, who it will allow to change it.  If it
is created by some dhcpd initiated transaction, then the Windows client
itself is not allowed to update the record in the future.

  My feeling at this point is to try to follow the Windows Way for the time
being (since that's the bulk of the machines on the network), and handle
the few Linux clients (oddballs like myself) as special cases.  We also use
DHCP reservations based on the machine's MAC address, so largely it's a
non-issue.  (Or, at least I've got bigger fish to fry first before I go
back and make sure the DHCP/DLZ behavior is tidy.)



On Sun, Mar 18, 2012 at 3:38 AM, Andreas Oster <aoster at novanetwork.de> wrote:

> On 17.03.2012 21:06, Matthieu Patou wrote:
> > On 03/17/2012 10:00 AM, Andreas Oster wrote:
> >> Hello all,
> >>
> >> I have set up a samba4 server with bind9 and the bind_dlz module.
> >> Everything is working as it should but now I need to allow the dhcp
> >> server to add entries to the forwarding zone. Has anybody implemented
> >> such a configuration? Can this be done with the Kerberos DNS dynamic
> >> update configuration?
> > I had it working with flat file backend.
> > I think that the way dhcp and bind do their DDNS is different from the
> > way Windows does its DDNS; as far as I know dlz_plugin only supports the
> > latter one so far.
> >
> >> I want to achieve the following:
> >>
> >> 1) allow non-Windows machines (printers, ILO ...) to be added by dhcpd
> >> 2) allow Windows machines (joined to AD) to update their own entries
> >>
> >> 2 - already works with the configuration from samba wiki
> >>
> > I put our DNS experts in direct copy maybe then can advise you better
> > than I.
> >
> Hello Matthieu,
>
> thank you for your answer. I searched the web a lot, but the
> only useful stuff I found was a script by Michael Kuron which
> has been slightly modified by Charles Tryon but I have no
> clue how to integrate this with bind9 dlz, see:
>
>
> http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
>
> It would be great if someone could help me with the DDNS setup.
>
> best regards
>
> Andreas
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>



-- 
    Charles Tryon
_________________________________________________________________________
  “Risks are not to be evaluated in terms of the probability of success,
but in terms of the value of the goal.”
                - Ralph D. Winter
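As an added example (not the script discussed in the thread and not Samba project code), this is the shape of a dhcpd "on commit" hook that pushes a lease into AD-integrated DNS the way the approach Charles describes works: the DHCP server authenticates as its own Kerberos principal and sends the update to the DC with nsupdate -g (GSS-TSIG). The principal name, keytab path, zone, DNS server, TTL and install path are all assumptions. The hook validates the client-supplied host name before building the nsupdate batch, because that string comes straight from the DHCP client and every line fed to nsupdate is a command.

```shell
#!/bin/sh
# dhcpd -> AD DNS update hook over GSS-TSIG. Added example; not the thread's
# script and not Samba code. Everything named below is an assumption:
# principal, keytab, zone, DNS server, TTL and install path.
#
# Assumed dhcpd.conf wiring (execute() needs ISC dhcpd 4.1 or later):
#   on commit {
#     set clientip = binary-to-ascii(10, 8, ".", leased-address);
#     set clienthost = pick-first-value(option host-name, "");
#     execute("/usr/local/sbin/dhcp-dns-update", "add", clientip, clienthost);
#   }
#   on release {
#     set clientip = binary-to-ascii(10, 8, ".", leased-address);
#     set clienthost = pick-first-value(option host-name, "");
#     execute("/usr/local/sbin/dhcp-dns-update", "delete", clientip, clienthost);
#   }
#
# Caveat from the thread: a record this hook creates is owned by the DHCP
# server's principal, so a domain-joined Windows client will not be allowed to
# update that name itself later. Run the hook only for clients that do not
# register themselves (printers, iLO, plain Linux boxes).

ZONE="${ZONE:-example.com}"
DNS_SERVER="${DNS_SERVER:-dc1.example.com}"
TTL="${TTL:-3600}"
PRINCIPAL="${PRINCIPAL:-dhcpd/dhcp.example.com}"
KEYTAB="${KEYTAB:-/etc/dhcp/dhcpd.keytab}"
export KRB5CCNAME="${KRB5CCNAME:-/var/lib/dhcp/krb5cc_dhcpd}"

# The host name is attacker-controlled (DHCP option 12). Accept only a single
# DNS label so it cannot smuggle extra "update" lines into the nsupdate batch.
valid_hostname() {
  case "$1" in ''|*[!A-Za-z0-9-]*|-*|*-) return 1 ;; esac
  [ "${#1}" -le 63 ]
}

# Dotted-quad IPv4 with exactly four octets in 0..255.
valid_ipv4() {
  case "$1" in ''|.*|*.|*..*|*[!0-9.]*) return 1 ;; esac
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# 192.0.2.50 -> 50.2.0.192.in-addr.arpa
ptr_name() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  printf '%s.%s.%s.%s.in-addr.arpa' "$4" "$3" "$2" "$1"
}

# nsupdate batch for the forward record: $1 = add|delete, $2 = IP, $3 = label.
# No "zone" line: nsupdate locates the zone from the SOA, which also works
# for the reverse zones without assuming their prefix length.
build_forward_update() {
  fqdn="$3.$ZONE"
  case "$1" in
    add)    printf 'server %s\nupdate delete %s A\nupdate add %s %s A %s\nsend\n' \
              "$DNS_SERVER" "$fqdn" "$fqdn" "$TTL" "$2" ;;
    delete) printf 'server %s\nupdate delete %s A\nsend\n' "$DNS_SERVER" "$fqdn" ;;
    *)      return 2 ;;
  esac
}

# Same for the PTR record (separate transaction, since it is a different zone).
build_reverse_update() {
  fqdn="$3.$ZONE"; rev=$(ptr_name "$2")
  case "$1" in
    add)    printf 'server %s\nupdate delete %s PTR\nupdate add %s %s PTR %s.\nsend\n' \
              "$DNS_SERVER" "$rev" "$rev" "$TTL" "$fqdn" ;;
    delete) printf 'server %s\nupdate delete %s PTR\nsend\n' "$DNS_SERVER" "$rev" ;;
    *)      return 2 ;;
  esac
}

main() {
  action="$1"; ip="$2"; host="$3"
  valid_ipv4 "$ip"       || { echo "dhcp-dns-update: bad address '$ip'" >&2; exit 1; }
  valid_hostname "$host" || { echo "dhcp-dns-update: refusing host name '$host'" >&2; exit 1; }
  # Get a TGT for the DHCP server's own principal from its keytab, then send
  # each batch with GSS-TSIG; -g makes nsupdate negotiate the TKEY with the DC.
  kinit -k -t "$KEYTAB" "$PRINCIPAL" || exit 1
  build_forward_update "$action" "$ip" "$host" | nsupdate -g || exit 1
  build_reverse_update "$action" "$ip" "$host" | nsupdate -g
}

# Only act when dhcpd calls us with (action, ip, host); sourcing the file just
# defines the functions without touching Kerberos or DNS.
if [ "$#" -eq 3 ]; then
  main "$@"
fi
```

The principal needs a keytab (extracted from a service account in the domain) and the rights Samba grants that principal on the zone; which principal ends up as the record owner is exactly the ownership problem described above, so keep the hook to machines that will never register themselves. One gate worth trying in dhcpd.conf, as an assumption rather than something from the thread, is to run the hook only when the client did not send a Client FQDN option (`if not exists fqdn.fqdn`), since Windows clients that intend to do their own secure update send it.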

