Educause Security Discussion mailing list archives
Re: It's all in a Domain Name
From: Michael Sinatra <michael () RANCID BERKELEY EDU>
Date: Thu, 18 Mar 2010 09:36:55 -0700
On 03/18/10 06:42, Valdis Kletnieks wrote:
We ended up using <dept>.vt.edu as our main DNS structure, and then parking the AD address space at <dept>.w2k.vt.edu, mostly because at the time we deployed AD, the people managing our production DNS weren't thrilled with the idea of AD's dynamic updating, especially with trying to sync our off-campus DNS secondaries, which are run by somebody else.
This is still an issue, IMO. In most implementations, to allow dynamic updates, the *entire* DNS zone (and therefore the domain) must be dynamic. Not only are there clear security implications, but it changes the way you manage *all* of your DNS (unless you already do dynamic updates for everything). For this reason (and the variety of issues with .local as already described), using a subdomain of your regular domain (i.e. option #2 in the original question) is usually the best option. The synchronization issue is less of a problem now that BIND has a way of working around AD's goofy serial number problem. I think AD may have even fixed that problem by now.

michael
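To make the delegated-subdomain design (option #2) concrete, here is an added BIND named.conf excerpt; it is not from the list post, and example.edu, the host names, the key name and the secret are placeholders. The parent zone stays entirely static, and only the delegated ad.example.edu zone accepts dynamic updates, restricted to one TSIG key, so the rest of the organization's DNS is managed exactly as before.

```conf
// named.conf excerpt (constructed example; all names and the secret are
// placeholders, not values from the mailing-list thread)

// Parent zone: static, hand-managed, and never accepts dynamic updates.
// Secondaries (including off-site ones run by someone else) transfer it
// as an ordinary static zone.
zone "example.edu" {
    type master;
    file "/var/named/example.edu.zone";
    allow-update { none; };
    // In example.edu.zone the subdomain is delegated with ordinary
    // static records, e.g.
    //   ad.example.edu.  IN NS  ns1.example.edu.
    //   ad.example.edu.  IN NS  ns2.example.edu.
};

// Shared secret used to sign update requests for the AD subzone.
// Generate a real secret with tsig-keygen; never commit it to a repo.
key "ad-update-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET==";
};

// Delegated subzone for Active Directory: the only dynamic zone on this
// server. Updates are accepted solely when signed with the key above,
// and the journal file keeps the dynamic changes out of the static data.
zone "ad.example.edu" {
    type master;
    file "/var/named/dynamic/ad.example.edu.zone";
    journal "/var/named/dynamic/ad.example.edu.jnl";
    allow-update { key "ad-update-key"; };
};
```

If the domain controllers host the subzone themselves (AD-integrated DNS), drop the second zone statement and point the delegation NS records at the DCs instead; the parent zone is still never opened to dynamic updates.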