Educause Security Discussion mailing list archives

Re: It's all in a Domain Name


From: Michael Sinatra <michael () RANCID BERKELEY EDU>
Date: Thu, 18 Mar 2010 09:36:55 -0700

On 03/18/10 06:42, Valdis Kletnieks wrote:

> We ended up using <dept>.vt.edu as our main DNS structure, and then parking
> the AD address space at <dept>.w2k.vt.edu, mostly because at the time we
> deployed AD, the people managing our production DNS weren't thrilled with
> the idea of AD's dynamic updating, especially with trying to sync our
> off-campus DNS secondaries, which are run by somebody else.

This is still an issue, IMO.  In most implementations, to allow dynamic
updates, the *entire* DNS zone (and therefore the domain) must be
dynamic.  Not only are there clear security implications, but it changes
the way you manage *all* of your DNS (unless you already do dynamic
updates for everything).  For this reason (and the variety of issues
with .local as already described), using a subdomain of your regular
domain (i.e. option #2 in the original question) is usually the best option.

The synchronization issue is less of a problem now that BIND has a way
of working around AD's goofy serial number problem.  I think AD may have
even fixed that problem by now.

michael
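As an added illustration of the "subdomain of your regular domain" option discussed above (not configuration from either poster's site), here is a BIND 9 named.conf fragment that keeps the production zone static and confines dynamic updates to a delegated AD subdomain. Zone names, addresses, file paths and the Kerberos realm are placeholders.

```conf
// Added example: production zone stays static, only the AD subdomain is dynamic.
// example.edu, ad.example.edu, 192.0.2.x and AD.EXAMPLE.EDU are placeholders.

options {
    directory "/var/named";
    // Keytab used to validate GSS-TSIG signed updates from domain members
    tkey-gssapi-keytab "/etc/named.keytab";
};

// Production zone: hand-edited, no dynamic updates, transferred to the
// off-campus secondary as before. Its zone file carries only the delegation:
//   ad          IN NS  dc1.ad.example.edu.
//   dc1.ad      IN A   192.0.2.10     ; glue record for the DC
zone "example.edu" IN {
    type master;
    file "static/example.edu.zone";
    allow-update   { none; };           // nothing dynamic in the parent zone
    allow-transfer { 192.0.2.53; };     // placeholder: off-campus secondary
    also-notify    { 192.0.2.53; };
};

// AD subdomain, if hosted on this BIND server rather than on the DCs
// themselves. Dynamic updates are accepted only from Kerberos machine
// principals of the AD realm, and each host may touch only its own records.
zone "ad.example.edu" IN {
    type master;
    file "dynamic/ad.example.edu.zone";
    update-policy {
        // machine$@AD.EXAMPLE.EDU may update machine.ad.example.edu only
        grant AD.EXAMPLE.EDU ms-self ad.example.edu. A AAAA;
        // Domain controllers register SRV/_msdcs records as well; grant
        // those separately for the DC principals rather than opening the zone.
    };
    allow-transfer { 192.0.2.53; };
};
```

With this split, the off-campus secondaries keep receiving an ordinary static zone, and the only zone whose serial and contents change on their own is the delegated subdomain.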
