Discussion:
DNS can be a subdomain
Elias Pereira
2018-06-26 20:03:03 UTC
Hello,

Can my external DNS be a subdomain of my root domain?

Eg:
root domain: company.intra
external dns: named.company.intra
--
Elias Pereira
John Miller
2018-06-26 21:12:59 UTC
Hi Elias,

Generally not. Unless .intra is a valid top-level-domain, and
company.intra is registered with the .intra registrars, your external
DNS will need to be different. And in any case, you probably want
your public Internet presence to reflect your actual company name and
be in a TLD that people are expecting to see (.com if you're a
business, .org if a non-profit, country-based TLD depending on where
you're at, etc.).

John
--
John Miller
Senior Systems Engineer
Brandeis University ITS
***@brandeis.edu
(781) 736-4619
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Elias Pereira
2018-06-26 23:20:44 UTC
Spammers on the bind list? Lol

@Reindl Harald
Thanks for the answer!! I'll take a look!

@John Miller
company.intra is an example domain. :)
In our institution we have a valid domain and we belong to an educational
institution group. The institution is company.intra and that will provision
a samba4 AD DC as the primary domain. This domain will be a subdomain of
company.intra, something like hq.company.intra, as is the guidance of the
Samba development team. We will be a DC member of this "hq" domain.

For this reason, I thought of using a subdomain as the external DNS, since
Samba needs to be authoritative for its own DNS.

Our DC would be "str.hq.company.intra" and our dns
"ns1.named.hq.company.intra". Maybe we use glue records, as Reindl Harald
commented.
--
Elias Pereira
Grant Taylor via bind-users
2018-06-26 23:36:56 UTC
since the samba needs to be authoritative on its own dns.
Is that truly a requirement?

I've not messed with AD on Samba. But I know that Windows servers just
need the ability to update DNS. They do not need to be authoritative
for it.

Is this not the same with Samba? Is there something specific about
Samba that does require it to be authoritative for the zone?
--
Grant. . . .
unix || die
Elias Pereira
2018-06-27 00:21:22 UTC
Post by Grant Taylor via bind-users
Is that truly a requirement?
Is this not the same with Samba? Is there something specific about
Samba that does require it to be authoritative for the zone?
yes. :)

https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ#Why_This_Matters

Post by Grant Taylor via bind-users
But I know that Windows servers just
need the ability to update DNS. They do not need to be authoritative
for it.
How would this work in the scenario I described above?

--
Elias Pereira
Grant Taylor via bind-users
2018-06-27 04:15:14 UTC
Post by Elias Pereira
yes. :)
https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ#Why_This_Matters
Hum.

After reading that section of the page you linked to, I'm not convinced
that the DNS /must/ be on the Samba server.
Post by Elias Pereira
How would this work in the scenario I described above?
I completely agree with the referenced section in that AD clients and
servers absolutely MUST use the same DNS zone and server(s). (Servers
plural for master ~> slave replication of the same zone.)

However, nothing about Microsoft AD servers requires that the DNS zone
be hosted /on/ or /by/ the AD DC. It is /completely/ possible to host
the AD DNS zone on any DNS server. There are two caveats that
absolutely MUST be met.

1) All AD clients need to be able to query the same view of the DNS
zone. (Replication across servers is perfectly fine.)

2) AD DNS records must be added to said DNS zone.

It is completely possible to use a BIND DNS server to host an AD DNS
zone. You don't even need to allow dynamic updates. It's possible to
manually add the resource records (all 30 ~ 50 of them for a basic AD
forest) to the DNS zone on a BIND server by hand. AD will work
perfectly fine and not care where the DNS zone is hosted.

It's more convenient to allow the server (?) service to dynamically
create the necessary resource records via dynamic updates.

It is also convenient to run DNS on an AD DC that is also a DNS server.
The integration makes things simple and usually works.

Seeing how Microsoft AD servers are perfectly happy to have the DNS zone
hosted on other servers, I wondered if Samba AD servers are equally happy.

Aside: (I'm fairly certain that) it is possible to integrate Kerberos
based authentication for AD clients to update their own DNS resource
records on BIND. Jan-Piet Mens has a blog article on how to do it.
--
Grant. . . .
unix || die
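An added check for the second caveat above (example code written for this thread, not from the list, from Samba or from ISC): given a BIND zone file, confirm that the service records a DC publishes are present and that each SRV target has an address record. The domain name is the one from the thread; REQUIRED_SRV is assumed to be a core subset of the records an AD DC registers, and the zone text is constructed sample data.

```python
DOMAIN = "hq.company.intra"   # the AD domain name used in the thread
# SRV owner prefixes an AD DC publishes (core subset of what samba_dnsupdate / netlogon register)
REQUIRED_SRV = ["_ldap._tcp", "_kerberos._tcp", "_kpasswd._tcp", "_gc._tcp",
                "_ldap._tcp.dc._msdcs", "_kerberos._tcp.dc._msdcs", "_ldap._tcp.pdc._msdcs"]

def parse_zone(text, origin):
    """Map (owner_fqdn, rrtype) -> [rdata] for a one-record-per-line BIND zone file."""
    recs = {}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()                 # strip comments, tokenize
        if fields and fields[0] == "$ORIGIN":
            origin = fields[1].rstrip(".")
            continue
        if not fields or fields[0].startswith("$"):           # blank line, $TTL, ...
            continue
        owner = fields.pop(0)                                 # each record carries its owner
        owner = origin if owner == "@" else (owner if owner.endswith(".") else f"{owner}.{origin}")
        while fields[0].isdigit() or fields[0].upper() == "IN":   # skip optional TTL / class
            fields.pop(0)
        key = (owner.rstrip(".").lower(), fields.pop(0).upper())
        recs.setdefault(key, []).append(" ".join(fields))
    return recs

def missing_ad_records(zone_text, domain=DOMAIN):
    """Return findings: required SRV records that are absent, or whose target has no A/AAAA."""
    recs, problems = parse_zone(zone_text, domain), []
    has_addr = lambda name: (name, "A") in recs or (name, "AAAA") in recs
    for prefix in REQUIRED_SRV:
        owner = f"{prefix}.{domain}"
        if (owner, "SRV") not in recs:
            problems.append(f"missing SRV {owner}")
            continue
        for rdata in recs[(owner, "SRV")]:                    # rdata: priority weight port target
            target = rdata.split()[-1]
            target = (target[:-1] if target.endswith(".") else f"{target}.{domain}").lower()
            if not has_addr(target):
                problems.append(f"SRV {owner} -> {target} has no A/AAAA record")
    return problems
# Constructed sample (made-up addresses): _ldap._tcp.pdc._msdcs is left out and
# _gc._tcp points at a name with no address record, so the check has two findings.
SAMPLE_ZONE = """\
$ORIGIN hq.company.intra.
str                       IN A   10.0.0.10
_ldap._tcp                IN SRV 0 100 389  str
_kerberos._tcp            IN SRV 0 100 88   str
_kpasswd._tcp             IN SRV 0 100 464  str
_gc._tcp                  IN SRV 0 100 3268 gc.hq.company.intra.
_ldap._tcp.dc._msdcs      IN SRV 0 100 389  str
_kerberos._tcp.dc._msdcs  IN SRV 0 100 88   str
"""
```

Relative SRV targets are expanded against the domain, so run it on a zone whose $ORIGIN is the AD domain itself.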
Mark Andrews
2018-06-27 04:21:56 UTC
And if you are not using AD you can use SIG(0) and KEY records
to allow hosts to authenticate updates to the DNS for their own
records.

Instead of registering a host with AD you add a KEY record into
the DNS which has the public key of the host which is to be used
to sign the UPDATE requests. Unfortunately OS developers have
been asleep at the wheel by not adding support for this to their
products.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ***@isc.org
Grant Taylor via bind-users
2018-06-27 04:35:22 UTC
And if you are not using AD you can use SIG(0) and KEY records to allow
hosts to authenticate updates to the DNS for their own records.
I'm not quite following. Do you mean that you can allow hosts to update
their own RRs without requiring AD and using SIG(0) as an alternative?

Or are you saying forego AD (and Kerberos) and use SIG(0) instead?

#confused
Instead of registering a host with AD you add a KEY record into the DNS
which has the public key of the host which is to be used to sign the
UPDATE requests.
If you're using AD for (presumably) Windows networking (and all that
entails) you very likely want the workstations to be registered with AD.
The machine trust accounts are pertinent to AD's operation and the
workstation's ability to access AD resources when users aren't logged in.

#stillConfused
Unfortunately OS developers have been asleep at the wheel by not adding
support for this to their products.
I'm seeing more and more references to SIG(0) in the last couple of
weeks. I think I need to refresh myself on it.
--
Grant. . . .
unix || die
Elias Pereira
2018-06-27 11:37:16 UTC
@all

I still do not see any relevant point in taking DNS authority away from
the AD and having something else resolve its queries. As the wiki says,
security is essential and you do not have to risk it and let the data be
compromised.

And remember, I'm at an education institute with courses in computer
science and information security. There will always be some "smart guys"
who will try to do something illegal.

I will run some tests with DNS as a subdomain and I will come back here to
give you feedback.

Thank you for now!
--
Elias Pereira
Darcy Kevin (FCA)
2018-06-27 21:41:14 UTC
Domain Controllers certainly need to have their hostnames registered in the AD domain, but regular domain-joined members do *not*. We've been running AD for decades, without registering members in the AD domain. Works fine. Instead, we get our (non-Microsoft) DHCP servers to register dynamic clients automatically in a vendor-agnostic zone hosted on BIND (actually, Infoblox running modified BIND under the covers), and servers, whether Windows or not, get manually registered in various vendor-agnostic zones. The only hostnames in our AD domain are the Domain Controllers, and those hostnames are redundant with what exists in the vendor-agnostic zones. The reverse records point back to the vendor-agnostic-zone names.

Microsoft calls this architecture a "disjoint namespace", which is slightly derogatory. According to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/disjoint-namespace, disjoint namespaces are "more complex" (which is rich, coming from Microsoft, inventor of aging, scavenging and "tombstone records" for their DNS) and cites various caveats and disadvantages. But it's fully supported. I just had a word with one of our AD experts, and he reminded me that, with a disjoint namespace, you need to take some care to define the "disjointed" namespaces as being authorized for SPN generation (we did that a long time ago, and I had forgotten that step). But that's one of the few "gotchas" associated with disjoint namespaces.

- Kevin
Grant Taylor via bind-users
2018-06-28 03:11:45 UTC
I think we may be talking past each other. I was referring to (client) machine trust accounts inside of AD, not hostnames in DNS.

I now think you are referring to the latter. I can see how that can work.
--
Grant. . . .
unix || die
Bob McDonald
2018-06-27 14:24:48 UTC
Hmmm... My understanding was that the only requirement was that the DNS
server pointed to by the AD DC (in this case the AD is managed by SAMBA)
had to be authoritative for the domain in DNS which represented the
matching AD domain. This was a common holy war between MCSE folks and BIND
groupies. If you drank the Microsoft Kool-Aid in the early days, you
staunchly believed that DNS had to be AD-integrated on the AD DCs. That's
just not the case.

Again that's my understanding.

Bob