samba - Jan 2014 - The need for Kerberos dynamic DNS updates

The "Dns-backend bind" page on the wiki recommends that you set up DNS
dynamic updates via Kerberos.  My understanding is that if you select
BIND9_DLZ that the DNS zone data is stored in the directory.  I would
assume that in this case the normal directly replication would take care of
moving DNS changes to all AD DCs.  If this is correct, it would seem that
there would be no need for a DNS-specific update mechanism.

Is there something that I have misunderstood?

Doug

On Thu, 2014-01-09 at 21:08 -0400, Doug Meredith wrote:
> The "Dns-backend bind" page on the wiki recommends that you set
up DNS
> dynamic updates via Kerberos.  My understanding is that if you select
> BIND9_DLZ that the DNS zone data is stored in the directory.  I would
> assume that in this case the normal directly replication would take care of
> moving DNS changes to all AD DCs.  If this is correct, it would seem that
> there would be no need for a DNS-specific update mechanism.
> 
> Is there something that I have misunderstood?
Samba as nn AD DC updates itself via Kerberos GSS-TSIG.  Part of why we
do this is that this is how Microsoft's AD does it, and the rest is
because that way we don't have a different code path compared to what
domain members do, which is also Kerberos GSS-TSIG, just of less
records.

Also, while not encouraged for Samba deployments, not every AD DC has to
be a DNS server, so we need to be able to update the DNS server on
another potentially Microsoft AD DC.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba