samba - Feb 2015 - specify alternative port for samba internal dns server

Whoops - sorry for responding to you directly rather than via the list -- I
only use gmail for extremely high-volume mailing lists, and usually that's
just to skim-read them -- so I don't know the gmail web-ui very well (and
it seems to change all the time) -- apologies.  (Also i have no idea how to
not top-post with gmail ...  I'll figure that out for next time)

You seem to have strong opinions regarding the default port for the dns
server - I disagree with you but I'm not going to try to change your deeply
held beliefs.

While expressing your opinions earlier in the thread, the idea was raised
that it is somehow _REQUIRED_ for clients to use the samba internal dns
directly rather than receive dns responses via an intermediary dns server
-- can someone confirm whether or not this is the case?

On Thu, Feb 26, 2015 at 4:00 PM, Rowland Penny <rowlandpenny at
googlemail.com>
wrote:
> On 26/02/15 23:39, Ben Cohen wrote:
>
>> Please stop making the assumption that I don't have different
problems
>> than you...
>>
>> I support IT environments that are connected via incredibly slow
internet
>> links -- user clients CANNOT use something other than my dns server as
>> their dns resolver -- I have to implement logic which controls all
internet
>> access, including dns resolution, on a per user basis per-byte basis --
if
>> I put another dns server in-between me and the network clients, I lose
the
>> information by which my dns forwarding-resolver can make the identify
>> determination.  Perhaps you have some way of passing forward the
identity
>> information regarding which client is making the dns request in a way
that
>> my network-access-control appliance understands -- oh, right no you
don't
>> do you?
>>
>> In my testing my approach seems to work the way I want to do things --
>> two servers, one with dnsmasq, one with samba internal dns.  Clients
point
>> at my dnsmasq, dnsmasq resolves ad domain via samba dns.  Is this not
>> appropriate for some reason?  How does this go against the 'ad'
way? As far
>> as I can tell there is absolutely nothing wrong with this architecture
...
>> why should the clients need to talk to the samba dns directly rather
than
>> via my intermediary -- is that actually required?  Its my impression
that
>> my campus network doesn't do this with normal active directory -- I
believe
>> they run BIND and queries for ad.foo.com <http://ad.foo.com> are
>> resolved via authoritative AD dns servers running on windows server ...
>> Isn't that the normal way?
>>
>> The reason I want to run the samba4 dns on a different port than the
>> default is to avoid having to run an additional OS -- my environments
are
>> very expensive to put equipment in, reducing the hardware and OS count
is
>> desirable, particularly where there is not a good reason that something
>> needs to have its own OS instance ...
>>
>> It seems you reference a straw-man desire to customize the ldap server
>> port in order to evoke some history of problems surrounding people
trying
>> to use services that don't work with the AD model within samba.  In
fact my
>> GOAL is exactly the opposite -- I WANT to USE the samba integrated dns
in
>> order to avoid having any issues with the required set of magic AD dns
>> behaviours -- rather than trying to hack those required dns behaviours
into
>> my existing dns configuration ...
>>
>> I appreciate your thoughts and if my suggested approach (with two
>> servers) truly isn't going to work, it would be huge if you or
someone else
>> could tell me and give a lot insight why ... because my plan even with
a
>> *NO* on the ability to change the port that samba-dns listens on, is to
use
>> two servers as described above ...  If that's not gonna work for
some
>> reason it'd be awesome to find out now ...
>>
>> Thanks,
>>
>> On Thu, Feb 26, 2015 at 3:06 PM, Rowland Penny <
>> rowlandpenny at googlemail.com <mailto:rowlandpenny at
googlemail.com>> wrote:
>>
>>     On 26/02/15 22:58, Ben Cohen wrote:
>>
>>         My goal is for the samba dns server to be authoritative for
>>         'ad.mydomain.com <http://ad.mydomain.com>
>>         <http://ad.mydomain.com>' but not for mydomain.com
>>         <http://mydomain.com> <http://mydomain.com>. The
dns server
>>         that the clients in my domain use is statically configured to
>>         resolve all requests for ad.mydomain.com
>>         <http://ad.mydomain.com> <http://ad.mydomain.com>
via the
>>         samba internal dns -- I believe this is exactly what is
>>         required for samba to function ...  Is this incorrect somehow?
>>
>>
>>     You should point your domain members to the DC, if the record the
>>     client requires is inside the AD domain, the DC will return
>>     answer, if it doesn't know, it will forward the request to
>>     whatever you have set as the forwarder.
>>
>>
>>         A whole bunch of other samba services can listen on other than
>>         the default service port through configuration options ...
>>  Why should the dns service uniquely deserve an all-caps *NO*
>>         with regard to this configurability?
>>
>>
>>     You could always try and alter the ldap port that samba4 listens
>>     on, oh sorry, you cannot change that either can you.
>>
>>     Please stop trying to bend AD to your way of working.
>>
>>
>>     Rowland
>>     --     To unsubscribe from this list go to the following URL and
read
>> the
>>     instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>>
> Please stop sending emails directly to me, keep it on list.
>
> If you are struggling with resources, you could run another OS inside a VM
> and point the samba forwarder to a DNS server running on the OS in the VM.
>
> Would you try and circumvent the way a windows server works, I do not
> think so and as samba4 AD works exactly the same as windows AD, you
> shouldn't try to change the way it works.
>
> Note that this is the last I will have to say on this subject.
>
>
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On 02/26/2015 04:10 PM, Ben Cohen wrote:
> Whoops - sorry for responding to you directly rather than via the list -- I
> only use gmail for extremely high-volume mailing lists, and usually
that's
> just to skim-read them -- so I don't know the gmail web-ui very well
(and
> it seems to change all the time) -- apologies.  (Also i have no idea how to
> not top-post with gmail ...  I'll figure that out for next time)
> 
> You seem to have strong opinions regarding the default port for the dns
> server - I disagree with you but I'm not going to try to change your
deeply
> held beliefs.
> 
> While expressing your opinions earlier in the thread, the idea was raised
> that it is somehow _REQUIRED_ for clients to use the samba internal dns
> directly rather than receive dns responses via an intermediary dns server
> -- can someone confirm whether or not this is the case?
> 
> On Thu, Feb 26, 2015 at 4:00 PM, Rowland Penny <rowlandpenny at
googlemail.com>
> wrote:
> 
>> On 26/02/15 23:39, Ben Cohen wrote:
>>
>>> Please stop making the assumption that I don't have different
problems
>>> than you...
>>>
>>> I support IT environments that are connected via incredibly slow
internet
>>> links -- user clients CANNOT use something other than my dns server
as
>>> their dns resolver -- I have to implement logic which controls all
internet
>>> access, including dns resolution, on a per user basis per-byte
basis -- if
>>> I put another dns server in-between me and the network clients, I
lose the
>>> information by which my dns forwarding-resolver can make the
identify
>>> determination.  Perhaps you have some way of passing forward the
identity
>>> information regarding which client is making the dns request in a
way that
>>> my network-access-control appliance understands -- oh, right no you
don't
>>> do you?
>>>
>>> In my testing my approach seems to work the way I want to do things
--
>>> two servers, one with dnsmasq, one with samba internal dns. 
Clients point
>>> at my dnsmasq, dnsmasq resolves ad domain via samba dns.  Is this
not
>>> appropriate for some reason?  How does this go against the
'ad' way? As far
>>> as I can tell there is absolutely nothing wrong with this
architecture ...
>>> why should the clients need to talk to the samba dns directly
rather than
>>> via my intermediary -- is that actually required?  Its my
impression that
>>> my campus network doesn't do this with normal active directory
-- I believe
>>> they run BIND and queries for ad.foo.com <http://ad.foo.com>
are
>>> resolved via authoritative AD dns servers running on windows server
...
>>> Isn't that the normal way?
>>>
>>> The reason I want to run the samba4 dns on a different port than
the
>>> default is to avoid having to run an additional OS -- my
environments are
>>> very expensive to put equipment in, reducing the hardware and OS
count is
>>> desirable, particularly where there is not a good reason that
something
>>> needs to have its own OS instance ...
>>>
>>> It seems you reference a straw-man desire to customize the ldap
server
>>> port in order to evoke some history of problems surrounding people
trying
>>> to use services that don't work with the AD model within samba.
In fact my
>>> GOAL is exactly the opposite -- I WANT to USE the samba integrated
dns in
>>> order to avoid having any issues with the required set of magic AD
dns
>>> behaviours -- rather than trying to hack those required dns
behaviours into
>>> my existing dns configuration ...
>>>
>>> I appreciate your thoughts and if my suggested approach (with two
>>> servers) truly isn't going to work, it would be huge if you or
someone else
>>> could tell me and give a lot insight why ... because my plan even
with a
>>> *NO* on the ability to change the port that samba-dns listens on,
is to use
>>> two servers as described above ...  If that's not gonna work
for some
>>> reason it'd be awesome to find out now ...
>>>
>>> Thanks,
>>>
>>> On Thu, Feb 26, 2015 at 3:06 PM, Rowland Penny <
>>> rowlandpenny at googlemail.com <mailto:rowlandpenny at
googlemail.com>> wrote:
>>>
>>>     On 26/02/15 22:58, Ben Cohen wrote:
>>>
>>>         My goal is for the samba dns server to be authoritative for
>>>         'ad.mydomain.com <http://ad.mydomain.com>
>>>         <http://ad.mydomain.com>' but not for
mydomain.com
>>>         <http://mydomain.com> <http://mydomain.com>.
The dns server
>>>         that the clients in my domain use is statically configured
to
>>>         resolve all requests for ad.mydomain.com
>>>         <http://ad.mydomain.com>
<http://ad.mydomain.com> via the
>>>         samba internal dns -- I believe this is exactly what is
>>>         required for samba to function ...  Is this incorrect
somehow?
>>>
>>>
>>>     You should point your domain members to the DC, if the record
the
>>>     client requires is inside the AD domain, the DC will return
>>>     answer, if it doesn't know, it will forward the request to
>>>     whatever you have set as the forwarder.
>>>
>>>
>>>         A whole bunch of other samba services can listen on other
than
>>>         the default service port through configuration options ...
>>>  Why should the dns service uniquely deserve an all-caps *NO*
>>>         with regard to this configurability?
>>>
>>>
>>>     You could always try and alter the ldap port that samba4
listens
>>>     on, oh sorry, you cannot change that either can you.
>>>
>>>     Please stop trying to bend AD to your way of working.
>>>
>>>
>>>     Rowland
>>>     --     To unsubscribe from this list go to the following URL
and read
>>> the
>>>     instructions: https://lists.samba.org/mailman/options/samba
>>>
>>>
>>>
>> Please stop sending emails directly to me, keep it on list.
>>
>> If you are struggling with resources, you could run another OS inside a
VM
>> and point the samba forwarder to a DNS server running on the OS in the
VM.
>>
>> Would you try and circumvent the way a windows server works, I do not
>> think so and as samba4 AD works exactly the same as windows AD, you
>> shouldn't try to change the way it works.
>>
>> Note that this is the last I will have to say on this subject.
>>
>>
>> Rowland
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
Your clients don't have to query your Samba DC's for DNS directly.
Though, it does make troubleshooting/resolving issues much simpler.

One thought would be, replace dnsmasq with BIND, and use BIND to do
Samba's DNS along with your other DNS needs.
-- 
John Yocum, Systems Administrator, DEOHS

On 27/02/15 00:10, Ben Cohen wrote:
> Whoops - sorry for responding to you directly rather than via the list -- I
> only use gmail for extremely high-volume mailing lists, and usually
that's
> just to skim-read them -- so I don't know the gmail web-ui very well
(and
> it seems to change all the time) -- apologies.  (Also i have no idea how to
> not top-post with gmail ...  I'll figure that out for next time)
>
> You seem to have strong opinions regarding the default port for the dns
> server - I disagree with you but I'm not going to try to change your
deeply
> held beliefs.
>
> While expressing your opinions earlier in the thread, the idea was raised
> that it is somehow _REQUIRED_ for clients to use the samba internal dns
> directly rather than receive dns responses via an intermediary dns server
> -- can someone confirm whether or not this is the case?
>
>
Try reading this samba wiki page: 
https://wiki.samba.org/index.php/DNS#Which_DNS_backend_should_I_choose.3F

Especially the bit at the top.

Rowland

Ok great -- thanks for the response.  Based on your answer, I'm under the
impression my approach should work fine then.

As for switching to BIND -- my networks are small, BIND is a whole lot more
dns-server than I need ...  dnsmasq has advantages to BIND -- its much
easier to administer, much more flexible, we use it for dhcp, and perhaps
most importantly -- we are already using it ...

With this setup samba-dns should own all dns behaviours that depend on AD,
and the rest of my environment's behaviours will work exactly as before (so
as long as there's not something basic that I'm not understanding).  I
don't see why this should be considered a hard to troubleshoot arrangement,
all the tricky dns stuff should be handled within the samba dns server ...
I know from experience that troubleshooting BIND with external dynamic dns
mutators is not particularly fun ...  This approach requires much less
heavy inter-service dependencies in my opinion -- samba wholly owns the ad
dns, dnsmasq points to ad dns for the ad domain as it would any other dns
server -- no BIND-DDNS synchronization is needed ...

Thanks again for the thoughts -- and I hope I'm not coming across as
someone who's repeatedly disregarding advice.  I'm in a position where I
do
want to use the internal samba dns, but I can't point my clients at the
internal dns as their primary dns server.  It seems to me like there might
be a lot of other environments where this same approach would make samba4
integration substantially more straightforward than the two approaches
described in the samba4 documentation ...

On Thu, Feb 26, 2015 at 4:16 PM, John Yocum <jtyocum at uw.edu> wrote:
> On 02/26/2015 04:10 PM, Ben Cohen wrote:
> > Whoops - sorry for responding to you directly rather than via the list
> -- I
> > only use gmail for extremely high-volume mailing lists, and usually
> that's
> > just to skim-read them -- so I don't know the gmail web-ui very
well (and
> > it seems to change all the time) -- apologies.  (Also i have no idea
how
> to
> > not top-post with gmail ...  I'll figure that out for next time)
> >
> > You seem to have strong opinions regarding the default port for the
dns
> > server - I disagree with you but I'm not going to try to change
your
> deeply
> > held beliefs.
> >
> > While expressing your opinions earlier in the thread, the idea was
raised
> > that it is somehow _REQUIRED_ for clients to use the samba internal
dns
> > directly rather than receive dns responses via an intermediary dns
server
> > -- can someone confirm whether or not this is the case?
> >
> > On Thu, Feb 26, 2015 at 4:00 PM, Rowland Penny <
> rowlandpenny at googlemail.com>
> > wrote:
> >
> >> On 26/02/15 23:39, Ben Cohen wrote:
> >>
> >>> Please stop making the assumption that I don't have
different problems
> >>> than you...
> >>>
> >>> I support IT environments that are connected via incredibly
slow
> internet
> >>> links -- user clients CANNOT use something other than my dns
server as
> >>> their dns resolver -- I have to implement logic which controls
all
> internet
> >>> access, including dns resolution, on a per user basis per-byte
basis
> -- if
> >>> I put another dns server in-between me and the network
clients, I lose
> the
> >>> information by which my dns forwarding-resolver can make the
identify
> >>> determination.  Perhaps you have some way of passing forward
the
> identity
> >>> information regarding which client is making the dns request
in a way
> that
> >>> my network-access-control appliance understands -- oh, right
no you
> don't
> >>> do you?
> >>>
> >>> In my testing my approach seems to work the way I want to do
things --
> >>> two servers, one with dnsmasq, one with samba internal dns. 
Clients
> point
> >>> at my dnsmasq, dnsmasq resolves ad domain via samba dns.  Is
this not
> >>> appropriate for some reason?  How does this go against the
'ad' way?
> As far
> >>> as I can tell there is absolutely nothing wrong with this
architecture
> ...
> >>> why should the clients need to talk to the samba dns directly
rather
> than
> >>> via my intermediary -- is that actually required?  Its my
impression
> that
> >>> my campus network doesn't do this with normal active
directory -- I
> believe
> >>> they run BIND and queries for ad.foo.com
<http://ad.foo.com> are
> >>> resolved via authoritative AD dns servers running on windows
server ...
> >>> Isn't that the normal way?
> >>>
> >>> The reason I want to run the samba4 dns on a different port
than the
> >>> default is to avoid having to run an additional OS -- my
environments
> are
> >>> very expensive to put equipment in, reducing the hardware and
OS count
> is
> >>> desirable, particularly where there is not a good reason that
something
> >>> needs to have its own OS instance ...
> >>>
> >>> It seems you reference a straw-man desire to customize the
ldap server
> >>> port in order to evoke some history of problems surrounding
people
> trying
> >>> to use services that don't work with the AD model within
samba.  In
> fact my
> >>> GOAL is exactly the opposite -- I WANT to USE the samba
integrated dns
> in
> >>> order to avoid having any issues with the required set of
magic AD dns
> >>> behaviours -- rather than trying to hack those required dns
behaviours
> into
> >>> my existing dns configuration ...
> >>>
> >>> I appreciate your thoughts and if my suggested approach (with
two
> >>> servers) truly isn't going to work, it would be huge if
you or someone
> else
> >>> could tell me and give a lot insight why ... because my plan
even with
> a
> >>> *NO* on the ability to change the port that samba-dns listens
on, is
> to use
> >>> two servers as described above ...  If that's not gonna
work for some
> >>> reason it'd be awesome to find out now ...
> >>>
> >>> Thanks,
> >>>
> >>> On Thu, Feb 26, 2015 at 3:06 PM, Rowland Penny <
> >>> rowlandpenny at googlemail.com <mailto:rowlandpenny at
googlemail.com>>
> wrote:
> >>>
> >>>     On 26/02/15 22:58, Ben Cohen wrote:
> >>>
> >>>         My goal is for the samba dns server to be
authoritative for
> >>>         'ad.mydomain.com <http://ad.mydomain.com>
> >>>         <http://ad.mydomain.com>' but not for
mydomain.com
> >>>         <http://mydomain.com>
<http://mydomain.com>. The dns server
> >>>         that the clients in my domain use is statically
configured to
> >>>         resolve all requests for ad.mydomain.com
> >>>         <http://ad.mydomain.com>
<http://ad.mydomain.com> via the
> >>>         samba internal dns -- I believe this is exactly what
is
> >>>         required for samba to function ...  Is this incorrect
somehow?
> >>>
> >>>
> >>>     You should point your domain members to the DC, if the
record the
> >>>     client requires is inside the AD domain, the DC will
return
> >>>     answer, if it doesn't know, it will forward the
request to
> >>>     whatever you have set as the forwarder.
> >>>
> >>>
> >>>         A whole bunch of other samba services can listen on
other than
> >>>         the default service port through configuration options
...
> >>>  Why should the dns service uniquely deserve an all-caps *NO*
> >>>         with regard to this configurability?
> >>>
> >>>
> >>>     You could always try and alter the ldap port that samba4
listens
> >>>     on, oh sorry, you cannot change that either can you.
> >>>
> >>>     Please stop trying to bend AD to your way of working.
> >>>
> >>>
> >>>     Rowland
> >>>     --     To unsubscribe from this list go to the following
URL and
> read
> >>> the
> >>>     instructions:
https://lists.samba.org/mailman/options/samba
> >>>
> >>>
> >>>
> >> Please stop sending emails directly to me, keep it on list.
> >>
> >> If you are struggling with resources, you could run another OS
inside a
> VM
> >> and point the samba forwarder to a DNS server running on the OS in
the
> VM.
> >>
> >> Would you try and circumvent the way a windows server works, I do
not
> >> think so and as samba4 AD works exactly the same as windows AD,
you
> >> shouldn't try to change the way it works.
> >>
> >> Note that this is the last I will have to say on this subject.
> >>
> >>
> >> Rowland
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >>
>
> Your clients don't have to query your Samba DC's for DNS directly.
> Though, it does make troubleshooting/resolving issues much simpler.
>
> One thought would be, replace dnsmasq with BIND, and use BIND to do
> Samba's DNS along with your other DNS needs.
> --
> John Yocum, Systems Administrator, DEOHS
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

I read that page -- but I'm not seeing anything that makes me think my dns
strategy is inappropriate ...

The article does describe the possible deployment strategies in what I
believe to be an overly constrained manner:
>From the wiki:
---

You can use either the internal DNS server that is built into the samba4
binary, or an external bind DNS server. Default is to use the internal
server, and it is highly recommended that when you start using Samba4 as
AD-DC for the first time, you install it this way. You can later switch
between the two variants if needed. If you do use an external bind DNS
server, it must use the DLZ backend and run on the Samba AD DC.

---

In my opinion this should be augmented to explain that its simple to use
the internal samba dns in combination with an external dns server.


Something like:

---

You can use the samba internal dns in combination with any other dns server
so long as that external dns server resolves queries for your active
directory domain via the samba dns server.


For example, suppose you've configured a samba domain to use the internal
dns as like this:

# *samba-tool domain provision --use-rfc2307 --interactive*
Realm [SAMDOM.EXAMPLE.COM]: *SAMDOM.EXAMPLE.COM
<http://SAMDOM.EXAMPLE.COM>*
 Domain [SAMDOM]: *SAMDOM*


The above configures samba with and sets the internal samba-dns as the
authoritative dns server for samdom.example.com.  To ensure clients find
the necessary active directory information for samdom.example.com, ensure
the dns server on your network resolves all queries for samdom.example.com
via the samba internal dns server.


For example to configure a dnsmasq server to resolve queries for
samdom.example.com via the samba internal dns server -- include in your
dnsmasq configuration:

server=/samdom.example.com/192.168.1.2

where 192.168.1.2 in the above is the ip address of the server running
samba4.

---


This third strategy uses the samba internal dns for all dns behavior that
samba/ad depends on, while still allowing use of another dns server than.
The source of truth for samdom.example.com is the samba-dns which is
tightly (and correctly) integrated with the semantics of the active
directory domain.  This setup does not require use of BIND and does not
require clients on the network use the samba dns for name resolution.

On Thu, Feb 26, 2015 at 4:24 PM, Rowland Penny <rowlandpenny at
googlemail.com>
wrote:
> On 27/02/15 00:10, Ben Cohen wrote:
>
>> Whoops - sorry for responding to you directly rather than via the list
--
>> I
>> only use gmail for extremely high-volume mailing lists, and usually
that's
>> just to skim-read them -- so I don't know the gmail web-ui very
well (and
>> it seems to change all the time) -- apologies.  (Also i have no idea
how
>> to
>> not top-post with gmail ...  I'll figure that out for next time)
>>
>> You seem to have strong opinions regarding the default port for the dns
>> server - I disagree with you but I'm not going to try to change
your
>> deeply
>> held beliefs.
>>
>> While expressing your opinions earlier in the thread, the idea was
raised
>> that it is somehow _REQUIRED_ for clients to use the samba internal dns
>> directly rather than receive dns responses via an intermediary dns
server
>> -- can someone confirm whether or not this is the case?
>>
>>
>>
> Try reading this samba wiki page: https://wiki.samba.org/index.
> php/DNS#Which_DNS_backend_should_I_choose.3F
>
> Especially the bit at the top.
>
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On Thu, 2015-02-26 at 16:10 -0800, Ben Cohen wrote:
> 
> While expressing your opinions earlier in the thread, the idea was
> raised
> that it is somehow _REQUIRED_ for clients to use the samba internal
> dns
> directly rather than receive dns responses via an intermediary dns
> server
> -- can someone confirm whether or not this is the case?
It is, as GSS-TSIG secured dynamic updates must go directly to the
target server on port 53, they are not proxied.

If you need to run multiple services, and pointing clients at another
DNS server to proxy to samba is a supported configuration, just don't
try and change the port, change the IP (multiple IP addresses on a
single physical adaptor), and ensure that like LDAP, clients can still
reach it directly.

I really should get around to proposing removal of the various 'xxx
port' options for AD services.  These just add complexity and encourage
folks down the wrong line of thought, rather than to virtual interfaces.
The selection of which services are in or not in that list is
essentially random - portmapper on 135, ldap and ldaps also are not
listed, but cldap is!

As to BIND being overkill, the time I've spent working in AD has shown
me that everything looks like overkill until you have to implement
everything that is needed.  The choice of DNS servers seems to be
something folks get very passionate about, I actually wish we had just
mandated BIND9 and put the effort into automating the configuration.
The current situation where users hope for the simplicity of 'internal
DNS' with just one more option 

I hope this helps,

Andrew Bartlett 



-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba