Hi John. Sorry if this sounds picky, but a dot out of place in this game is the difference between success and crash-n-burn.
Please can you show me EXACTLY what ...10.in-addra.arpa zones you have in both sets of DNS? >From previous work with AD clients I think that, if it doesn't already exist, MS DNS will auto-create the reverse zone with the class (remember classes?) that matches the client's IP. e.g. if a client comes along saying "I'm 10.1.2.3" then MS DNS will create the /8 or class A reverse zone "10.in-addr.arpa". Not "3.2.1.10..." or "2.1.10..." or "1.10..." but the whole of 10! This is because (close your ears MS) it assumes it is the only DNS in town. Why would there be another one? If there is one client with a 10.x.y.z address then there are potentially several billion more, so we'll create 10... just to be on the safe side. This makes MS DNS THE source of truth for all 10, so no-one else can have any of it unless you start creating delegations. More on that in a bit. So first things first, Is this what happens in your environment? Or something else? Real examples please + screenshots from MS DNS of the list of zones. Screenshots? In a mailing list?? Try it anyway. You can redact hostnames if you like, though they won't mean anything out of context. Secondly, why do you have ...10 in BIND at all? What's its purpose? Next, I would keep it simple. Don't try and replicate data in different places if you don't need to. You COULD use zone transfer, of course, which brings me to my next point... Decide on a policy and stick to it. What data do you want MS DNS to be authoritative for, what data do you want BIND to be authoritative for and where do users send their queries? For example, if AD clients are all assigned addresses from the range 10.1 then MS DNS only needs a zone 1.10..., not 10... The automatic zone creation behaviour can be overridden if you create the zones you need at the start. In a previous life, I wanted ALL clients to query BIND and for MS to be just a database. BIND would be authoritative for 10, MS would be authoritative for (say) 1.10 and 2.10 but NOT 10. BIND would be authoritative for 10 and delegate 1.10 and 2.10 to MS. ALL clients would query BIND, including when performing their dynamic updates to MS. This works because BIND knows who is responsible for all addresses starting 10.1 or 10.2 Long-winded, I know. But I think it's important to understand your end goal before configuration. Cheers, Greg On Sat, 16 Sept 2023 at 01:16, John Thurston <john.thurs...@alaska.gov> wrote: > A host which auto-registers in MS DNS, creates an A in foo.alaska.gov and > PTR in whatever.10.in-addr.arpa. MS DNS is happy to publish those. > > But the DNS system running on BIND also has a whatever.10.in-addr.arpa > zone. > > So if I want to find the PTR for 13.12.11.10.in-addr.arpa, I must query > both DNS systems in turn. If I get NXDOMAIN from both, then I can say the > PTR doesn't exist. > > On each system, I'd like to be able to take the 10.in-addr.arpa data from > the other, compute the differences, and incorporate them locally. Then I'll > be able to query either system, and accept an NXDOMAIN with confidence. > > And since writing my earlier note, I have re-located the code I think I > stumbled across earlier > > Tony Finch's "nsdiff" > > > https://dotat.at/prog/nsdiff/ > > > -- > Do things because you should, not just because you can. > > John Thurston 907-465-8591john.thurs...@alaska.gov > Department of Administration > State of Alaska > > On 9/15/2023 2:21 PM, Greg Choules wrote: > > Hi John. > Can you tell me a bit more please? > - What zones exist in both BIND and MS DNS for something.10.in-addr.arpa? > - Where are hosts auto registering to? I'd guess MS, but it would be good > to confirm. > - What does fragmentation look like? A few real examples would be useful. > I'm trying to understand just what is the problem. > - How much of 10 do you use? > - What do you mean by "...can be published from two different DNS > services."? Could you expand on that please? > - Is there any zone transfer between BIND and MS DNS? > > Thanks, Greg > > On Fri, 15 Sept 2023 at 21:00, John Thurston <john.thurs...@alaska.gov> > wrote: > >> This question involves making our BIND system work with Microsoft's DNS >> software. If this makes it off-topic, let me know and I'll be quiet about >> it. >> >> We use ISC BIND to hold and host most of our zone data. Internally, we >> have delegated some zones, and they are held in Microsoft DNS. These zones >> are used for MS Active Directory 'Domains', and accept auto-registration of >> DNS records from authorized hosts. Because we are using 10-dot addresses >> internally, the auto-registration by hosts causes fragmentation of the >> 10.in-addr.arpa zone data. >> >> I recall someone once offered a bit of code to mash this zone data back >> together, so the same information can be published from two different DNS >> services. I've hunted through this list's archive and have not found the >> reference. Before I go roll my own, can anyone point me at an existing >> solution? >> >> -- >> -- >> Do things because you should, not just because you can. >> >> John Thurston 907-465-8591john.thurs...@alaska.gov >> Department of Administration >> State of Alaska >> >> >> -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > ISC funds the development of this software with paid support > subscriptions. Contact us at https://www.isc.org/contact/ for more > information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users >
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
