Curtis wrote:
>1) The Win2K DNS implementation and BIND can talk, but you can't use Active
>Directory integrated DNS zones (the easiest), and it takes some configuring.
>       - That is worth learning, just for fun.  :-D
>2) Keeping your AD info on your router would be a scary security practice,
>unless you've got Win2K, AD, BIND, router, host, and network security all
>sewn up.  :-D
>       - This may not be a concern for you, but no compromise is a good
>compromise.  :-D
>
>If you do dive into this, Shawn, please let me know, I'd love to track
>along with you.


yep, now that things are working more or less the way they should, I'll
abandon the idea of using BIND for the MS Active Directory.  Probably more
headache than I really want/need - I need to get my site operational now
(get rid of the ugly rocket).


>That file (from my reading, needs testing) gets fired every time the IP
>changes, and not even at startup if the IP has not changed.
>
>Here are the contents by default (Slackware 8.1):
>
>#!/bin/sh
>echo "(dhcpcd)  IP address changed to $1" | logger
>
>So ideally, all you'd have to do is add the appropriate nsupdate commands
>after that and feed it the $1 variable:
>
>#!/bin/sh
>echo "(dhcpcd)  IP address changed to $1" | logger
>server srns1.superreal.net
>prereq yxdomain open2space.com
>update delete open2space.com
>update add open2space.com 900 in a $1
>update add open2space.com 900 in mx 10 $1
>server srns1.superreal.net
>prereq nxdomain www.open2space.com
>update add www.open2space.com 900 cname open2space.com


This won't work quite like this, though you're on the right track.  We would
need the nsupdate commands written out to a file, then pass that file to
nsupdate.  I don't know the scripting language well enough yet to do this
(I'll have to dig out a book from the library at work).  So in pseudo-code,
the routine would go something like so:

if the ip address has changed
  remove the old nsupdate command script
  create a new nsupdate command script using the new IP
  run nsupdate ("nsupdate myScriptFile")
end if

The catch I encountered was that the line "update delete open2space.com" is
supposed to clear all resource record entries for the domain, but doesn't.
So, I had to do something like "update delete open2space.com in a x.x.x.x"
where the x.x.x.x is the old IP.  The addition of the new IP can be before
or after this command, but the old IP has to be explicitly removed.  (Should
mention, though, that this could just be the way my DNS host is set up...)

Can anyone speak to the security of this?  Can just anyone do an nsupdate on
my domain?  I know nsupdate supports signature files, which can make it
secure, but without the sig files is there any provision for security?

Shawn
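
The hook Shawn sketches in pseudo-code above, written out as a working dhcpcd IP-change script. This is an added example, not code from Curtis or Shawn: it writes the nsupdate command file for the new address, explicitly deletes the old A record (the behaviour Shawn observed), and then runs nsupdate. Assumptions not in the thread: the last-seen address is remembered in a state file (STATE_FILE, default /var/run/dhcpcd-last-ip), nsupdate uses BIND 9 syntax (`send` ends a transaction, `prereq nxrrset` guards the one-time MX record), the MX target is the zone apex rather than an IP (MX records must name a host), and the TSIG key file from Shawn's security question is passed with nsupdate's `-k` option via KEYFILE. Without such a key, whether "just anyone" can update the zone is decided purely by the server's allow-update policy, so the key file is the control that actually answers that question.

```shell
#!/bin/sh
# Added example: dhcpcd hook that generates and runs an nsupdate command file.
# Names from the thread: zone open2space.com, name server srns1.superreal.net.
ZONE="open2space.com"
NS="srns1.superreal.net"
STATE_FILE="${STATE_FILE:-/var/run/dhcpcd-last-ip}"   # assumed path: last address we pushed
KEYFILE="${KEYFILE:-}"                                 # assumed: TSIG key file for nsupdate -k
NSUPDATE="${NSUPDATE:-nsupdate}"                       # assumed: lets a test substitute a stub

log_msg() { echo "$*" | logger 2>/dev/null || echo "$*" >&2; }

# Accept only a dotted quad with octets 0-255; dhcpcd's $1 should never be
# anything else, and the check keeps junk out of the command file we generate.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the nsupdate command file for NEW_IP. When OLD_IP is known, its A
# record is deleted explicitly, since a bare "update delete ZONE" did not
# clear the zone for Shawn. Each "send" is a separate transaction.
build_nsupdate_script() {
    new_ip="$1"; old_ip="$2"
    printf 'server %s\n' "$NS"
    [ -n "$old_ip" ] && printf 'update delete %s in a %s\n' "$ZONE" "$old_ip"
    printf 'update add %s 900 in a %s\n' "$ZONE" "$new_ip"
    printf 'send\n'
    # One-time records, guarded by prerequisites so reruns do not duplicate them.
    printf 'prereq nxrrset %s in mx\n' "$ZONE"
    printf 'update add %s 900 in mx 10 %s\n' "$ZONE" "$ZONE"
    printf 'send\n'
    printf 'prereq nxdomain www.%s\n' "$ZONE"
    printf 'update add www.%s 900 in cname %s\n' "$ZONE" "$ZONE"
    printf 'send\n'
}

# Act only when the address differs from the one recorded in STATE_FILE.
# Returns 0 on success or no-op, non-zero if the address is bad or nsupdate failed.
handle_ip_change() {
    new_ip="$1"
    if ! valid_ipv4 "$new_ip"; then
        log_msg "(dhcpcd) refusing to publish bad address: $new_ip"
        return 1
    fi
    old_ip=""
    [ -r "$STATE_FILE" ] && old_ip=$(cat "$STATE_FILE")
    [ "$new_ip" = "$old_ip" ] && return 0
    script="${TMPDIR:-/tmp}/nsupdate.$$"
    build_nsupdate_script "$new_ip" "$old_ip" > "$script"
    if [ -n "$KEYFILE" ]; then
        "$NSUPDATE" -k "$KEYFILE" "$script"; status=$?
    else
        "$NSUPDATE" "$script"; status=$?
    fi
    rm -f "$script"
    [ "$status" -eq 0 ] && echo "$new_ip" > "$STATE_FILE"
    return "$status"
}

# dhcpcd invokes this script with the new address as $1 (Slackware 8.1 default
# just logs it); only run the hook when called that way.
if [ $# -eq 1 ]; then
    log_msg "(dhcpcd)  IP address changed to $1"
    handle_ip_change "$1"
fi
```

Point dhcpcd's IP-change hook at this file (or paste it into the existing one), give it execute permission, and set KEYFILE to the TSIG key file if the zone requires signed updates; the state file means a reboot without an address change sends nothing.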
