> I'd guess that setting up BIND configuration files will take your average
> windows admin much longer than setting up equivalent functionality in
> Win2k DNS.

To add a zone is copy/paste of one line in named.conf. To duplicate a zone file when two zones have mostly similar records, copy the file from an existing file or from a template file. But, even better when zones have identical records, or even total identity, using $INCLUDE in the zone files and include "path/file"; in the server config file gives the same powers and leverage as include files in program sources. You can even use the same zone file for multiple domains.

Then of course BIND logging is tons better, showing its Unix roots, and includes debug level tracing.

Also, there is a serious problem in W2K recursion in that it seems not to distribute its queries across multiple nameservers for the same zone, so the query load balancing is not as "good citizen" as BIND is. MS has been made aware of the problem. Perhaps in NT6 or NT7...

> I'll also add this recursion issue to my list of reasons why I (and many
> others) consider a best practice for Win2k split DNS with an internal
> domain suffix (e.g. "mycompany.local") different from the organization's
> publicly registered internet domain name.

I agree. When teaching the Men & Mice DNS Security course, I always recommend separating DNS into delegated-only NS's (no caching, only zone data), which would allow disabling the dangerous W2K recursion, and caching-only NS's. When W2k is used as the latter, recursion is on but you can make it secure by blocking DNS access from Internet.

Len

------
Archives: http://www.swynk.com/sitesearch/search.asp
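The BIND techniques Len describes (one line per zone, `include` in named.conf, `$INCLUDE` in zone files, one zone file serving several domains, and splitting authoritative-only from caching-only servers with recursion disabled or restricted) collected into one worked configuration. This is an added example, not configuration from the list or from Men & Mice; the file paths, the `internal` ACL networks, the zone names example.com/example.net and the 192.0.2.x addresses are assumptions chosen for illustration.

```conf
// ---- /etc/named.conf on the delegated-only (authoritative) server ----
// Assumed paths and networks; adjust to the real deployment.
acl internal { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };

options {
    directory "/var/named";
    recursion no;              // authoritative data only: never recurse for anyone
    allow-query { any; };      // public zones must answer the Internet
    allow-transfer { none; };  // add secondaries' addresses explicitly if needed
};

logging {
    // BIND's per-category logging; bump severity to "debug 3" for tracing.
    channel query_log {
        file "/var/log/named/query.log" versions 3 size 5m;
        severity info;
        print-time yes;
    };
    category queries { query_log; };
};

// All zone statements live in one file; adding a zone is one line there.
include "/etc/named/zones.conf";

// ---- /etc/named/zones.conf ----
// Both domains point at the same zone file: the records are written relative
// to "@", so the file is valid under either origin.
zone "example.com" IN { type master; file "db.shared"; };
zone "example.net" IN { type master; file "db.shared"; };

// ---- /var/named/db.shared ----
// Shared zone data. Note the serial is shared too: bump it once and both
// zones pick up the change on reload.
$TTL 86400
@       IN  SOA ns1 hostmaster ( 2024010101 3600 900 604800 86400 )
        IN  NS  ns1
ns1     IN  A   192.0.2.10
$INCLUDE "common-records.inc"

// ---- /var/named/common-records.inc ----
// Records identical across zones, maintained once (relative names only).
www     IN  A   192.0.2.20
mail    IN  A   192.0.2.30
@       IN  MX  10 mail

// ---- /etc/named.conf on the caching-only (resolver) server ----
// No zone data at all; recursion is on, but only for the internal networks,
// and the Internet cannot query it, which is the "block DNS access from
// Internet" step for the resolver role.
acl internal { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { internal; };
    allow-query     { internal; };
    allow-transfer  { none; };
};
```

Check each file with `named-checkconf /etc/named.conf` and `named-checkzone example.com /var/named/db.shared` (and again with `example.net`) before reloading; the second check confirms the shared file is actually origin-independent.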
