IIS 6: The Complete Reference

WS03 DNS services support dynamic update (RFC 2136), which lets clients enter their own A (address) and PTR (pointer) records into DNS. Traditional DNS is static, so when IP addresses change, the corresponding DNS records fall out of sync. This hasn't been much of a problem historically, because servers were the only machines with DNS records, server IP addresses were essentially static, and most name resolution was done with WINS anyway. Now that Windows is much more DNS-reliant, it is more important than ever that all machines are in DNS. Because many clients are on DHCP and can receive a different IP address at each lease, without a means to update DNS when a client's address changes, their records would quickly become stale or wrong. This is where dynamic DNS comes in. When clients get a new IP address, they register their records themselves (on Windows the client registers its A record, and by default asks the DHCP server to register the PTR record on its behalf), so there is no administrator overhead in keeping those records current.

When you create a DNS zone, you choose whether to allow dynamic updates and, for Active Directory-integrated zones, whether to require that they be secure (you can also change this later; in the DNS console the zone's Dynamic updates setting is None, Nonsecure and secure, or Secure only). Let's take a look at the differences between the two types of updates: regular (nonsecure) and secure.

Regular Dynamic Update

With regular (nonsecure) dynamic updates, the clients or the DHCP server are responsible for updating the DNS A and PTR records, and the DNS server accepts an update for any name from any host that can reach it without authenticating the sender. Because anyone can register a name, you can't stop someone from registering a rogue IP address under a name that matters, for example overwriting a file server's or domain controller's A record so that clients connect to an attacker's machine instead. Such a predicament is inherently insecure; thus, secure dynamic update was born.

Secure Dynamic Update

Secure dynamic update is available only for Active Directory-integrated zones, because it depends on the records living in AD. The DNS server authenticates the client registering the name (Windows uses Kerberos for this), and every registered name is stored as an AD object with a standard Windows ACL, so only principals that meet the security permissions on that object can modify the record. The principal that registers a name becomes its owner, so one machine cannot overwrite another machine's record. This is handy, because you can lock down a zone so that only your servers and your DHCP server can create or update records. Two caveats for the practitioner: the default zone permissions still let any authenticated domain member create a new name, so secure update stops unauthenticated and cross-owner changes rather than all registration, and if the DHCP server registers records on behalf of clients, it becomes their owner, so clients that later register for themselves will be unable to update them unless the DHCP server's ownership is accounted for (the DnsUpdateProxy group exists for this, but records it creates are unsecured until another principal takes ownership).
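The following is an added example, not code from the book. It audits a server's primary zones for the nonsecure setting described above, switches Active Directory-integrated zones to secure-only, and then inspects the ACL on one registered name to show that per-record permissions are what actually enforce the restriction. It assumes the DnsServer and ActiveDirectory PowerShell modules (Windows Server 2012 or later, or RSAT) rather than the WS03-era dnscmd tool, whose equivalent commands are noted in comments; the zone, host and domain names are hypothetical.

```powershell
# Added example; not from the book. Assumes the DnsServer and ActiveDirectory
# modules. dnscmd equivalents (Windows Server 2003) are noted in comments.

Import-Module DnsServer

# 1. Audit: find every primary zone that still accepts nonsecure updates.
#    DynamicUpdate is one of None, NonsecureAndSecure, Secure.
#    (dnscmd: "dnscmd /ZoneInfo <zone>" reports the zone's update setting)
$weak = Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and $_.DynamicUpdate -eq 'NonsecureAndSecure' }

$weak | Select-Object ZoneName, IsDsIntegrated, IsReverseLookupZone, DynamicUpdate |
    Format-Table -AutoSize

# 2. Fix: secure-only is valid only for AD-integrated zones. A file-backed
#    primary zone must either be converted to AD-integrated first or have
#    dynamic updates turned off entirely.
#    (dnscmd: "dnscmd /Config <zone> /AllowUpdate 2"; 1 = nonsecure and secure, 0 = none)
foreach ($z in $weak) {
    if ($z.IsDsIntegrated) {
        Set-DnsServerPrimaryZone -Name $z.ZoneName -DynamicUpdate Secure
        Write-Host "Zone $($z.ZoneName) now requires secure updates"
    } else {
        Write-Warning ("Zone {0} is file-backed: run ConvertTo-DnsServerPrimaryZone " +
                       "-Name {0} -ReplicationScope Domain, then set DynamicUpdate Secure" -f $z.ZoneName)
    }
}

# 3. Check: who can modify a specific registered name? Each name is a dnsNode
#    object in AD with its own ACL; the registering principal owns it.
#    The DN below assumes zone contoso.com replicates to the DomainDnsZones
#    partition of domain contoso.com and that host app01 is registered in it
#    (all hypothetical).
Import-Module ActiveDirectory
$node = 'DC=app01,DC=contoso.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=contoso,DC=com'
$acl  = Get-Acl -Path "AD:\$node"

Write-Host "Owner of app01.contoso.com record: $($acl.Owner)"
$acl.Access |
    Where-Object { $_.ActiveDirectoryRights -match 'Write|GenericAll|Delete' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
    Format-Table -AutoSize
```

Run the audit portion first on its own before applying step 2; the Owner printed in step 3 is the computer account (or the DHCP server's account) that registered the name, which is exactly what prevents another host from overwriting it under secure-only updates.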
