To assist Windows 2000 administrators, ISC provides instructions describing how to configure Windows 2000 for use on PennNet by disabling dynamic DNS updates and using statically-configured DNS records instead. This configuration prevents Windows 2000 from generating unnecessary DNS traffic by sending repeated DNS update requests that cannot be accepted by Penn's DNS servers.
In its default configuration, Microsoft Windows 2000 attempts to dynamically update records in the Domain Name System (DNS). While dynamic update functionality is supported by Penn's DNS servers (and is actively used by Penn's own DNS management software), Microsoft's implementation relies on a proprietary authentication mechanism that does not interoperate with other vendors' DNS servers (most notably the Internet Software Consortium's BIND software, which is used to provide DNS service for Penn and for most of the Internet). It will not be possible for Windows 2000 to update Penn's DNS servers until Microsoft either develops an interoperable DNS implementation or else provides sufficient documentation for others to implement Microsoft's proprietary authentication scheme.
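Because Penn's BIND servers refuse these updates, every Windows 2000 host left in its default configuration leaves a trail of refused-update log entries, and a Windows 2000 host retries the same forward and reverse updates indefinitely. The following script is an added example, not part of ISC's instructions: it scans BIND log lines for refused updates and lists the clients that keep retrying, so an administrator can find the hosts that still need dynamic update disabled. The log lines are constructed, and the "update ... denied" message format is assumed from BIND 9 (BIND 8 logs the same event as "unapproved update from [addr].port for zone").

```python
"""List hosts that keep sending dynamic DNS updates a BIND server refuses."""
import re
from collections import Counter, defaultdict

# BIND 9 message for a refused RFC 2136 update (format assumed for this example):
#   client 10.1.2.3#1034: update 'upenn.edu/IN' denied
DENIED_RE = re.compile(
    r"client (?P<addr>[\d.]+)#(?P<port>\d+): update '(?P<zone>[^']+)' denied"
)

# Constructed sample log: one host retrying every five minutes, one host that
# tried once, and an ordinary query line that must be ignored.
SAMPLE_LOG = """\
Mar 03 09:00:01 ns1 named[123]: client 10.1.2.3#1034: update 'upenn.edu/IN' denied
Mar 03 09:00:02 ns1 named[123]: client 10.1.2.3#1034: update '2.1.10.in-addr.arpa/IN' denied
Mar 03 09:00:05 ns1 named[123]: client 10.1.2.7#1025: update 'upenn.edu/IN' denied
Mar 03 09:05:01 ns1 named[123]: client 10.1.2.3#1034: update 'upenn.edu/IN' denied
Mar 03 09:05:02 ns1 named[123]: client 10.1.2.3#1034: update '2.1.10.in-addr.arpa/IN' denied
Mar 03 09:10:01 ns1 named[123]: client 10.1.2.3#1034: update 'upenn.edu/IN' denied
Mar 03 09:10:02 ns1 named[123]: client 10.1.2.3#1034: update '2.1.10.in-addr.arpa/IN' denied
Mar 03 09:11:00 ns1 named[123]: client 10.9.9.9#53: query: www.upenn.edu IN A
"""


def denied_updates(log_text):
    """Return {client_ip: Counter(zone -> refused-update count)} for the log."""
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            per_client[m.group("addr")][m.group("zone")] += 1
    return per_client


def repeat_offenders(log_text, min_attempts=3):
    """Clients with at least min_attempts refused updates, noisiest first.

    Each entry is (client_ip, total_refused, sorted list of zones). A host
    that tried once is not reported; a host retrying on a schedule is.
    """
    per_client = denied_updates(log_text)
    totals = {ip: sum(zones.values()) for ip, zones in per_client.items()}
    return sorted(
        ((ip, n, sorted(per_client[ip])) for ip, n in totals.items() if n >= min_attempts),
        key=lambda entry: -entry[1],
    )


if __name__ == "__main__":
    for ip, n, zones in repeat_offenders(SAMPLE_LOG):
        print(f"{ip}: {n} refused updates to {', '.join(zones)}; disable dynamic DNS update on this host")
```

Run it against the server's named log (e.g. piped from syslog) instead of SAMPLE_LOG to produce the list of hosts to reconfigure.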
Even if in the future it becomes technically possible for Windows 2000 to send authenticated updates to Penn's DNS servers, Penn would not have a scalable method for authorizing and constraining the scope of update requests from all Windows 2000 systems. Without such authorization, update requests from these systems could be used to alter or replace existing records in the DNS and thereby hijack hostnames that have been assigned for other purposes. This would adversely affect all of the services that rely on the integrity of Penn's DNS records.
An alternative approach would be to delegate authority for subdomains under the upenn.edu namespace to Microsoft DNS servers operated by departments that are deploying Windows 2000, allowing those departments to locally manage authentication and authorization for DNS updates within their subdomains. But this approach would potentially violate the Policy on the Use of PennNet IP Address Space approved by Penn's Network Policy Committee, which requires all PennNet hosts to be registered in the DNS using ISC's central DNS management software in order to track information required for billing, security, and troubleshooting. Additionally, this solution would require delegation of the reverse lookup domains (under the in-addr.arpa namespace) for each such department; this would be straightforward for Penn's IP subnets that are used exclusively by a single department, but for IP subnets that are shared by multiple departments it would be more complicated and might require allocating additional subnets and/or renumbering many hosts.
Because subdomains are not delegated, Windows 2000 Domain Controllers cannot act as DNS servers for any part of the upenn.edu namespace. This does not prevent the use of Active Directory; ISC's instructions for configuring Windows 2000 Server describe how to create the necessary DNS records for Active Directory using Penn's existing DNS management software.
Information Systems and Computing
University of Pennsylvania