Alcatel-Lucent VitalQIP Technology White Paper page 13

Integration with Microsoft Windows 2003 Networking/Active Directory

Domain Controllers would be in the ACL for the underscore domains, and this would
allow them to handle the SRV records and CNAME records automatically. We
recommend, however, that the A and PTR records, which would be in a non-underscore
parent domain, be entered as static IP objects in the VitalQIP GUI. Likewise, any
other servers with static IP addresses should be entered as such in the GUI.
See the message flow diagram in Figure 3.
Maintaining security for DNS zones
In BIND 8.x (either third-party ISC BIND or Alcatel-Lucent DNS 3.1, but not MS-DNS),
authorization for updates, transfers, or queries for each zone is granted according to
Access Control Lists. Each zone has three policies (allow-update, allow-query,
allow-transfer), each of which can be set to None, Any, a list of IP addresses or
subnet addresses, localhost, or localnets.
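
An added example (not from the white paper): a short Python audit that reads BIND zone statements and reports any zone whose allow-update or allow-transfer is set to any, or that leaves one of the three policies unset at zone level. The named.conf excerpt, ACL name and addresses are constructed, and the parser assumes no comments or quoted braces inside zone blocks.

```python
import re

# Constructed named.conf excerpt (zone names, ACL name and addresses are made up).
SAMPLE_CONF = '''
acl "qip-updaters" { 192.0.2.10; 192.0.2.11; };
zone "example.com" {
    type master;
    allow-update { "qip-updaters"; };
    allow-transfer { 192.0.2.20; };
    allow-query { any; };
};
zone "_msdcs.example.com" {
    type master;
    allow-update { any; };
    allow-transfer { any; };
};
'''

POLICIES = ("allow-update", "allow-query", "allow-transfer")
ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{;]*\{')
POLICY_RE = re.compile(r'\b(allow-(?:update|query|transfer))\s*\{([^}]*)\}')

def zone_bodies(conf):
    """Yield (zone name, body text), using brace counting to find each zone's end."""
    for m in ZONE_RE.finditer(conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def audit(conf):
    """Return {zone: [findings]} for zones whose ACLs are open or left implicit."""
    report = {}
    for name, body in zone_bodies(conf):
        # Map each policy found in the zone to its address-match-list elements.
        acls = {k: [e.strip().strip('"') for e in v.split(";") if e.strip()]
                for k, v in POLICY_RE.findall(body)}
        findings = []
        for policy in ("allow-update", "allow-transfer"):
            if "any" in acls.get(policy, []):
                findings.append(f"{policy} is open to any host")
        findings += [f"{p} not set in zone" for p in POLICIES if p not in acls]
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    for zone, findings in audit(SAMPLE_CONF).items():
        print(zone, "->", "; ".join(findings))
```

A policy reported as "not set in zone" takes its value from the global options or the server default, so check those before treating the zone as restricted.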
BIND 9.x (including Alcatel-Lucent DNS 4.0) has some additional security: control
messages are authenticated with an MD5 signature and shared secrets.
In this all-Alcatel-Lucent solution, allow-update should be set to "Use List" for most
domains and reverse zones. All zones should allow updates from the Enterprise server
and VitalQIP client GUIs. If you have a long list of VitalQIP client GUIs, you can
configure VitalQIP so that GUIs send updates via the DNS Update Service on the
Enterprise server
Alcatel-Lucent | Integration of VitalQIP® with Microsoft Windows 2003 Networking/Active Directory