Administrators of Mac OS X servers should avail themselves of the documentation and design principles of Unix and of the intelligent, thoughtful people who write the Unix software that allows the internet to work.
The global DNS in particular is a beautifully designed concept, manifested on Unix-like systems in ISC’s BIND. As a way of cutting corners and appearing to be nice to end users, system administrators often decide that the network ‘at the office’ should exist in the same DNS namespace as the network ‘on the internet’, usually in a misguided attempt to improve routing for mail or file server access in the interests of security and performance.
It is as if the work of Mark Cox and the OpenSSL team didn’t exist or was too difficult to get going on the platform (in Mac OS X Server I think they have it down to a five-button-click procedure now, plus some waiting for a domain registrar to process your certificate request). The security of exterior services shouldn’t depend on sleight of hand. They should be made secure and trustworthy at the source, for both external and internal nodes. Kerberos on Mac OS X Server bootstraps itself into full operation with almost no user intervention, provided it has been planned and provisioned for, and nearly all available services on Mac OS X Server have been Kerberized.
Apple themselves have even gotten around to explaining the correct way to configure DNS for the legions of Mac coolies who buy their hardware and rely on real genius to see them through the darkness. The amazing thing is that the correct way to configure DNS is so beautifully uncomplicated: name-to-IP-address mappings should, above all things, be unique.
Microsoft have never been so tongue-tied on the subject:
http://support.microsoft.com/kb/254680/en-us
“It is critical that the design of the DNS namespace be created with Active Directory in mind and that the namespace that exists on the Internet not conflict with an organization’s internal namespace.”
Windows is of course a terror on the internet, and heavy fortification is a must unless you want servers melting down in a viral stew.
Mac OS X works well despite any number of bad design choices in deployment planning (and sometimes despite the best efforts of its users). A standard Open Directory Master configuration is as easy to configure for a top-level domain as it is for a small private school. Being “rock solid” can very easily lead to sloppy implementation.
Speaking of which, the administrator putting Mac OS X Server in a small environment should consider Bonjour as the primary internal DNS resolver. With some planning and organized naming of computers at the point of unboxing, Mac OS X can essentially take care of itself in resolving internal names to internal IP addresses. There is even hope for the careless, as there is nothing technically wrong with having dozens of machines on the network named “First User’s Computer (x)”, where x is one more than the number of computers that were on before you. Open Directory in Leopard makes disturbingly efficient use of Bonjour in connecting isolated client machines to a central directory store. Bonjour makes use of the .local domain, which cannot be registered on the internet at large; thus locality can be ensured. For larger networks Bonjour cannot be guaranteed to scale, so it’s best to implement standard DNS with BIND.
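The two rules above, that a name should map to one set of addresses no matter who asks and that .local belongs to Bonjour rather than to an authoritative zone, can be turned into a check over zone data. This is an added example, not code from the post or from Apple; its zone records and the example.com names are constructed placeholders.

```python
from collections import defaultdict
import ipaddress

# Constructed sample zone data (BIND-style A records) for two views of the
# same organisation: what internal clients see and what the internet sees.
INTERNAL_ZONE = """\
mail.example.com.   IN A 192.168.1.10
www.example.com.    IN A 192.168.1.20
files.example.com.  IN A 192.168.1.30
printer.local.      IN A 192.168.1.40
"""
EXTERNAL_ZONE = """\
mail.example.com.   IN A 203.0.113.10
www.example.com.    IN A 203.0.113.20
vpn.example.com.    IN A 10.0.0.5
"""

# RFC 1918 address space, which should never appear in a public zone.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_zone(text):
    """Map each owner name to the set of IPv4 addresses its A records give it."""
    records = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1:3] == ["IN", "A"]:
            records[parts[0].lower()].add(parts[3])
    return records

def find_split_horizon(internal, external):
    """Names served in both views with different addresses: the same name means
    a different host depending on who asks, which is what the post argues against."""
    return sorted(n for n in internal.keys() & external.keys() if internal[n] != external[n])

def find_local_misuse(*zones):
    """Owner names under .local in an authoritative zone; that suffix is reserved
    for multicast DNS (Bonjour) and cannot be registered on the internet."""
    return sorted(n for zone in zones for n in zone if n.endswith(".local."))

def find_private_leaks(external):
    """Externally published names whose addresses fall in RFC 1918 space."""
    return sorted(n for n, addrs in external.items()
                  if any(ipaddress.ip_address(a) in net for a in addrs for net in RFC1918))

if __name__ == "__main__":
    internal, external = parse_zone(INTERNAL_ZONE), parse_zone(EXTERNAL_ZONE)
    print("names that differ by view:", find_split_horizon(internal, external))
    print(".local in an authoritative zone:", find_local_misuse(internal, external))
    print("RFC 1918 addresses published externally:", find_private_leaks(external))
```

Run against real zone files exported from both views, a non-empty first list is exactly the split namespace the post warns about.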
Domain.local or domain.lan is a rubbish way of doing it, even in Windows. If you ever want any sort of integration in the future, then rip your domain apart. Using <internal>.mydomain.com is loads better and any non-Windows techs will thank you for using DNS properly. -CPTRELENTLESS
A careful study of DNS and its proper configuration yields admiration for its designers, appreciation for its design, and can illuminate secret truths about any hierarchical system.