Auto-sync: 2026-04-28 16:03
36
wiki/concepts/Secure-Dynamic-Updates.md
Normal file
@@ -0,0 +1,36 @@
|
||||
---
|
||||
title: "Secure Dynamic Updates"
|
||||
type: concept
|
||||
tags:
|
||||
- DNS
|
||||
- AWS
|
||||
- Active-Directory
|
||||
- Security
|
||||
sources:
|
||||
- ctp-topic-17-active-directory-services-in-gruntwork-aws-lzs
|
||||
last_updated: 2026-05-05
|
||||
---
|
||||
|
||||
## Definition
|
||||
Secure Dynamic Updates(安全动态更新)是 DNS 协议的一种扩展,允许客户端计算机在通过 Kerberos 身份验证后,自动向 Windows DNS 服务器注册和更新其 A 记录和 PTR 记录。
|
||||
|
||||
## Mechanism
|
||||
- **用途**:Linux 实例在加入 AD 域后,通过 Secure Dynamic Updates 机制自动向 Windows DNS 服务器注册其 DNS A 记录,无需手动配置
|
||||
- **前提条件**:客户端必须使用有效的 Kerberos 票据(由 AD 域控制器颁发),确保只有经过认证的域成员才能更新 DNS 记录
|
||||
- **安全性**:与无安全的动态更新(允许任何人注册任意 DNS 记录)相比,Secure Dynamic Updates 防止了 DNS 污染和欺骗攻击
|
||||
|
||||
## Key Claims
|
||||
- Linux 实例通过 Secure Dynamic Updates 实现无人值守的 DNS 记录注册
|
||||
- 该机制是零接触自动化域管理的关键组成部分
|
||||
|
||||
## Related Entities
|
||||
- [[intsas.local]]:提供 DNS 服务的生产/SAS AD 域名
|
||||
- [[swinford.net]]:提供 DNS 服务的 R&D Labs AD 域名
|
||||
- [[Domain Join]]:Secure Dynamic Updates 依赖于成功的域加入
|
||||
|
||||
## Related Concepts
|
||||
- [[DNS托管]]
|
||||
|
||||
## References
|
||||
- [[ctp-topic-17-active-directory-services-in-gruntwork-aws-lzs]]
|
||||
- [[ctp-topic-19-configuring-dns-within-aws-lzs]]
|
||||
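Review bot: The 安全性 bullet under Mechanism claims more than the 前提条件 bullet above it supports. Requiring a valid Kerberos ticket restricts updates to authenticated domain members, but "Secure Dynamic Updates 防止了 DNS 污染和欺骗攻击" reads as blanket protection against DNS poisoning and spoofing. Suggest rewording it to say that record registration by unauthenticated clients is blocked, and stating what an authenticated member is still allowed to update. Smaller points in the same hunk: the Definition covers A and PTR records while the 用途 bullet mentions only A records; `last_updated: 2026-05-05` is later than the 2026-04-28 auto-sync date on this commit; and References cites ctp-topic-19-configuring-dns-within-aws-lzs, which is missing from `sources:`.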