nsupdate, dnskeygen, trusted-keys, OH my!
Kevin Darcy
kcd at daimlerchrysler.com
Wed Oct 11 22:30:47 UTC 2000
AFAIK, trusted-keys is only used for DNSSEC, which essentially requires
you to build a security infrastructure. If all you want to do is
strongly-crypto-authenticate your Dynamic Updates amongst a fairly-small
number of servers and/or clients, I'd look at TSIG instead. Generate a
shared-secret TSIG key for each server or, depending on your paranoia
level, each server/client combination, configure it/them into the server
and use the "-k" option of nsupdate to sign the updates with that key.
This is obviously non-scalable to larger numbers of clients and/or servers
because of the key distribution and/or management problems...
- Kevin
Chris MacLeod wrote:
> I've been wrestling with nsupdate for a couple of days now and have
> finally gotten it working with ip based security rules.
>
> I'm trying to do key based authentication now so I can't be spoofed.
>
> Could someone point me to a good reference (or post here) what a
> named.conf using trusted-keys with nsupdate should look like. And also
> how keys should be generated with dnskeygen.
>
> Thanks.
>
> Stick
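
The TSIG setup suggested in the reply above, sketched as an added example that is not part of the original thread. It assumes a current BIND 9 with `tsig-keygen` and HMAC-SHA256 rather than the `dnskeygen` tool named in the question; the key name, zone, file paths and addresses are placeholders.

```conf
// Constructed example; key name, zone, file paths and addresses are placeholders.
// Generate the shared secret on the server (assumes the BIND 9 tsig-keygen tool):
//   tsig-keygen -a hmac-sha256 ddns-key > /etc/bind/ddns-key.conf
// That file holds a key statement in this form:
key "ddns-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_GENERATED_BASE64_SECRET";
};

zone "example.com" {
    type master;
    file "dynamic/example.com.db";

    // Before: address-based rule, which trusts the source IP of the update.
    // allow-update { 192.0.2.10; };

    // After: only updates signed with this TSIG key are accepted.
    allow-update { key "ddns-key"; };
};

// On the client, with a copy of the same key file readable only by the
// user that sends updates:
//   nsupdate -k /etc/bind/ddns-key.conf
//   > server ns1.example.com
//   > zone example.com
//   > update add host1.example.com. 300 A 192.0.2.20
//   > send
```

Using one key per client, as the reply suggests for stricter setups, means one `key` statement per client and a matching entry in each zone's `allow-update` list.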