TSIG/IP Transactions

Kevin Darcy kcd at daimlerchrysler.com
Fri May 31 15:45:16 UTC 2002


rwatson at OFDA.NET wrote:

> Hello,
>
> We host our own primary DNS, one slave and we also have our ISPs each set
> up as slaves as well.
>
> For redundancy and diversity we use 1 slave from each ISP, plus our slave.
> I would like to use TSIG, however, only 1 of the ISPs supports TSIG
> transactions, leaving 2 slave servers that don't.
>
> My question is, if I use the non-TSIG slaves and also begin using TSIG
> enabled master/slave servers, will I be potentially compromising, leaking
> keys or otherwise weakening the security of the zone?  (In any way, shape or
> form?) (Because I am cohabitating TSIG with non-TSIG zone transfers???)

No, you won't be leaking keys. But if you consider it "leakage" to allow
anyone to zone transfer your zones, then I guess you have "leakage". You
could, of course, always restrict zone transfers with a combination of
TSIG keys and/or source IP addresses, which would make it marginally more
secure than simply opening it up to the world...


- Kevin
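The mixed setup Kevin describes, restricting transfers by TSIG key for the one slave that supports it and by source address for the others, as an added BIND 9 named.conf example that is not from the original post. The zone name, key name, secret and addresses are constructed placeholders, and the example assumes a current BIND 9 that supports hmac-sha256.

```conf
// Added example (not from the original post). Master-side named.conf
// fragment: the open setting the reply warns about, beside the restricted one.

// Weak: any host on the Internet may pull the zone (commented out).
// zone "example.com" {
//     type master;
//     file "example.com.zone";
//     allow-transfer { any; };
// };

// TSIG key shared only with the one ISP slave that supports TSIG.
key "isp1-xfer-key" {
    algorithm hmac-sha256;
    secret "c2FtcGxlLWNvbnN0cnVjdGVkLXNlY3JldA==";   // constructed, not a real key
};

// Slaves that cannot speak TSIG are admitted by source address only.
acl "nontsig-slaves" {
    192.0.2.53;      // our own slave (TEST-NET placeholder)
    198.51.100.53;   // ISP 2 slave (TEST-NET placeholder)
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // Restricted: a transfer request is accepted only if it is signed with
    // the key OR comes from one of the listed addresses; all else is refused.
    allow-transfer { key isp1-xfer-key; "nontsig-slaves"; };
};
```

Only the ISP-1 slave gets TSIG's integrity and authentication; the address-matched slaves are still served unsigned, so keep the TSIG-capable slave out of the address ACL or it loses that benefit. Run named-checkconf on the file before reloading.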