How secure is rndc?

Edward Lewis Ed.Lewis at
Fri Dec 22 12:55:44 UTC 2006

Having heard from Mark "Final Authority" Andrews (wink) on the matter ...

At 13:42 -0600 12/21/06, Len Conrad wrote:

>What's to encrypt when the packet content is a generic signal?

The signal isn't always "generic."  For instance, you can't tell what 
zones are on a server (as opposed to what servers serve a zone).  If 
you are running servers and don't want to reveal the zones there, you 
don't want a "reload" command to expose it.

I'm not saying that it is normal or vital to want or do this.  But 
there is a wide range of needs and desires driving the use of DNS. 
I'm not saying that RNDC be made to encrypt the traffic either, if 
you wanted that you can use other tools like SSH, IPSEC, VPNs, etc.

Which circles back to the original question: what does RNDC/TSIG + 
SSH offer that is not in plain RNDC/TSIG?  The answer is pretty much 
the encrypted nature of the packets.

Edward Lewis                                                +1-571-434-5468

Dessert - aka Service Pack 1 for lunch.
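
An added illustration of the point in the message above (not part of the original post, and not rndc's actual wire format): a keyed-hash tag lets the server reject forged or altered commands, yet the zone name in a "reload" still travels in the clear. The framing, key, zone name and function names are all constructed for this sketch.

```python
import hashlib
import hmac
import json

# Constructed sample values; not a real key or zone.
SHARED_KEY = b"constructed-demo-key"
ZONE = "internal.example"

def sign_command(key: bytes, command: str) -> bytes:
    """Serialize a control command and prepend an HMAC-SHA256 tag (simplified framing)."""
    body = json.dumps({"cmd": command}).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return tag + b"|" + body

def verify_command(key: bytes, packet: bytes):
    """Server side: return the command if the tag verifies, otherwise None."""
    tag, _, body = packet.partition(b"|")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)["cmd"]

def observer_view(packet: bytes) -> str:
    """What anyone on the network path reads without the key: the body is plaintext."""
    _, _, body = packet.partition(b"|")
    return json.loads(body)["cmd"]

def tamper(packet: bytes, old: bytes, new: bytes) -> bytes:
    """Alter the body in transit without being able to recompute the tag."""
    return packet.replace(old, new)

if __name__ == "__main__":
    pkt = sign_command(SHARED_KEY, f"reload {ZONE}")
    # Authentication and integrity hold: the genuine packet verifies.
    print("server accepts:   ", verify_command(SHARED_KEY, pkt))
    # Confidentiality does not: the zone name is readable on the wire.
    print("observer reads:   ", observer_view(pkt))
    # A modified command fails verification because the tag no longer matches.
    print("tampered accepted:", verify_command(SHARED_KEY, tamper(pkt, b"reload", b"freeze")))
```

Carrying the same packet inside an encrypted transport such as SSH hides the body from the observer without changing the verification step.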
