nsupdate, dnskeygen, trusted-keys, OH my!

Kevin Darcy kcd at daimlerchrysler.com
Wed Oct 11 22:30:47 UTC 2000


AFAIK, trusted-keys is only used for DNSSEC, which essentially requires
you to build a security infrastructure. If all you want to do is
strongly-crypto-authenticate your Dynamic Updates amongst a fairly-small
number of servers and/or clients, I'd look at TSIG instead. Generate a
shared-secret TSIG key for each server or, depending on your paranoia
level, each server/client combination, configure it/them into the server
and use the "-k" option of nsupdate to sign the updates with that key.
This is obviously non-scalable to larger numbers of clients and/or servers
because of the key distribution and/or management problems...


- Kevin

Chris MacLeod wrote:

> I've been wrestling with nsupdate for a couple of days now and have
> finally gotten it working with IP-based security rules.
>
> I'm trying to do key based authentication now so I can't be spoofed.
>
> Could someone point me to a good reference (or post here) what a
> named.conf using trusted-keys with nsupdate should look like.  And also
> how keys should be generated with dnskeygen.
>
> Thanks.
>
> Stick
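
Added example, not part of the original post or of BIND itself: a shell script for the per-server/client TSIG setup described in the reply, emitting one `key` statement per pair and a zone whose `allow-update` accepts only those keys. The host names, zone, file name, key-naming scheme and the hmac-sha256 algorithm are assumptions; the post names none of them.

```shell
#!/bin/sh
# Constructed placeholders: ns1 (server), dhcp1/dhcp2 (clients), example.com.

# 256 bits from the kernel CSPRNG, base64-encoded as named.conf expects.
gen_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# key_name SERVER CLIENT -> one key name per server/client combination.
# Both ends must be configured with the identical name and secret.
key_name() {
    printf '%s-%s' "$2" "$1"
}

# key_stanza NAME SECRET -> named.conf "key" statement.
key_stanza() {
    printf 'key "%s" {\n\talgorithm hmac-sha256;\n\tsecret "%s";\n};\n' "$1" "$2"
}

# zone_stanza ZONE KEYNAME... -> zone that accepts updates only when they
# are signed by one of the listed keys (no IP-based rule to spoof).
zone_stanza() {
    zone=$1; shift
    printf 'zone "%s" {\n\ttype master;\n\tfile "db.%s";\n\tallow-update {' "$zone" "$zone"
    for k in "$@"; do printf ' key "%s";' "$k"; done
    printf ' };\n};\n'
}

# build_config SERVER ZONE CLIENT... -> full fragment for the server side.
build_config() {
    server=$1; zone=$2; shift 2
    names=
    for c in "$@"; do
        n=$(key_name "$server" "$c")
        key_stanza "$n" "$(gen_secret)"
        names="$names $n"
    done
    # Word splitting of $names is intended: one argument per key name.
    zone_stanza "$zone" $names
}

umask 077   # anything this output is redirected to holds shared secrets
build_config ns1 example.com dhcp1 dhcp2
```

Each client needs only its own key, which it passes to nsupdate through the "-k" option mentioned above; the number of secrets to distribute grows with every server/client pair, which is the scaling limit the reply points out.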





