nsupdate, dnskeygen, trusted-keys, OH my!

Kevin Darcy kcd at daimlerchrysler.com
Fri Oct 13 00:38:51 UTC 2000


http://www.nominum.com/resources/faqs/bind-faq.html#tsig


- Kevin



root wrote:

> That's what I am trying to do.
> Have a secure mechanism for which a few hosts to do updates with.
>
> The problem that I'm having is that I don't know (and can't find)
> is how to specify the approved key in my conf file and then how to generate
> the correct key
> TSIG vs DNSSEC for use on the host side.
>
> Stick
>
> On Wed, 11 Oct 2000 18:30:47 Kevin Darcy wrote:
> >
> > AFAIK, trusted-keys is only used for DNSSEC, which essentially requires
> > you to build a security infrastructure. If all you want to do is
> > strongly-crypto-authenticate your Dynamic Updates amongst a fairly-small
> > number of servers and/or clients, I'd look at TSIG instead. Generate a
> > shared-secret TSIG key for each server or, depending on your paranoia
> > level, each server/client combination, configure it/them into the server
> > and use the "-k" option of nsupdate to sign the updates with that key.
> > This is obviously non-scalable to larger numbers of clients and/or
> > servers because of the key distribution and/or management problems...
> >
> >
> > - Kevin
> >
> > Chris MacLeod wrote:
> >
> > > I've been wrestling with nsupdate for a couple of days now and have
> > > finally gotten it working with ip based security rules.
> > >
> > > I'm trying to do key based authentication now so I can't be spoofed.
> > >
> > > Could someone point me to a good reference (or post here) what a
> > > named.conf using trusted-keys with nsupdate should look like.  And also
> > > how keys should be generated with dnskeygen.
> > >
> > > Thanks.
> > >
> > > Stick
> >
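
The server-side half of the TSIG setup described in the thread, as an added example that is not part of the original messages and is not BIND project code: it generates a shared secret, writes the key clause to an owner-only file, emits a zone whose allow-update grants by key, and counts allow-update lines that still grant by address. The key name, zone name and file names are constructed placeholders, and hmac-sha256 assumes a current BIND 9 (releases contemporary with this thread offered hmac-md5).

```shell
#!/bin/sh
# Added example; key name, zone and file names are constructed placeholders.

# Shared secret: N random bytes, base64-encoded as named.conf expects.
gen_secret() {
    head -c "$1" /dev/urandom | base64 | tr -d '\n'
}

# key clause: the same name, algorithm and secret go on server and client.
key_clause() {      # args: key-name algorithm secret
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$1" "$2" "$3"
}

# Zone that accepts dynamic updates only when signed with the named key.
zone_clause() {     # args: zone key-name
    printf 'zone "%s" {\n\ttype master;\n\tfile "%s.db";\n' "$1" "$1"
    printf '\tallow-update { key "%s"; };\n};\n' "$2"
}

# Keep the secret in its own file, readable by the owner only, so that
# named.conf itself can stay world-readable and pull it in with include.
write_key_file() {  # args: path key-name algorithm secret
    ( umask 077; key_clause "$2" "$3" "$4" > "$1" )
}

# Count allow-update lines that grant by address instead of by key
# (line-based check; assumes one allow-update statement per line).
count_addr_based() {  # args: config-file
    grep 'allow-update' "$1" | grep -vc 'key' || true
}

# Stand-alone run: print a fragment for a placeholder zone and key.
secret=$(gen_secret 32)
key_clause update-key.example. hmac-sha256 "$secret"
zone_clause example.com update-key.example.
```

The client that signs with nsupdate -k needs the same key name, algorithm and secret; the key-file form that option accepts depends on the BIND release.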