TSIG/IP Transactions

rwatson at OFDA.NET rwatson at OFDA.NET
Fri May 31 16:36:53 UTC 2002


So, what is the carrot for using TSIG-signed transactions if only to make the
zone marginally more secure?


-----Original Message-----
From: Kevin Darcy
To: comp-protocols-dns-bind at isc.org
Sent: 5/31/02 11:45 AM
Subject: Re: TSIG/IP Transactions


rwatson at OFDA.NET wrote:

> Hello,
>
> We host our own primary DNS, one slave and we also have our ISPs each set
> up as slaves as well.
>
> For redundancy and diversity we use 1 slave from each ISP, plus our slave.
> I would like to use TSIG, however, only 1 of the ISPs supports TSIG
> transactions, leaving 2 slave servers that don't.
>
> My question is, if I use the non-TSIG slaves and also begin using TSIG
> enabled master/slave servers, will I be potentially compromising, leaking
> keys or otherwise weakening the security of the zone?  (In any way shape or
> form?)  (Because I am cohabiting TSIG with non-TSIG zone transfers???)

No, you won't be leaking keys. But if you consider it "leakage" to allow
anyone to zone transfer your zones, then I guess you have "leakage". You
could, of course, always restrict zone transfers with a combination of
TSIG keys and/or source IP addresses, which would make it marginally more
secure than simply opening it up to the world...


- Kevin
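As an added illustration of the "TSIG keys and/or source IP addresses" option Kevin describes (this is not configuration from either poster), here is a BIND 9 named.conf fragment for the mixed setup in the question: one slave that supports TSIG and two that do not. The zone name, addresses (RFC 5737 documentation ranges) and the key secret are made up for the example; hmac-sha256 needs BIND 9.5 or later (older versions only had hmac-md5).

```conf
# ---------------------------------------------------------------------
# "Before": anyone on the Internet can AXFR the zone.
# ---------------------------------------------------------------------
zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { any; };          # open to the world
};

# ---------------------------------------------------------------------
# "After", on the master (primary) server.
# ---------------------------------------------------------------------
# Shared secret for the one ISP slave that supports TSIG.  The secret is
# never sent on the wire; it is only used to HMAC each transfer message.
# Generate a real one with:  tsig-keygen -a hmac-sha256 xfer-isp1
# (or  dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST xfer-isp1  on
# BIND releases before 9.11).
key "xfer-isp1" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LWV4YW1wbGUtcGxhY2Vob2xkZXI=";   # constructed placeholder
};

# Slaves that can only be identified by source address (no TSIG support).
acl "non-tsig-slaves" {
    192.0.2.53;        # our own slave            (example address)
    198.51.100.53;     # ISP 2 slave, no TSIG     (example address)
};

zone "example.com" {
    type master;
    file "db.example.com";
    # Address-match-list elements are OR'd and the first match wins, so
    # this reads "signed with xfer-isp1, OR sent from a listed address".
    # An unsigned request from anywhere else gets REFUSED.
    allow-transfer {
        key "xfer-isp1";
        "non-tsig-slaves";
    };
    # Stronger variant for ISP 1: require the key AND the address.  The
    # nested list matches positively for every address except
    # 203.0.113.53; the outer "!" turns that into a refusal, so only a
    # request from 203.0.113.53 that is also signed reaches the key element.
    # allow-transfer {
    #     "non-tsig-slaves";
    #     !{ !203.0.113.53; any; };
    #     key "xfer-isp1";
    # };
    also-notify { 192.0.2.53; 198.51.100.53; 203.0.113.53; };
};

# ---------------------------------------------------------------------
# "After", on the TSIG-capable slave at ISP 1 (203.0.113.53).
# ---------------------------------------------------------------------
key "xfer-isp1" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LWV4YW1wbGUtcGxhY2Vob2xkZXI=";   # same secret as on the master
};

# Sign every request this slave sends to the master (203.0.113.1 is a
# made-up address for the master).
server 203.0.113.1 {
    keys { "xfer-isp1"; };
};

zone "example.com" {
    type slave;
    file "bak.example.com";
    masters { 203.0.113.1; };
};
```

To check the result from an unlisted host, run `dig @203.0.113.1 example.com AXFR` and expect a REFUSED status; the same transfer with `-y hmac-sha256:xfer-isp1:<secret>` added should succeed. Note the practical limit of the address-only entries: any request that arrives from a listed slave's address is accepted regardless of who is behind it, which is why the key element is the stronger of the two and why the commented AND form is worth using wherever the far end supports TSIG.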

