How secure is rndc?
Edward Lewis
Ed.Lewis at neustar.biz
Thu Dec 21 15:52:31 UTC 2006
At 9:39 -0600 12/21/06, Len Conrad wrote:
>>So people can see whether I just have reloaded or stopped my server. I
>>do not have a big problem with that.
>
>and they can reload or stop your DNS server, too (if they have the key)
If they have the key that is. As long as they can't forge the
signature (technically it's an encrypted hash or something like
that), they can't get a command accepted.
TSIG has replay prevention (within 5 minutes). So copying the
message in whole and playing it later isn't very effective.
(Somewhat.)
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
Dessert - aka Service Pack 1 for lunch.