tsig

Kevin Darcy kcd at daimlerchrysler.com
Wed Jan 25 21:15:35 UTC 2006


Gamer wrote:

>>AFAIK, neither of those actually encrypt the *data* in the DNS packets.
>>They just provide crypto-authentication. The purpose of DNS is to
>>publish information, after all, so most of the security efforts are
>>aimed at making the information *trustworthy* rather than indecipherable.
>
>Ok, I agree, but the fact that someone could read all those records,
>doesn't he get a pretty good picture of the network infrastructure?
>
That's one perspective on network security. I tend to put it in the 
category of "security through obscurity", which I'm not real big on 
(heck, I don't even restrict zone transfers).

One thing I forgot to mention in my previous message is that if you're 
that concerned about privacy, you could always run your stuff over IPSEC 
or something like that.

>My concern is, if I would be admin of a very huge private network and
>external communication is only possible via proxy servers.
>
I think I know a little bit about that.

>Which reasons could there be to implement
>DNSSEC?
>
If it's a "very huge" private network, don't you have some entities on 
it that you trust less than others? When that level of distrust gets 
beyond a certain threshold, that's when security measures are called for.

Actually, you should take all of this with a grain of salt coming from 
me, since I'm not a Security expert.

                                                                         
                                             - Kevin
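The point made above, that TSIG and DNSSEC authenticate DNS messages without hiding their contents, can be shown directly. The following is an added illustration, not code from this thread or from BIND: it signs a minimal AXFR query with an HMAC over the raw message (a simplified stand-in for the real TSIG record layout of RFC 2845, not the exact wire encoding), then shows that the question name is still readable from the signed bytes while any tampering or a wrong key fails verification. The shared secret and the zone name are constructed placeholders.

```python
"""Added example: HMAC-style signing of a DNS query authenticates it
but does not conceal it.  Simplified for illustration; the real TSIG
record format (RFC 2845) is not reproduced here."""
import hashlib
import hmac
import struct

# Constructed shared secret; in BIND this would come from a `key` statement.
SHARED_KEY = b"constructed-shared-secret-not-real"


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS wire-format length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(wire: bytes, offset: int = 12) -> str:
    """Read a wire-format name starting at offset (12 = just past the header).
    Compression pointers are not handled; queries built here never use them."""
    labels = []
    while True:
        length = wire[offset]
        offset += 1
        if length == 0:
            break
        labels.append(wire[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + "."


def build_query(qname: str, qtype: int = 252, txid: int = 0x1234) -> bytes:
    """Build a minimal one-question DNS query. qtype 252 is AXFR (zone transfer)."""
    # id, flags, qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def sign(message: bytes, key: bytes) -> bytes:
    """Compute the authenticator: a keyed MAC over the whole message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(message: bytes, mac: bytes, key: bytes) -> bool:
    """Constant-time check that mac matches message under key."""
    return hmac.compare_digest(sign(message, key), mac)


def demo() -> dict:
    msg = build_query("example.com.")
    mac = sign(msg, SHARED_KEY)
    # The signed message is still plaintext: the zone name is right there.
    readable = decode_name(msg)
    # Flip one byte of the question name (same length, so offsets hold).
    tampered = msg.replace(b"\x07example", b"\x07exampls")
    return {
        "readable_qname": readable,
        "genuine_verifies": verify(msg, mac, SHARED_KEY),
        "tampered_verifies": verify(tampered, mac, SHARED_KEY),
        "wrong_key_verifies": verify(msg, mac, b"some-other-key"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it shows the integrity property (genuine verifies, tampered and wrong-key do not) alongside the absence of confidentiality: the query name decodes from the signed bytes exactly as from an unsigned one. That is why the thread points to IPsec, rather than TSIG or DNSSEC, when the goal is to keep DNS traffic from being read.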



