Do I need TSIG for zone transfer on an intranet env?

Kevin Darcy kcd at daimlerchrysler.com
Thu Jun 29 17:24:12 UTC 2006


In security-speak, it might translate better into "source-address-based 
authentication" versus "shared-key-cryptographic authentication". 
Obviously, from a theoretical standpoint, the crypto is better security, 
but you might give them some pause if at the same time you suggest that 
the Security Department be responsible for generating and maintaining 
the shared keys. It's amazing how workload can often trump theoretical 
advantage :-)

                                                                         
                  - Kevin

April wrote:
> that's true .. however how many people in Security really know DNS?  ;-)
>
> What I should ask probably is in general, should ACL or TSIG be
> implemented in an intranet env?
>
> Kevin Darcy wrote:
>   
>> April wrote:
>>     
>>> is it too much?  ACL should do the job?
>>>
>>>       
>> Perhaps you should ask such questions of your Chief Security Officer, or
>> on a security-related list. Is source-address-based security sufficient
>> on an intranet? How much security is enough security, and where does it
>> cross the line into overkill?
>>
>>
>>                         - Kevin
>>     
>   
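
An added example, not part of the original thread and not BIND's own tooling: a small Python audit that reads a named.conf fragment and reports, per zone, whether `allow-transfer` relies on source addresses, on a TSIG key, or accepts either. The zone names, addresses and key name are constructed sample values, and the parser assumes flat match lists (nested lists are not handled, and a named ACL is counted as address-based).

```python
import re

# Constructed named.conf fragment; zone names, addresses and key name are sample values.
SAMPLE_CONF = """
zone "corp.example"  { type master; file "db.corp";  allow-transfer { 10.1.1.2; }; };
zone "lab.example"   { type master; file "db.lab";   allow-transfer { key "xfer-key"; }; };
zone "mixed.example" { type master; file "db.mixed"; allow-transfer { key "xfer-key"; 10.1.1.3; }; };
zone "plain.example" { type master; file "db.plain"; };
"""

def zone_bodies(conf):
    """Yield (zone name, body text) by matching braces after each zone header."""
    for m in re.finditer(r'zone\s+"([^"]+)"[^{;]*\{', conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def classify(body):
    """Say what a transfer request must present to pass this zone's allow-transfer."""
    m = re.search(r'allow-transfer\s*\{([^{}]*)\}', body)
    if m is None:
        return "inherited"          # falls back to options/view or the server default
    elems = [e.strip() for e in m.group(1).split(";") if e.strip()]
    keyed = [e for e in elems if e.startswith("key ")]
    other = [e for e in elems if not e.startswith("key ") and e != "none"]
    if keyed and other:
        return "mixed"              # a listed address passes without any signature
    if keyed:
        return "tsig"               # only requests signed with the shared key pass
    return "address" if other else "none"

def audit(conf):
    """Map each zone name to its transfer-authentication class."""
    return {name: classify(body) for name, body in zone_bodies(conf)}

if __name__ == "__main__":
    for name, kind in audit(SAMPLE_CONF).items():
        print(f"{name:15} {kind}")
```

Zones reported as "mixed" are worth a second look: the key element adds nothing for a host whose address is already listed.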


