DNSSEC ISSUE (Msg: Request is not signed)

Curt Sampson cjs at cynic.net
Tue Jul 17 21:30:03 UTC 2007


On Tue, 17 Jul 2007, Edward Lewis wrote:

> At 17:03 +0900 7/17/07, Curt Sampson wrote:
>
>> Actually, my main interest is just in making sure that my zones are valid
>> before I load them into my server. (I.e., they got from the place where
>> I sign them out to my servers without damage.) Is there a tool kicking
>> around that validates them?
>
> Most folks rely on VPN and host security to make sure the zone gets to the 
> master okay (if "valid" means uncorrupted).  After that you have the option 
> of TSIG covering XFR's....

Which is exactly what I do right now. And I can't say I've ever had an
issue with it. However, this detects neither errors in the protocols
running above the VPN nor errors in the signing itself. And that makes
me rather nervous given how much stuff would stop working if my master
server loaded some incorrectly signed data.

cjs
-- 
Curt Sampson         <cjs at cynic.net>         +81 90 7737 2974
              http://www.starling-software.com
The power of accurate observation is commonly called cynicism
by those who have not got it.    --George Bernard Shaw


