DNSSEC and ISAKMP?

Alan Clegg aclegg at isc.org
Sat Apr 17 01:04:22 UTC 2010


On 4/16/2010 4:03 PM, Roy Badami wrote:
>> DNSSEC and ISAKMP are not related.
> 
> Well, that's no longer entirely true...  AIUI Microsoft seem to have
> decided that in their DNSSEC implementation they will use IPsec (and
> hence IKE with GSS-API) to secure communications from the client to
> the validating resolver (rather than using GSS-TSIG, which is how they
> secure dynamic updates).  So in the MS world, DNSSEC and ISAKMP *are*
> at least indirectly related.
> 
> I have no idea whether this is likely to result in port 500 traffic to
> random non-participating nameservers, though - I would assume not but
> am prepared to be proved wrong.

Wow...

Good catch!  I've read the Microsoft documentation on 'last mile' DNSSEC
goodness and yes, they do rely on IPSec to secure that portion of the
DNS transaction.

Thanks for pointing that out.  It will definitely be interesting to see
if this increase in ISAKMP traffic is a side effect of DNSSEC deployment.

AlanC
