Using RNDC to control remote access to my BIND server

Greg Donohoe dubgregd at gmail.com
Tue Apr 27 09:27:12 UTC 2021


Thank you for the excellent advice, it is a lot clearer to me now.
I am checking the nsupdate & TSIG man pages for additional knowledge.
Outside of these man pages, are there any other references
(tutorials/videos) that you would recommend?
Particularly around the area of TSIG key generation & management best
practices?

Rgds,
Greg.

On Mon, Apr 26, 2021 at 4:16 PM Tony Finch <dot at dotat.at> wrote:

> Anand Buddhdev <anandb at ripe.net> wrote:
> >
>
> Anand's advice is good, as usual :-)
>
> But a small pedantic point:
>
> > The DNS protocol itself has recently been updated to allow for
> > encryption, using DTLS (DNS-over-TLS).
>
> DTLS usually means "datagram TLS", i.e. TLS-over-UDP (RFC 6347). There's a
> spec for DNS-over-DTLS (RFC 8094) but I have not seen much enthusiasm for
> deploying it: DTLS combines all the disadvantages of UDP with all the
> disadvantages of TLS. (Or worse: DTLS has a more complicated state machine
> than normal TLS so there have been a bunch of DTLS-specific
> vulnerabilities which makes me very reluctant to deploy it.)
>
> There is a lot more enthusiasm for DNS-over-TLS (aka DoT) and
> DNS-over-HTTPS (aka DoH), and maybe in the future DNS-over-QUIC.
>
> But right now, none of these are particularly easy to get working as
> transports for UPDATE, and as Anand said, it usually isn't necessary.
>
> I'm looking forward to zone transfers over TLS, because public key
> authentication (with client certificates) is a bit easier to deploy
> between different organizations than TSIG secret key authentication.
> There's not such a clear benefit for UPDATE-over-TLS where I'm sitting,
> apart from the neatness of having all authenticated traffic over TLS.
>
> Tony.
> --
> f.anthony.n.finch  <dot at dotat.at>  https://dotat.at/
> Bailey: Northeast 5 to 7. Moderate or rough. Showers at first. Good.
>
>
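Added example, not part of the thread above: the TSIG key workflow that the question about key generation and management touches on, shown as a small POSIX sh script for BIND. The key name (example-key), zone (example.test) and file paths are constructed; the random secret comes from /dev/urandom plus base64, which is what tsig-keygen(8) from BIND produces for you in practice, so the script runs anywhere. The named.conf fragment restricts dynamic UPDATE on the zone to that key and gates rndc's control channel with the same key on loopback.

```shell
#!/bin/sh
# Added example (not from the bind-users thread): generate a TSIG key,
# store it with owner-only permissions, and render the named.conf pieces
# that use it. Key name, zone and paths are constructed for illustration.
# In real deployments `tsig-keygen example-key` produces the same stanza.

set -eu

# hmac-sha256 wants a 256-bit secret; BIND stores it base64-encoded.
gen_tsig_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Render a BIND "key" stanza, the same shape tsig-keygen prints.
# Both named (via include) and nsupdate -k read this format.
tsig_key_stanza() {
    name=$1
    secret=$2
    printf 'key "%s" {\n\talgorithm hmac-sha256;\n\tsecret "%s";\n};\n' \
        "$name" "$secret"
}

# Write the stanza to a file only its owner can read. The secret is
# symmetric, so anyone who can read the file can sign updates and rndc
# commands; the umask runs in a subshell so it does not leak outward.
write_key_file() {
    path=$1
    name=$2
    secret=$3
    ( umask 077; tsig_key_stanza "$name" "$secret" > "$path" )
    chmod 600 "$path"
    printf '%s\n' "$path"
}

# named.conf fragment: the secret stays in the included key file, the zone
# accepts UPDATE only when the message is TSIG-signed with this key, and
# the rndc control channel is bound to loopback and requires the same key.
named_conf_fragment() {
    keyfile=$1
    keyname=$2
    zone=$3
    cat <<EOF
include "$keyfile";

controls {
	inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "$keyname"; };
};

zone "$zone" {
	type primary;
	file "$zone.db";
	allow-update { key "$keyname"; };
};
EOF
}

# Stand-alone run: `sh tsig-setup.sh demo` prints the generated pieces
# and the matching nsupdate invocation.
case "${1:-}" in
demo)
    secret=$(gen_tsig_secret)
    keyfile=$(write_key_file ./example-key.key example-key "$secret")
    named_conf_fragment "$keyfile" example-key example.test
    printf '\n# client side, same key file:\n'
    printf '# nsupdate -k %s updates.txt\n' "$keyfile"
    ;;
esac
```

Rotating the key is the same procedure with a new key name: add the new stanza and key reference alongside the old one, switch the clients over, then drop the old stanza, so no client is locked out during the change.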