Dynamic/Secure DNS

Cricket Liu cricket at acmebw.com
Thu Oct 21 17:54:57 UTC 1999


> I hear that BIND 8.2.1 supports both dynamic and secure DNS.
> Is this support related only to the name server part or the resolver
> actively supports it as well?

Most of the support is in the name server.

> Let me try to explain:
>
> I understand that this is the support I can get:
> 1. The name server part understands and handles the new KEY, SIG, NXT,
> TSIG and TKEY resource records and also the new UPDATE opcode
> and its rules.

Yes.

> 2. The resolver part acts only as helper for the name server part to
> handle the stuff mentioned above, should any communication to other
> name servers be required.
> Am I right?

No.  The name server handles communication with other name servers.

> What I am trying to find out is:
> 1. can the resolver update the A and PTR records when the local IP
> configuration changes (host, domain, IP address). Moreover, can it use
> Secure DNS to do the updates, either by default or only if it gets back a
> REFUSED.

You could use the resolver routines to write code that did this, but it
doesn't do this out of the box.  There's support for sending TSIG-
signed updates in the resolver routines now, I believe.

> 2. what are the supported security (cryptographical) mechanisms
> (RSA/MD5, DSA, Kerberos, GSS etc?)

Depends on whether you're talking about DNSSEC or TSIG.  DNSSEC
supports DSA/DSS and RSA.  TSIG supports (HMAC-)MD5.

> Any insight appreciated.
> Can someone point me out to some documentation? I read the RFCs, but I
> want to know details about BIND's implementation.

There's no substitute for the source code.

cricket

Acme Byte & Wire
cricket at acmebw.com
www.acmebw.com

Attend our next DNS and BIND class!  See
www.acmebw.com/training.htm for the
schedule and to register for upcoming
classes.
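
The TSIG-signed update mentioned in the reply above, as an added example that is not part of the original post and not BIND's resolver code: it builds an RFC 2136 UPDATE message for one A record and signs it with HMAC-MD5 as laid out in RFC 2845, using only the Python standard library. The zone, host, address, key name, secret and timestamp are constructed sample values.

```python
import hashlib, hmac, socket, struct

ALG = "HMAC-MD5.SIG-ALG.REG.INT"  # algorithm name carried in the TSIG record

def wire_name(name):
    """Encode a domain name in uncompressed, lowercased wire format."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_update(msg_id, zone, host, ip, ttl=300):
    """RFC 2136 UPDATE adding one A record: opcode 5, one zone, one update RR."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)
    zone_section = wire_name(zone) + struct.pack("!HH", 6, 1)       # SOA, IN
    rdata = socket.inet_aton(ip)
    update_rr = wire_name(host) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + zone_section + update_rr

def tsig_time(when, fudge):
    """48-bit time signed followed by the 16-bit fudge window in seconds."""
    return struct.pack("!HIH", when >> 32, when & 0xFFFFFFFF, fudge)

def tsig_mac(msg, key_name, secret, when, fudge=300):
    """HMAC-MD5 over the unsigned message plus the TSIG variables."""
    variables = (wire_name(key_name) + struct.pack("!HI", 255, 0)   # class ANY, TTL 0
                 + wire_name(ALG) + tsig_time(when, fudge)
                 + struct.pack("!HH", 0, 0))                        # error, other length
    return hmac.new(secret, msg + variables, hashlib.md5).digest()

def sign_update(msg, key_name, secret, when, fudge=300):
    """Append the TSIG RR to the additional section and increment ADCOUNT."""
    mac = tsig_mac(msg, key_name, secret, when, fudge)
    rdata = (wire_name(ALG) + tsig_time(when, fudge) + struct.pack("!H", len(mac))
             + mac + msg[:2] + struct.pack("!HH", 0, 0))  # original ID, error, other len
    tsig_rr = wire_name(key_name) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    adcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", adcount) + msg[12:] + tsig_rr

if __name__ == "__main__":
    # Constructed sample values; a real key is shared with the server out of band.
    unsigned = build_update(0x1234, "example.com", "host.example.com", "192.0.2.10")
    signed = sign_update(unsigned, "update-key", b"constructed-secret", 940528497)
    print(len(unsigned), len(signed), signed[-22:-6].hex())
```

The server recomputes the same MAC with its copy of the key and rejects the update if it differs or if the time signed falls outside the fudge window.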


