FQDNs in masters-list (was: Help: Secondary for...)
Kevin Darcy
kcd at daimlerchrysler.com
Wed Mar 7 19:07:06 UTC 2001
Jim Reid wrote:
> >>>>> "Kevin" == Kevin Darcy <kcd at daimlerchrysler.com> writes:
>
> Kevin> Well, actually, TSIG-authenticated Dynamic Updates work
> Kevin> fine, but this is rather beside the point: the original
> Kevin> suggestion called for signed *NOTIFYs*, not Dynamic
> Kevin> Updates. Signed NOTIFYs are technically illegal, but a
> Kevin> slight extension to RFC 1996 would permit them.
>
> What purpose would a signed NOTIFY serve? Really.
Well, in addition to the slave auto-configuration benefits we've been
talking about, perhaps signed NOTIFYs could eliminate the necessity for
a slave to do a serial-number query in between receiving & responding to
the NOTIFY, and doing the actual zone transfer. I gather that the reason
for the intermediate serial-number-query step is to prevent Denial of
Service attacks, and possibly also some forms of spoofing. But if the
SOA in the NOTIFY is *trusted*, the slave could conceivably just
dispense with the serial-number-query step.
- Kevin
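The slave-side decision logic discussed above, as an added example that is not part of the original thread and is not BIND code. It models three policies for a secondary that receives a NOTIFY: the RFC 1996 behaviour (treat the SOA in the NOTIFY as a hint, query the master's SOA over the slave's own channel, compare serials, then transfer), a naive policy that trusts the unsigned NOTIFY serial (to show why the intermediate query exists), and Kevin's hypothetical extension in which a TSIG-signed NOTIFY is trusted and the intermediate query is skipped. The TSIG MAC is simplified to an HMAC over zone name and serial (real TSIG covers the whole wire message), the `soa_query` callable stands in for the real SOA query to the master, and all serials, addresses and the shared key are constructed for the example.

```python
"""Illustrative NOTIFY handling on a secondary (added example, not BIND code)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Notify:
    zone: str
    serial: Optional[int]             # SOA serial carried in the NOTIFY answer section
    src: str                          # source address of the UDP datagram (spoofable)
    mac: Optional[bytes] = None       # hypothetical TSIG MAC, None when unsigned


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial-number arithmetic: is 32-bit serial a greater than b?"""
    if a == b:
        return False
    return ((a < b) and (b - a) > 2**31) or ((a > b) and (a - b) < 2**31)


def notify_mac(key: bytes, zone: str, serial: int) -> bytes:
    """Simplified stand-in for a TSIG MAC (real TSIG signs the whole message)."""
    return hmac.new(key, f"{zone}|{serial}".encode(), hashlib.sha256).digest()


@dataclass
class Slave:
    zone: str
    serial: int                        # serial of the copy this slave currently serves
    masters: set                       # addresses allowed to NOTIFY this slave
    soa_query: Callable[[], int]       # performs an SOA query to the master
    tsig_key: Optional[bytes] = None
    transfers: list = field(default_factory=list)
    soa_queries: int = 0

    def handle_notify(self, n: Notify, policy: str = "rfc1996") -> str:
        if n.zone != self.zone or n.src not in self.masters:
            return "refused"
        if policy == "naive":
            # Trust the unsigned hint: a forged NOTIFY can force a transfer (DoS).
            master_serial = n.serial
        elif policy == "trusted_notify" and self.tsig_key and n.mac is not None:
            # Kevin's proposal: a validly signed NOTIFY is trusted, no SOA query.
            if n.serial is None or not hmac.compare_digest(
                    notify_mac(self.tsig_key, n.zone, n.serial), n.mac):
                return "refused"          # bad MAC: forgery or wrong key
            master_serial = n.serial
        else:
            # RFC 1996: the NOTIFY is only a hint; ask the master for its SOA.
            self.soa_queries += 1
            master_serial = self.soa_query()
        if serial_gt(master_serial, self.serial):
            self.transfers.append(master_serial)  # would trigger AXFR/IXFR here
            self.serial = master_serial
            return "transferred"
        return "up-to-date"


def demo() -> dict:
    """Run a genuine and a spoofed NOTIFY through each policy (constructed data)."""
    key = b"example-shared-key"
    zone, master_addr = "example.test.", "192.0.2.1"
    master_serial = 2001030701
    genuine = Notify(zone, master_serial, master_addr,
                     notify_mac(key, zone, master_serial))
    # Attacker forges the master's source address and a bogus serial/MAC.
    spoofed = Notify(zone, 4000000000, master_addr, b"\x00" * 32)

    results = {}
    for policy in ("rfc1996", "naive", "trusted_notify"):
        s = Slave(zone, 2001030700, {master_addr}, lambda: master_serial, key)
        results[policy] = {
            "genuine": s.handle_notify(genuine, policy),
            "spoofed": s.handle_notify(spoofed, policy),
            "soa_queries": s.soa_queries,
            "transfers": list(s.transfers),
        }
    return results


if __name__ == "__main__":
    for policy, r in demo().items():
        print(policy, r)
```

Under the RFC 1996 policy the spoofed NOTIFY costs the slave one SOA query but no transfer; the naive policy performs a bogus transfer of "serial" 4000000000; the signed-NOTIFY policy reaches the same outcome as RFC 1996 with zero intermediate queries, because the forgery fails MAC verification before any serial comparison.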