mdamrose at elgin.cc.il.us
Mon Jun 3 14:37:15 UTC 2002
<rwatson at OFDA.NET> wrote in message news:ad8957$cld9$1 at isrv4.isc.org...
> So, what is the carrot for using TSIG signed transactions if only to make
> the zone marginally more secure?
Kevin did not say that TSIG is marginally more secure. He said that using a
combination of TSIG and non-TSIG is marginally more secure.
In much the same way, if you have 2 doors - locking one of them is
marginally more secure than not locking any at all. Some thief might try
the locked one and go away. Others will try the unlocked door.
> -----Original Message-----
> From: Kevin Darcy
> To: comp-protocols-dns-bind at isc.org
> Sent: 5/31/02 11:45 AM
> Subject: Re: TSIG/IP Transactions
> rwatson at OFDA.NET wrote:
> > Hello,
> > We host our own primary DNS, one slave and we also have our ISP's each
> > up as slaves as well.
> > For redundancy and diversity we use 1 slave from each ISP, plus our
> > I would like to use TSIG, however, only 1 of the ISP's supports TSIG
> > transaction, leaving 2 slave servers that don't.
> > My question is, if I use the non-TSIG slaves and also begin using TSIG
> > enabled master/slave servers, will I be potentially compromising,
> > keys or otherwise weakening the security of the zone? (In any way, shape or
> > form?) (Because I am cohabitating TSIG with non-TSIG zone transfers???)
> No, you won't be leaking keys. But if you consider it "leakage" to allow
> anyone to zone transfer your zones, then I guess you have "leakage". You
> could, of course, always restrict zone transfers with a combination of
> TSIG keys and/or source IP addresses, which would make it marginally more
> secure than simply opening it up to the world...
> - Kevin
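The mixed setup Kevin describes, as an added named.conf example (not from the thread or from ISC): the one ISP slave that supports TSIG is admitted by key, the two slaves that don't are admitted by source address, and everything else is refused. Key name, zone name, the RFC 5737 documentation addresses and the hmac-sha256 algorithm are assumptions; the secret is a placeholder.

```conf
// BEFORE (the "open to the world" case): any host may AXFR the zone.
// This is what an unrestricted master looks like.
// zone "example.com" { type master; file "example.com.zone"; allow-transfer { any; }; };

// AFTER: combine a TSIG key for the slave that supports it with
// source-IP matching for the two that do not.

key "isp1-xfer" {
    algorithm hmac-sha256;              // assumed; pick what both ends support
    secret "REPLACE-WITH-BASE64-SECRET"; // placeholder, generate with tsig-keygen
};

acl "xfer-slaves" {
    key "isp1-xfer";     // ISP 1 slave: must present a valid TSIG signature
    192.0.2.53;          // ISP 2 slave (no TSIG support): matched by source IP only
    198.51.100.53;       // in-house slave (no TSIG support): matched by source IP only
};

options {
    allow-transfer { none; };           // global default: nobody may AXFR
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { xfer-slaves; };    // only the ACL above may transfer
};

// On the ISP 1 slave, sign every request sent to the master (203.0.113.1 assumed):
// server 203.0.113.1 { keys { "isp1-xfer"; }; };
// zone "example.com" { type slave; masters { 203.0.113.1; }; file "example.com.zone"; };
```

To verify the policy from a host that is not in the ACL, an unsigned `dig @master example.com axfr` should be refused, while `dig @master example.com axfr -y hmac-sha256:isp1-xfer:<secret>` should succeed from any address. The IP-matched slaves remain exposed to spoofed-source or compromised-host requests, which is the "marginal" part of the thread's point.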