DNSSEC question

Jim Reid jim at rfc1035.com
Thu Nov 14 10:58:58 UTC 2002


>>>>> "Kevin" == viva  <kevin_lee_18 at yahoo.com.au> writes:

    Kevin> Hi all: I have used bind9 TSIG to encrypt + authenticate
    Kevin> data zone transfers between the master DNS(s) and slave
    Kevin> DNS(s). This works fine.

TSIG only provides authentication. It does not encrypt DNS data.

    Kevin>      However, TSIG is based on symmetric encryption (i.e.
    Kevin> both master/slave servers have to share a secret key). This
    Kevin> is a scalability problem for key distribution. I have had a
    Kevin> look at the dnssec-key for public keys. Most examples talk
    Kevin> about using DNSSEC for signing a zone and providing a chain
    Kevin> of trust hierarchy. But none of the examples give an example
    Kevin> of authenticating + encrypting zone data between master /
    Kevin> slave servers.

That's because DNSSEC does not encrypt DNS data either. It uses public
key crypto to sign resource records. These signatures can be validated
in a (currently theoretical) chain of trust all the way to the root.

You can find a pretty good tutorial on how to set up DNSSEC at
	http://www.ripe.net/ripencc/pub-services/np/DISI/index.html

This is based on the new DS (Delegation Signer) stuff which is in
the BIND 9.3 snapshots. So some of the detail will be different from
RFC 2535-style DNSSEC that's supported in the current BIND 9 releases.

There's not much point encrypting DNS data: the stuff is supposed to
be public after all. If you do want to do this, you'll probably need a
VPN using IPsec or something like that.
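
The distinction drawn above (TSIG authenticates a message, it does not
encrypt it) is easiest to see on the wire. What follows is an added
example, not code from the original thread and not BIND's own code: a
minimal TSIG signer and verifier in Python. It uses HMAC-SHA256 as
specified in RFC 8945 rather than the HMAC-MD5 that BIND 9 used in 2002.
The key name xfer-key, the 32-byte shared secret, the AXFR query for
example.com and the fixed timestamp are all constructed for the
illustration.

```python
"""Minimal TSIG (RFC 8945) signer/verifier: shows that TSIG appends an HMAC
and leaves the DNS message itself in the clear.

Added example, not from the bind-users post or from BIND. The key name,
key bytes, query and timestamp are constructed; HMAC-SHA256 is assumed.
"""
import hashlib
import hmac
import struct

TSIG_TYPE = 250   # RR type code for TSIG
CLASS_ANY = 255   # TSIG RRs always carry class ANY
QTYPE_AXFR = 252  # zone transfer, the use case in the thread


def encode_name(name: str) -> bytes:
    """Domain name in uncompressed, lowercased (canonical) wire format."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Offset just past the name at off; handles compression pointers (0xC0)."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1


def build_query(qname: str, qtype: int, txid: int) -> bytes:
    """Header (RD set, QDCOUNT=1) plus one question. Nothing here is encrypted."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, 1))


def tsig_mac(message, key_name_wire, alg_wire, key, time_signed, fudge, error=0, other=b""):
    """HMAC over the unsigned message followed by the TSIG variables (RFC 8945 s.4.3.3)."""
    variables = (key_name_wire.lower() + struct.pack("!HI", CLASS_ANY, 0)   # name, class ANY, TTL 0
                 + alg_wire.lower()
                 + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)  # 48-bit time
                 + struct.pack("!HHH", fudge, error, len(other)) + other)
    return hmac.new(key, message + variables, hashlib.sha256).digest()


def sign_message(message, key_name, key, time_signed, fudge=300, algorithm="hmac-sha256."):
    """Append a TSIG RR to the additional section; the original bytes stay as they were."""
    name_wire, alg_wire = encode_name(key_name), encode_name(algorithm)
    mac = tsig_mac(message, name_wire, alg_wire, key, time_signed, fudge)
    orig_id = struct.unpack("!H", message[:2])[0]
    rdata = (alg_wire + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", orig_id, 0, 0))   # original ID, error NOERROR, other len 0
    rr = name_wire + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr


def verify_message(signed, key, now):
    """Check the TSIG on a message. Returns (ok, tsig_error_name) as a server would decide."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    off, start = 12, None
    for _ in range(qd):
        off = skip_name(signed, off) + 4
    for _ in range(an + ns + ar):          # walk every RR; the TSIG must be the last one
        start = off
        off = skip_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    if start is None:
        return False, "NOTSIG"
    off = skip_name(signed, start)
    name_wire = signed[start:off]
    if struct.unpack("!H", signed[off:off + 2])[0] != TSIG_TYPE:
        return False, "NOTSIG"
    off += 10
    alg_end = skip_name(signed, off)
    alg_wire = signed[off:alg_end]
    hi, lo, fudge, mac_size = struct.unpack("!HIHH", signed[alg_end:alg_end + 10])
    time_signed = (hi << 32) | lo
    mac = signed[alg_end + 10:alg_end + 10 + mac_size]
    tail = alg_end + 10 + mac_size
    orig_id, error, other_len = struct.unpack("!HHH", signed[tail:tail + 6])
    other = signed[tail + 6:tail + 6 + other_len]
    # Rebuild the message as signed: original ID, ARCOUNT minus one, TSIG RR removed.
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:start]
    expected = tsig_mac(unsigned, name_wire, alg_wire, key, time_signed, fudge, error, other)
    if not hmac.compare_digest(mac, expected):
        return False, "BADSIG"    # tampered message or wrong shared secret
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"   # replay outside the fudge window
    return True, "NOERROR"


if __name__ == "__main__":
    KEY = bytes.fromhex("0f" * 32)   # constructed shared secret, not a real key
    NOW = 1037271538                 # 2002-11-14 10:58:58 UTC, the date of the post
    query = build_query("example.com.", QTYPE_AXFR, 0x1234)
    signed = sign_message(query, "xfer-key.", KEY, NOW)
    print("zone name readable in signed message:", b"\x07example\x03com" in signed)
    print("valid:", verify_message(signed, KEY, NOW))
    print("tampered:", verify_message(signed.replace(b"\x07example", b"\x07exampl3"), KEY, NOW))
    print("replayed an hour later:", verify_message(signed, KEY, NOW + 3600))
    print("wrong key:", verify_message(signed, b"other", NOW))
```

The signed message is the original query with a TSIG record glued on the
end; the zone name and everything else are as readable as before, which
is the point of the reply above. Changing a byte of the question or
using a different key gives BADSIG, and presenting the same signed
message outside the fudge window gives BADTIME. A real server looks the
key up by the TSIG RR's owner name rather than taking a single key as
this example does, and the MAC on a response also covers the request's
MAC (and, in an AXFR stream, the previous message's MAC), which is
omitted here.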


More information about the bind-users mailing list