DNSSEC question
Jim Reid
jim at rfc1035.com
Thu Nov 14 10:58:58 UTC 2002
>>>>> "Kevin" == viva <kevin_lee_18 at yahoo.com.au> writes:
Kevin> Hi all: I have used bind9 TSIG to encrypt + authenticate
Kevin> zone data transfer between the master DNS(s) and slave
Kevin> DNS(s). This works fine.
TSIG only provides authentication. It does not encrypt DNS data.
Kevin> However, TSIG is based on symmetric encryption (i.e.
Kevin> both master/slave servers have to share a secret key). This
Kevin> is a scalability problem for key distribution. I have had a look at
Kevin> the dnssec-key for public keys. Most examples talk about
Kevin> using dnssec for signing a zone and providing a chain of
Kevin> trust hierarchy. But none of the examples gives an example of
Kevin> authentication + encrypting zone data between master / slave
Kevin> servers.
That's because DNSSEC does not encrypt DNS data either. It uses public
key crypto to sign resource records. These signatures can be validated
in a (currently theoretical) chain of trust all the way to the root.
You can find a pretty good tutorial on how to set up DNSSEC at
http://www.ripe.net/ripencc/pub-services/np/DISI/index.html
This is based on the new DS (Delegation Signer) stuff which is in
the BIND9.3 snapshots. So some of the detail will be different from
RFC2535-style DNSSEC that's supported in the current BIND9 releases.
There's not much point encrypting DNS data: the stuff is supposed to
be public after all. If you do want to do this, you'll probably need a
VPN using IPsec or something like that.
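As an added illustration of the point above (example code, not part of the original thread): a TSIG-style HMAC-MD5 over a minimal AXFR request, digested in the RFC 2845 layout, using a constructed key name and secret. The signed message goes on the wire unchanged, so the zone name remains readable; what the MAC buys is detection of tampering, a wrong key, or a stale timestamp.

```python
import hmac
import hashlib
import struct
import time
from typing import Optional, Tuple

# Constructed example key; a real TSIG secret is the base64 value produced by dnssec-keygen.
# hmac-md5 is what TSIG used in 2002; current deployments prefer hmac-sha256.
KEY_NAME = "transfer-key."
ALGORITHM = "hmac-md5.sig-alg.reg.int."
SECRET = b"constructed-shared-secret-not-a-real-key"

def wire_name(name: str) -> bytes:
    """Encode a dotted name in DNS wire format, lower-cased as TSIG's canonical form requires."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_axfr_request(zone: str, msg_id: int = 0x1234) -> bytes:
    """Minimal AXFR query: 12-byte header plus one question (QTYPE AXFR=252, QCLASS IN=1)."""
    header = struct.pack(">HHHHHH", msg_id, 0x0000, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack(">HH", 252, 1)

def tsig_variables(time_signed: int, fudge: int = 300) -> bytes:
    """TSIG variables RFC 2845 folds into the digest: key name, CLASS ANY, TTL 0,
    algorithm name, 48-bit time signed, fudge, error=0, other-len=0 (no other data)."""
    return (wire_name(KEY_NAME) + struct.pack(">HI", 255, 0) + wire_name(ALGORITHM)
            + struct.pack(">HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
            + struct.pack(">HHH", fudge, 0, 0))

def tsig_mac(message: bytes, time_signed: int, secret: bytes = SECRET) -> bytes:
    """HMAC over the plaintext DNS message followed by the TSIG variables."""
    return hmac.new(secret, message + tsig_variables(time_signed), hashlib.md5).digest()

def sign(message: bytes, time_signed: int) -> Tuple[bytes, bytes]:
    """Return (message, mac): the message itself is untouched, TSIG only appends a MAC."""
    return message, tsig_mac(message, time_signed)

def verify(message: bytes, mac: bytes, time_signed: int, secret: bytes = SECRET,
           now: Optional[int] = None, fudge: int = 300) -> bool:
    """Reject stale timestamps, then compare the recomputed MAC in constant time."""
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge:
        return False
    return hmac.compare_digest(mac, tsig_mac(message, time_signed, secret))
```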