Accessing internal zones over a VPN

Anthony Chavez acc at anthonychavez.org
Fri Mar 19 23:13:18 UTC 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 01 Mar 2004 19:24:09 -0500 Kevin Darcy <kcd at daimlerchrysler.com> wrote:
> Well, it's not going to be pretty however you implement it. What comes 
> to my mind is to set up the zones of interest as "stub" zones on a 
> separate nameserver, nameserver instance (running on a different 
> interface of the same box, using "listen-on") or (if you're willing to 
> upgrade to BIND 9) a separate "view", which serves only the 
> client-subset you care about. These "stub" zones would pull their NS/SOA 
> data from DNS2, and everything else in that nameserver (or nameserver 
> instance, or "view", depending on how you set it up) would forward to 
> the regular FW1 nameserver (or nameserver instance or "view") for normal 
> resolution.

I have still yet to implement this, but something occurred to me when I
was thinking about it the other day.

If I were to do this, wouldn't that mean that my internal zone would be
transferred over the Internet, making it entirely possible that a
malicious user armed with a packet sniffer could view it?

A quick glance over the ARM has given me the impression that TSIG, TKEY,
SIG(0) and DNSSEC will enable me to do this securely.  Is this
correct?  And is there anything that I should know beforehand before
attempting to enable these features?

Thanks.

- -- 
Anthony Chavez                             http://www.anthonychavez.org/
mailto:acc at anthonychavez.org                jabber:acc at anthonychavez.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFAW36RbZTbIaRBRXERAuhjAJ0Q9j+LVP38HksyplN23J24wu7UuwCcCFyO
3lfXn8ey4aO+D7Eda3kbn6k=
=VfVk
-----END PGP SIGNATURE-----
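The layout Kevin sketches, written out as a BIND 9 named.conf excerpt. This is an added illustration, not configuration from the thread or from ISC: the zone name internal.example, the VPN client range 10.8.0.0/24, the DNS2 address 192.0.2.10, the FW1 resolver address 192.0.2.1 and the key name dns2-tsig are all assumed placeholders, and the TSIG secret must be replaced with one generated locally (for example with dnssec-keygen -a HMAC-MD5 -b 128 -n HOST, which ships with BIND 9). The "vpn" view holds the stub zone, whose masters entry carries the TSIG key so the SOA/NS queries and the answers from DNS2 are signed and verified, and forwards everything else to FW1; the second view serves all other clients as before.

```conf
// Shared secret for signing traffic between this server and DNS2.
// PLACEHOLDER: generate your own secret and keep it identical on both ends.
key "dns2-tsig" {
    algorithm hmac-md5;
    secret "REPLACE-WITH-BASE64-SECRET==";
};

// Assumed address range of the VPN clients that need the internal names.
acl "vpn-clients" { 10.8.0.0/24; };

view "vpn" {
    match-clients { "vpn-clients"; };
    recursion yes;

    // Stub zone: only the SOA, NS (and glue) records are pulled from DNS2;
    // the key clause makes named sign its queries to DNS2 with dns2-tsig
    // and reject replies whose signature does not verify.
    zone "internal.example" {
        type stub;
        masters { 192.0.2.10 key "dns2-tsig"; };
        file "stub/internal.example";
    };

    // Everything that is not the internal zone goes to the FW1 resolver.
    forwarders { 192.0.2.1; };
    forward only;
};

// All other clients keep the ordinary configuration.
view "default" {
    match-clients { any; };
    recursion yes;
    forwarders { 192.0.2.1; };
    forward only;
};
```

Two points worth checking before relying on this. First, TSIG gives authentication and integrity, so a third party cannot tamper with or spoof the stub zone refresh, but it does not encrypt anything: the SOA and NS records, and the internal names in later queries, still cross the wire in the clear unless that path runs inside the VPN tunnel itself. Second, DNS2 must be configured to accept the same key (a matching key statement plus allow-query or allow-transfer restricted to key "dns2-tsig"); a one-sided key silently degrades to unsigned traffic on the DNS2 side, so verify with named's logs or a signed dig query that both ends actually sign and verify.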