Reasons no to use TSIG?

Walkenhorst, Benjamin Benjamin.Walkenhorst at
Wed Oct 6 10:59:09 UTC 2004

Hello everyone,

I am exploring the possibilities TSIG offers; for the environment I work
in TSIG seems fine, since it is easy to set up and offers a reasonable degree
of security from employees doing zone transfers or hammering my machines
with recursive queries.

And since I am about to use TSIG as widely as possible, I would like to know
if there are any reasons not to use TSIG.

I can think of just one: TSIG cannot be used to verify zone-content the way DNSSEC
can. Also, regular queries don't get covered by this.

But otherwise?
(In case it matters, we currently have a test setup where TSIG is used for
"allow-transfer {}" and "allow-notify {}".)

Benjamin Walkenhorst

More information about the bind-users mailing list