TSIG and SIG(0)

Jim Reid jim at rfc1035.com
Mon Sep 27 15:09:43 UTC 2004


>>>>> "saravanan" == saravanan ganapathy <sarav_gsa at yahoo.com> writes:

    saravanan>   I need to configure dnssec to provide max security
    saravanan> for zone transfers and dynamic updates. I have read
    saravanan> some docs and understood that either TSIG or SIG(0) has
    saravanan> to be configured for this. Which one will be more secure?

It's impossible to answer that based on the information you've
provided. For starters, define "secure"... Or your threat model(s) and
trees. SIG(0) uses public-key crypto to authenticate dynamic DNS
updates. It can't be used for zone transfers. TSIG can be used for
authenticating both dynamic updates and zone transfers but relies on
the client and server having a shared secret.

    saravanan> If possible, give the links to configure with bind9.  (
    saravanan> I searched a lot and couldn't get a good document for
    saravanan> 'SIG(0) howto')

Consult the list archives. Ed Lewis from ARIN gave a tutorial on
SIG(0) and TSIG at the RIPE meeting in Rhodes 2 years ago. The URL for
the slides has been posted in this list several times already. And
here it is again:

   http://www.ripe.net/ripe/meetings/archive/ripe-43/tutorials/index.html#sdu
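To make the TSIG side of the answer concrete, here is a BIND 9 named.conf fragment (an added illustration, not from the thread or from the RIPE slides) that restricts both zone transfers and dynamic updates to holders of a shared TSIG secret, with the wide-open settings shown as comments beside the keyed ones. The zone name, addresses, key names and the secret value are placeholders.

```conf
// ---- primary (master) side ----

// One TSIG key per purpose, so a leaked transfer key cannot
// also be used to push updates. Secret is a placeholder:
// generate a real one with tsig-keygen (or dnssec-keygen on
// older BIND 9) and keep it out of world-readable files.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";
};

key "update-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-ANOTHER-BASE64-SECRET";
};

zone "example.com" {
    type master;
    file "db.example.com";

    // Weak: any host may pull the whole zone or rewrite it.
    //   allow-transfer { any; };
    //   allow-update   { any; };

    // Hardened: only requests signed with the right key are accepted.
    allow-transfer { key "xfer-key"; };
    update-policy {
        // "update-key" may change only A/AAAA/TXT records below the apex
        grant "update-key" subdomain example.com. A AAAA TXT;
    };
};

// ---- secondary (slave) side, 192.0.2.2 ----

key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // same secret as the primary
};

// Sign every query sent to the primary (192.0.2.1) with xfer-key,
// so AXFR/IXFR requests pass its allow-transfer check.
server 192.0.2.1 { keys { "xfer-key"; }; };

zone "example.com" {
    type slave;
    masters { 192.0.2.1; };
    file "bak.example.com";
};
```

A check that the restriction holds: an unsigned `dig @192.0.2.1 example.com AXFR` should be refused, while the same transfer signed with `-y hmac-sha256:xfer-key:<secret>` succeeds.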

