How secure is rndc?

Chris Thompson cet1 at hermes.cam.ac.uk
Thu Dec 21 22:33:29 UTC 2006


On Dec 21 2006, Len Conrad wrote:

>>Then share with us, please?  Yes or no?
>
>all of the above.
>
>securing RNDC transactions with TSIG is optional.

Should we really be calling this securing-by-key "TSIG"? As that is 
a mechanism for signing DNS requests, and I take it that what goes
over the RNDC channel is somewhat different.

"Moral equivalent of TSIG" I can believe.

>generate a key,
>put the same key statement in rndc.conf and named.conf, and
>your RNDC is TSIG secured.

Personally, I always put keys in a separate file "include"d from 
named.conf, to keep control over its permissions. (If rndc is being
used from the local system, you can make it use the same file via -k.)

What would worry me about the visibility of the unencrypted data passing
over possibly snoopable networks is replay attacks. The time window 
("Fudge") in the TSIGs generated by nsupdate is fairly generous: what 
is the corresponding value for rndc? DNS updates can be made inherently 
safe against replay by using PREREQs, but I can think of lots of rndc
commands I would hate to have repeated! (querylog? dontcha just love
those toggle switches? :-))

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
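
Added example, not part of the original message: a small shell audit for the practice described above of keeping key statements in a separately "include"d file with controlled permissions. The function names are hypothetical helpers, not BIND tools. It assumes include paths are absolute and treats any permission bit for "other" as exposure.

```sh
#!/bin/sh
# Added example: report any named.conf, or file it includes, that holds a key
# secret while being accessible to users outside the owner and group.
# Assumption: include paths are absolute (named resolves relative ones
# against its working directory, which this sketch does not model).

# Print the paths named by include statements in the given file.
list_includes() {
    sed -n 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)"[[:space:]]*;.*/\1/p' "$1"
}

# Succeed if the file contains a secret "..." clause of a key statement.
has_inline_secret() {
    grep -Eq '(^|[[:space:];{])secret[[:space:]]+"' "$1"
}

# Succeed if "other" has any permission bit set (symlinks are followed).
is_world_accessible() {
    [ "$(ls -ldL "$1" | cut -c8-10)" != "---" ]
}

# Print one FAIL line per exposed secret-bearing file; print nothing if clean.
audit_named_conf() {
    { printf '%s\n' "$1"; list_includes "$1"; } | while IFS= read -r f; do
        if [ ! -r "$f" ]; then
            echo "WARN: cannot read $f"
            continue
        fi
        if has_inline_secret "$f" && is_world_accessible "$f"; then
            echo "FAIL: $f holds a key secret and is accessible to other users"
        fi
    done
}

# Stand-alone use: sh audit.sh /path/to/named.conf
if [ $# -gt 0 ]; then
    audit_named_conf "$1"
fi
```

An empty result means every secret-bearing file found is closed to "other"; the same key file can then be handed to rndc with -k, as the message notes.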


