tsig

Kevin Darcy kcd at daimlerchrysler.com
Tue Jan 24 23:56:39 UTC 2006


Gamer wrote:

>Two short questions:
>
>1. When I use a TSIG Keys and sniff the packets during e.g. a zone
>transfer, are the records still in plain text? If not, do I need DNSSEC
>then?
>  
>
AFAIK, neither of those actually encrypt the *data* in the DNS packets. 
They just provide crypto-authentication. The purpose of DNS is to 
publish information, after all, so most of the security efforts are 
aimed at making the information *trustworthy* rather than indecipherable.

>2. Why exactly is it better to use TSIG to avoid man-in-the-middle
>attacks? (instead of acls)
>
I assume you mean source-address-based ACLs, since ACLs can be based on 
TSIG keys too.

The general assumption is that it's easier for the bad guys to spoof a 
source IP address than it is for them to generate a verifiable 
crypto-signature without access to the key. The latter would involve a 
significant amount of number-crunching.

                                       - Kevin
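The two points in the reply (TSIG authenticates but does not encrypt, and a forger without the key cannot produce a valid MAC) can be seen directly by computing a TSIG MAC the way RFC 2845/4635 defines it. The code below is an added example, not part of the original post or of BIND; it signs a single constructed AXFR query with HMAC-SHA256 (a real AXFR chains the MAC across every message of the transfer, which is omitted here). The key, key name and timestamp are made-up values.

```python
import hashlib
import hmac
import struct

def wire_name(name: str) -> bytes:
    """DNS name in wire format, lowercased as TSIG's canonical form requires."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_axfr_query(zone: str, msg_id: int = 0x1234) -> bytes:
    """Minimal unsigned AXFR query: 12-byte header plus one question (type 252, class IN)."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", 252, 1)

def tsig_digest_input(message, key_name, time_signed, fudge=300, alg="hmac-sha256."):
    """Bytes the HMAC covers: the unsigned message, then the TSIG variables
    (key name, CLASS ANY, TTL 0, algorithm, 48-bit time, fudge, error, other-len)."""
    variables = (wire_name(key_name) + struct.pack("!HI", 255, 0)
                 + wire_name(alg)
                 + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
                 + struct.pack("!HHH", fudge, 0, 0))
    return message + variables

def tsig_mac(message, key, key_name, time_signed) -> bytes:
    data = tsig_digest_input(message, key_name, time_signed)
    return hmac.new(key, data, hashlib.sha256).digest()

def tsig_verify(message, mac, key, key_name, time_signed) -> bool:
    expected = tsig_mac(message, key, key_name, time_signed)
    return hmac.compare_digest(mac, expected)   # constant-time comparison

# Constructed sample values (not a real key): a shared secret and an AXFR request.
KEY = b"constructed-shared-secret-not-a-real-key"
KEY_NAME = "axfr-key."
TIME_SIGNED = 1138146999          # fixed 48-bit Unix time so the run is reproducible
MSG = build_axfr_query("example.com.")
MAC = tsig_mac(MSG, KEY, KEY_NAME, TIME_SIGNED)

def zone_name_is_plaintext(message: bytes = MSG) -> bool:
    """The reply's first point: the signed packet still carries the zone name readable."""
    return b"\x07example\x03com" in message

def tampered_message_fails() -> bool:
    """Flip the question type from AXFR to A in transit; the MAC no longer verifies."""
    tampered = MSG[:-4] + struct.pack("!HH", 1, 1)
    return not tsig_verify(tampered, MAC, KEY, KEY_NAME, TIME_SIGNED)

def wrong_key_fails() -> bool:
    """The reply's second point: without the shared key the MAC cannot be reproduced."""
    return not tsig_verify(MSG, MAC, b"guessed-key", KEY_NAME, TIME_SIGNED)
```

A sniffer sees the question section and, on a response, every record, unchanged; what it cannot do is alter them or inject a message that the receiver will accept.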
