tsig
Kevin Darcy
kcd at daimlerchrysler.com
Tue Jan 24 23:56:39 UTC 2006
Gamer wrote:
>Two short questions:
>
>1. When I use a TSIG Keys and sniff the packets during e.g. a zone
>transfer, are the records still in plain text? If not, do I need DNSSEC
>then?
>
AFAIK, neither of those actually encrypt the *data* in the DNS packets.
They just provide crypto-authentication. The purpose of DNS is to
publish information, after all, so most of the security efforts are
aimed at making the information *trustworthy* rather than indecipherable.
>2. Why exactly is it better to use TSIG to avoid man-in-the-middle
>attacks ? (instead of acls)
>
I assume you mean source-address-based ACLs, since ACLs can be based on
TSIG keys too.
The general assumption is that it's easier for the bad guys to spoof a
source IP address than it is for them to generate a verifiable
crypto-signature without access to the key. The latter would involve a
significant amount of number-crunching.
- Kevin
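To make Kevin's two points concrete (TSIG authenticates but does not encrypt; a spoofed source address gets an attacker nothing without the key), here is an added example that is not part of the original post or of BIND. It computes and checks a TSIG MAC the way RFC 2845/4635 describe for a request (HMAC over the unsigned DNS message followed by the TSIG variables, using hmac-sha256), over a constructed AXFR query. The key name, secret, zone and timestamp are made-up sample values; `demo()` is a helper written for this example, not a BIND API.

```python
"""Added example (not from the original post): minimal TSIG signing and
verification in the style of RFC 2845/4635, to show that the DNS message
travels in cleartext and that only the shared key lets a party produce a MAC."""
import hashlib
import hmac
import struct

# Constructed sample data for the example: key name, secret and zone are made up.
KEY_NAME = "xfer-key.example."
ALGORITHM = "hmac-sha256."          # RFC 4635 TSIG algorithm name
SECRET = b"constructed-shared-secret-not-a-real-key"
ZONE = "example.com."


def encode_name(name: str) -> bytes:
    """Wire-format a domain name; lowercase because TSIG digests canonical names."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """A bare AXFR query: 12-byte header (QDCOUNT=1) plus one question (QTYPE=252 AXFR, QCLASS=IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", 252, 1)
    return header + question


def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """The TSIG 'variables' digested together with the message (RFC 2845 s3.4.2):
    key name, CLASS=ANY, TTL=0, algorithm name, 48-bit time signed, fudge, error, other data."""
    return (encode_name(key_name)
            + struct.pack("!HI", 255, 0)
            + encode_name(algorithm)
            + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other))
            + other)


def tsig_mac(secret, message, key_name, algorithm, time_signed, fudge):
    """HMAC over the unsigned DNS message followed by the TSIG variables (request case, no prior MAC)."""
    data = message + tsig_variables(key_name, algorithm, time_signed, fudge)
    return hmac.new(secret, data, hashlib.sha256).digest()


def verify_tsig(secret, message, mac, key_name, algorithm, time_signed, fudge, now):
    """Verify as a receiver would: time signed must fall within +/- fudge seconds of the
    receiver's clock (RFC 2845 s4.5.2) and the MAC must match, compared in constant time."""
    if abs(now - time_signed) > fudge:
        return False
    expected = tsig_mac(secret, message, key_name, algorithm, time_signed, fudge)
    return hmac.compare_digest(expected, mac)


def demo():
    """Return the outcomes of the cases discussed in the post."""
    time_signed = 1138146999   # constructed epoch timestamp; 'now' values below are relative to it
    fudge = 300
    msg = build_axfr_query(ZONE)
    mac = tsig_mac(SECRET, msg, KEY_NAME, ALGORITHM, time_signed, fudge)

    # 1. the zone name is readable by anyone sniffing the wire; TSIG does not hide it
    zone_in_clear = b"\x07example\x03com" in msg

    # 2. the legitimate peer, holding the same secret, verifies the MAC
    genuine_ok = verify_tsig(SECRET, msg, mac, KEY_NAME, ALGORITHM, time_signed, fudge, now=time_signed + 10)

    # 3. an on-path attacker alters the message (here: the transaction ID); the MAC no longer matches
    tampered = bytes([0xDE, 0xAD]) + msg[2:]
    tampered_ok = verify_tsig(SECRET, tampered, mac, KEY_NAME, ALGORITHM, time_signed, fudge, now=time_signed + 10)

    # 4. a spoofed source address is irrelevant to the MAC; without the secret the attacker's MAC is wrong
    forged_mac = tsig_mac(b"attacker-guess", msg, KEY_NAME, ALGORITHM, time_signed, fudge)
    forged_ok = verify_tsig(SECRET, msg, forged_mac, KEY_NAME, ALGORITHM, time_signed, fudge, now=time_signed + 10)

    # 5. replaying a captured, validly signed message outside the fudge window is rejected
    replay_ok = verify_tsig(SECRET, msg, mac, KEY_NAME, ALGORITHM, time_signed, fudge, now=time_signed + 3600)

    return {"zone_in_clear": zone_in_clear, "genuine_ok": genuine_ok,
            "tampered_ok": tampered_ok, "forged_ok": forged_ok, "replay_ok": replay_ok}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The example covers only the request case; a real implementation also folds the request MAC into the digest of the response and chains MACs across the messages of a multi-packet AXFR. In BIND the key-based ACL Kevin refers to is the `allow-transfer { key <name>; };` form in named.conf, as opposed to listing peer addresses.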