Do I need TSIG for zone transfer on an intranet env?

April xiaoxia2005a at yahoo.com
Sun Jul 2 16:13:42 UTC 2006


Sounds like you are the person also working on DNS, which is quite
different from the Security people working in a large enterprise.

However, if you implement TSIG, then you may have to come back using
ACL to allow Windows DNS for zone transfer.  My understanding is that
Windows DNS will not support TSIG to do zone transfer from BIND?

Joseph S D Yao wrote:
> On Wed, Jun 28, 2006 at 06:15:31PM -0700, April wrote:
> >
> > that's true .. however how many people in Security really know DNS?  ;-)
> >
> > What I should ask probably is in general, should ACL or TSIG be
> > implemented in an intranet env?
>
> I do.  It helps me check off a box that someone comes to ask me about
> every once in a while, and it is virtually no trouble at all.
>
> The trouble comes when you need to schedule regular key updates, and
> figuring out how to do that if you don't have remote 'ssh' access
> yourself.
>
> --
> Joe Yao
> -----------------------------------------------------------------------
>    This message is not an official statement of OSIS Center policies.
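
The mixed setup discussed in this thread (TSIG for BIND secondaries, an address ACL for a Windows DNS secondary that cannot sign transfers), sketched as a BIND named.conf fragment. This is an added example, not configuration posted by anyone in the thread; the zone name, key name, file path, IP addresses and secret are constructed placeholders.

```conf
// ---- primary: named.conf (constructed example) ----

// Shared secret used to sign zone transfers. Generate a real one with
// tsig-keygen (or dnssec-keygen on older BIND) and keep this file
// readable only by the named user.
key "xfer-key" {
    algorithm hmac-sha256;                 // assumption: both ends support it
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder, not a real key
};

// Secondaries that cannot do TSIG are listed by address only.
// 192.0.2.53 is a documentation address standing in for the Windows DNS host.
acl "no-tsig-secondaries" {
    192.0.2.53;
};

zone "example.internal" {
    type master;
    file "zones/example.internal.db";

    // A transfer is allowed if EITHER element matches:
    //   - the request is signed with xfer-key, or
    //   - it comes from an address in the ACL.
    // The address match is the weaker of the two checks, so keep that
    // ACL as short as possible.
    allow-transfer { key "xfer-key"; no-tsig-secondaries; };
};

// ---- BIND secondary: named.conf (constructed example) ----

// Same key statement as on the primary, then tell named to sign
// everything it sends to the primary (198.51.100.1 here) with it.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";
};

server 198.51.100.1 {
    keys { "xfer-key"; };
};

zone "example.internal" {
    type slave;
    masters { 198.51.100.1; };
    file "slaves/example.internal.db";
};
```

Rotating the key, the chore mentioned in the quoted reply, means changing the `secret` on the primary and every TSIG secondary together and reloading each server.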



More information about the bind-users mailing list