DNSSEC ISSUE (Msg: Request is not signed)
Edward Lewis
Ed.Lewis at neustar.biz
Tue Jul 17 15:17:32 UTC 2007
At 17:03 +0900 7/17/07, Curt Sampson wrote:
>Actually, my main interest is just in making sure that my zones are valid
>before I load them into my server. (I.e., they got from the place where
>I sign them out to my servers without damage.) Is there a tool kicking
>around that validates them?
Most folks rely on VPN and host security to make sure the zone gets
to the master okay (if "valid" means uncorrupted). After that you
have the option of TSIG covering XFR's or you can use some protected
non-DNS-standard (yet widely popular or some-other-standard) means of
replicating the data on each server.
I.e., most deal with such a threat (corruption between the signer and
the server) via prevention instead of detection. Partly because the
preventative measures are already in place for other institutional
activities (like protecting the web server).
If you mean "valid" as in syntactically correct, folks rely on BIND
to tell them. If you mean complete, then you can use file
checksums. There are many ways to define "valid" come to think of it.
More or less, the DNS protocol engineers punted that question to the
host security and operations staff people.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
Think glocally. Act confused.
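The "file checksums" approach Ed mentions, worked through as an added example that is not part of the original thread and not a BIND tool: the signing host writes a small manifest (SHA-256, byte length, SOA serial) next to the signed zone, and the server checks the copy it received against that manifest before handing the file to named. The zone text, the manifest layout and the function names (make_manifest, verify_zone, demo) are assumptions for illustration; the sample zone is constructed.

```python
"""Detect corruption, truncation or a stale copy of a signed zone file
between the signing host and the name server, using a checksum manifest.

Added example, not from the bind-users thread or from BIND itself.
Assumes the signer emits the signed zone plus a manifest dict holding
SHA-256, byte length and SOA serial, and that the manifest travels with
the file. The zone below is constructed sample data.
"""
import hashlib
import re

# Constructed sample: a minimal signed zone in presentation format.
SIGNED_ZONE = b"""\
$ORIGIN example.test.
$TTL 3600
@   IN SOA  ns1 hostmaster 2007071701 7200 900 1209600 3600
@   IN RRSIG SOA 5 2 3600 20070816000000 20070717000000 12345 example.test. AAAA=
@   IN NS   ns1
@   IN RRSIG NS 5 2 3600 20070816000000 20070717000000 12345 example.test. BBBB=
ns1 IN A    192.0.2.1
ns1 IN RRSIG A 5 3 3600 20070816000000 20070717000000 12345 example.test. CCCC=
"""

# Owner, optional TTL, class IN, SOA, MNAME, RNAME, then the serial.
SOA_RE = re.compile(rb"^\S*\s+(?:\d+\s+)?IN\s+SOA\s+\S+\s+\S+\s+(\d+)", re.M)


def make_manifest(zone_bytes: bytes) -> dict:
    """Produced on the signing host right after the zone is signed."""
    m = SOA_RE.search(zone_bytes)
    if m is None:
        raise ValueError("no SOA record found; refusing to publish")
    return {
        "sha256": hashlib.sha256(zone_bytes).hexdigest(),
        "length": len(zone_bytes),
        "serial": int(m.group(1)),
    }


def verify_zone(zone_bytes: bytes, manifest: dict) -> list:
    """Run on the server before the file is loaded.

    Returns the names of the checks that failed; an empty list means the
    copy is byte-for-byte what the signer produced.
    """
    failures = []
    if len(zone_bytes) != manifest["length"]:
        failures.append("length")   # truncated or padded in transit
    if hashlib.sha256(zone_bytes).hexdigest() != manifest["sha256"]:
        failures.append("sha256")   # at least one byte changed
    m = SOA_RE.search(zone_bytes)
    if m is None or int(m.group(1)) != manifest["serial"]:
        failures.append("serial")   # wrong or stale copy of the zone
    return failures


def demo() -> dict:
    """Exercise the checks on an intact copy and three damaged ones."""
    manifest = make_manifest(SIGNED_ZONE)
    truncated = SIGNED_ZONE[:-40]                                   # cut mid-record
    tampered = SIGNED_ZONE.replace(b"192.0.2.1", b"192.0.2.9")      # same length
    stale = SIGNED_ZONE.replace(b"2007071701", b"2007071700")       # older serial
    return {
        "intact": verify_zone(SIGNED_ZONE, manifest),
        "truncated": verify_zone(truncated, manifest),
        "tampered": verify_zone(tampered, manifest),
        "stale": verify_zone(stale, manifest),
    }


if __name__ == "__main__":
    for name, failed in demo().items():
        print(f"{name:10s} {'OK' if not failed else 'FAILED: ' + ', '.join(failed)}")
```

This covers the signer-to-master leg that Ed says most people protect by prevention (VPN, host security); the manifest adds detection, and a mismatch should block the load rather than just log. For the master-to-secondary leg, TSIG on the AXFR/IXFR, as Ed notes, is the standard control, and a syntax check with BIND's own checker before loading is still needed, since a checksum only proves the file is the one the signer wrote, not that the signer wrote a correct one.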