Secondary DNS question...

Chuck Peters cp at axs.org
Thu Jun 27 21:24:38 UTC 2013


On Thu, Jun 27, 2013 at 9:48 AM, SH Development <listaccount at starionline.com> wrote:


>  I have now moved all of my secondary to BuddyNS with much better
> redundancy...


They don't appear to support secure zone transfers with TKEY/TSIG or
DNSSEC.  http://www.buddyns.com/faq/#dns-extensions

I haven't found any free or low cost secondary DNS providers that support
TSIG, although some support DNSSEC.

I have been trying to get up to date info on secure zone transfers and most
of what I have seen on the web seems out of date or incorrect.  For example
most TSIG examples suggest using HMAC-MD5.  The Wikipedia DNSSEC page,
http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions says "Other
standards (not DNSSEC) are used to secure bulk data (such as a DNS zone
transfer <http://en.wikipedia.org/wiki/DNS_zone_transfer>) sent between DNS
servers." and points to the http://en.wikipedia.org/wiki/DNS_zone_transfer and
it doesn't even mention TKEY, TSIG, or DNSSEC and hints at using some other
backend database to secure transfers.

I'm not sure which crypto method would be best for securing zone transfers
and I haven't tested DNSSEC yet, but I have started using TSIG 512 bit
HMAC-SHA512.  Perhaps some of you can point us to current best practices?


Thanks,
Chuck
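As an added illustration of the setup Chuck describes (not part of the original mail), this script emits the BIND 9 named.conf fragments for a TSIG-protected zone transfer using hmac-sha512 with a 512-bit key. The zone name example.com, the key name xfer-example, and the documentation addresses 192.0.2.1 (primary) and 192.0.2.53 (secondary) are assumed sample values.

```sh
#!/bin/sh
# Added example: BIND 9 TSIG configuration for hmac-sha512 zone transfers.
# Assumed sample values: zone example.com, key xfer-example,
# primary 192.0.2.1, secondary 192.0.2.53 (RFC 5737 documentation range).

# 64 random bytes, base64-encoded: a 512-bit key, matching the HMAC-SHA512
# output size (a longer key adds nothing; a shorter one weakens the MAC).
gen_tsig_secret() {
    head -c 64 /dev/urandom | base64 | tr -d '\n'
}

# Decoded key length in bits, to confirm a secret really is 512 bits.
secret_bits() {
    printf '%s' "$1" | base64 -d | wc -c | awk '{ print $1 * 8 }'
}

# Shared key statement, identical on both servers: TSIG is symmetric, so the
# secret must reach the secondary over a channel other than DNS (e.g. ssh).
key_stanza() {
    printf 'key "%s" {\n    algorithm hmac-sha512;\n    secret "%s";\n};\n' "$1" "$2"
}

# Primary ("master" in 2013-era BIND): only requests signed with the key may
# pull the zone, so an unsigned AXFR from any address is refused.
primary_conf() {   # zone key secret secondary_ip
    key_stanza "$2" "$3"
    printf 'zone "%s" {\n    type master;\n    file "%s.zone";\n' "$1" "$1"
    printf '    allow-transfer { key "%s"; };\n    also-notify { %s; };\n};\n' "$2" "$4"
}

# Secondary ("slave"): sign every message to the primary, so the AXFR/IXFR
# request is authenticated and the returned zone data is integrity-checked.
secondary_conf() { # zone key secret primary_ip
    key_stanza "$2" "$3"
    printf 'server %s {\n    keys { "%s"; };\n};\n' "$4" "$2"
    printf 'zone "%s" {\n    type slave;\n    masters { %s; };\n    file "%s.db";\n};\n' "$1" "$4" "$1"
}

# Demo: generate one key and print both sides' fragments.
SECRET=$(gen_tsig_secret)
echo "# --- primary (192.0.2.1), key is $(secret_bits "$SECRET") bits ---"
primary_conf example.com xfer-example "$SECRET" 192.0.2.53
echo "# --- secondary (192.0.2.53) ---"
secondary_conf example.com xfer-example "$SECRET" 192.0.2.1

# Manual policy check against the primary (not run here):
#   dig @192.0.2.1 example.com AXFR                                   -> REFUSED
#   dig @192.0.2.1 example.com AXFR -y hmac-sha512:xfer-example:SECRET -> zone
```

The key statement is the only part that carries the secret; everything else in the fragments is safe to version-control.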

