Secondary DNS question...

Mark Andrews marka at
Thu Jun 27 22:01:27 UTC 2013

In message <CAA+8RQZAC727V1KjRvVS4jf4ukM13eaU5di2ET+uBc-G2Sa5jg at>
, Chuck Peters writes:
> On Thu, Jun 27, 2013 at 9:48 AM, SH Development <listaccount at> wrote:
> >  I have now moved all of my secondary to BuddyNS with much better
> > redundancy...
> They don't appear to support secure zone transfers with TKEY/TSIG or
> I haven't found any free or low cost secondary DNS providers that support
> TSIG, although some support DNSSEC.
> I have been trying to get up to date info on secure zone transfers and
> most of what I have seen on the web seems out of date or incorrect.  For
> example most TSIG examples suggest using HMAC-MD5.  The Wikipedia DNSSEC
> page,
> says "Other standards (not DNSSEC) are used to secure bulk data (such as
> a DNS zone transfer <>)
> sent between DNS servers." and points to the
> and it doesn't even
> mention TKEY, TSIG, or DNSSEC and hints at using some other backend
> database to secure transfers.
> I'm not sure which crypto method would be best for securing zone
> transfers and I haven't tested DNSSEC yet, but I have started using TSIG
> 512 bit HMAC-SHA512.  Perhaps some of you can point us to current best
> practices?

Securing zone transfers is about access control, ensuring you are
talking to the party you think you are (both ways) and detecting
tampering of the stream.  TSIG gives you that.

While MD5 is weak and is being phased out, there is no evidence that
HMAC-MD5 suffers as a result of those weaknesses.

> Thanks,
> Chuck

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at
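As an added illustration of the TSIG-protected transfer the reply describes (this is not part of the thread or of ISC's own examples), here is a BIND 9 named.conf fragment for a primary and a secondary sharing one HMAC-SHA512 key. The key name, zone name, file paths and the 192.0.2.x addresses are assumptions, and the secret is a placeholder to be replaced with the output of tsig-keygen.

```conf
# --- shared by both servers (generate with: tsig-keygen -a hmac-sha512 xfer-key) ---
key "xfer-key" {
    algorithm hmac-sha512;
    secret "PLACEHOLDER-REPLACE-WITH-BASE64-FROM-tsig-keygen";
};

# --- primary (192.0.2.1) ---
# Sign NOTIFYs sent to the secondary so it can verify where they came from.
server 192.0.2.53 {
    keys { "xfer-key"; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    # Only requests signed with the key may transfer; no IP-based allow list.
    allow-transfer { key "xfer-key"; };
    also-notify { 192.0.2.53; };
    notify yes;
};

# --- secondary (192.0.2.53) ---
# Sign every SOA query and AXFR/IXFR request sent to the primary; the primary
# signs its responses with the same key, which is what gives you both directions.
server 192.0.2.1 {
    keys { "xfer-key"; };
};

zone "example.com" {
    type slave;
    masters { 192.0.2.1; };
    file "sec/example.com.zone";
    # Accept NOTIFY only when it carries a valid signature.
    allow-notify { key "xfer-key"; };
};
```

To confirm the primary refuses unsigned transfers, run `dig @192.0.2.1 example.com AXFR` (expect "Transfer failed") and then repeat with `-y hmac-sha512:xfer-key:<secret>` to see the signed transfer succeed.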
