Using RNDC to control remote access to my BIND server

Tony Finch dot at
Mon Apr 26 15:16:46 UTC 2021

Anand Buddhdev <anandb at> wrote:

Anand's advice is good, as usual :-)

But a small pedantic point:

> The DNS protocol itself has recently been updated to allow for
> encryption, using DTLS (DNS-over-TLS).

DTLS usually means "datagram TLS", i.e. TLS-over-UDP (RFC 6347). There's a
spec for DNS-over-DTLS (RFC 8094) but I have not seen much enthusiasm for
deploying it: DTLS combines all the disadvantages of UDP with all the
disadvantages of TLS. (Or worse: DTLS has a more complicated state machine
than normal TLS so there have been a bunch of DTLS-specific
vulnerabilities which makes me very reluctant to deploy it.)

There is a lot more enthusiasm for DNS-over-TLS (aka DoT) and
DNS-over-HTTPS (aka DoH), and maybe in the future DNS-over-QUIC.

But right now, none of these are particularly easy to get working as
transports for UPDATE, and as Anand said, it usually isn't necessary.

I'm looking forward to zone transfers over TLS, because public key
authentication (with client certificates) is a bit easier to deploy
between different organizations than TSIG secret key authentication.
There's not such a clear benefit for UPDATE-over-TLS where I'm sitting,
apart from the neatness of having all authenticated traffic over TLS.

f.anthony.n.finch  <dot at>
Bailey: Northeast 5 to 7. Moderate or rough. Showers at first. Good.
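
[Added example, not part of the message above.] The deployment contrast Tony draws between TSIG shared secrets and TLS client certificates for zone transfers can be seen in named.conf. This fragment is not from the post or from ISC; it assumes the BIND 9.18 TLS syntax (the `tls` block, `listen-on ... tls`, `allow-transfer ... transport tls`, and `primaries ... tls`), which shipped after this message was written. The zone name, addresses, file paths, key name and hostname are placeholders.

```conf
// --- Option A: TSIG. Both organisations must hold the same secret, exchanged
// out of band, and rotate it together.  (Placeholder key name and secret.)
key "partner-xfer" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET-SHARED-OUT-OF-BAND";
};

// --- Option B: XFR over TLS with client-certificate authentication. Each side
// only needs to trust the other's issuing CA; no shared secret is exchanged.

// Primary side
tls xfr-tls {
    key-file  "/etc/bind/tls/primary.key";     // placeholder path
    cert-file "/etc/bind/tls/primary.crt";     // placeholder path
    // CA that issued the secondary's client certificate; presence of ca-file in a
    // tls block used for listen-on makes named require and verify client certs
    ca-file   "/etc/bind/tls/partner-ca.pem";
};

options {
    listen-on    port 853 tls xfr-tls { any; };
    listen-on-v6 port 853 tls xfr-tls { any; };
};

zone "example.net" {
    type primary;
    file "/etc/bind/zones/example.net.db";
    // Option A would be:  allow-transfer { key partner-xfer; };
    // Option B: only TLS-authenticated clients on 853 may transfer; plain
    // TCP/UDP 53 requests for AXFR/IXFR are refused.
    allow-transfer port 853 transport tls { 192.0.2.0/24; };
};

// Secondary side (separate named.conf at the partner organisation)
tls xfr-tls {
    key-file  "/etc/bind/tls/secondary.key";   // placeholder path
    cert-file "/etc/bind/tls/secondary.crt";   // client certificate shown to the primary
    ca-file   "/etc/bind/tls/primary-ca.pem";  // CA that issued the primary's server cert
    remote-hostname "ns1.example.net";         // enables strict TLS: verify the primary's cert name
};

zone "example.net" {
    type secondary;
    file "/var/cache/bind/example.net.db";
    primaries { 192.0.2.1 port 853 tls xfr-tls; };
};
```

Two things to check after deploying this: that a transfer attempted over plain port 53 is refused (`dig @192.0.2.1 example.net AXFR` should get REFUSED), and that a client without a certificate chaining to `partner-ca.pem` cannot complete the TLS handshake. Note that Option B authenticates the transport, not the zone data itself; DNSSEC, not TLS, is still what lets a downstream resolver verify the records.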
