Using RNDC to control remote access to my BIND server

Greg Donohoe dubgregd at
Tue Apr 27 09:27:12 UTC 2021

Thank you for the excellent advice, it is a lot clearer to me now.
I am checking the nsupdate & TSIG man pages for additional knowledge.
Outside of these man pages, are there any other references
(tutorials/videos) that you would recommend?
Particularly around the area of TSIG key generation & management best


On Mon, Apr 26, 2021 at 4:16 PM Tony Finch <dot at> wrote:

> Anand Buddhdev <anandb at> wrote:
> >
> Anand's advice is good, as usual :-)
> But a small pedantic point:
> > The DNS protocol itself has recently been updated to allow for
> > encryption, using DTLS (DNS-over-TLS).
> DTLS usually means "datagram TLS", i.e. TLS-over-UDP (RFC 6347). There's a
> spec for DNS-over-DTLS (RFC 8094) but I have not seen much enthusiasm for
> deploying it: DTLS combines all the disadvantages of UDP with all the
> disadvantages of TLS. (Or worse: DTLS has a more complicated state machine
> than normal TLS so there have been a bunch of DTLS-specific
> vulnerabilities which makes me very reluctant to deploy it.)
> There is a lot more enthusiasm for DNS-over-TLS (aka DoT) and
> DNS-over-HTTPS (aka DoH), and maybe in the future DNS-over-QUIC.
> But right now, none of these are particularly easy to get working as
> transports for UPDATE, and as Anand said, it usually isn't necessary.
> I'm looking forward to zone transfers over TLS, because public key
> authentication (with client certificates) is a bit easier to deploy
> between different organizations than TSIG secret key authentication.
> There's not such a clear benefit for UPDATE-over-TLS where I'm sitting,
> apart from the neatness of having all authenticated traffic over TLS.
> Tony.
> --
> f.anthony.n.finch  <dot at>
> Bailey: Northeast 5 to 7. Moderate or rough. Showers at first. Good.
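The thread points at nsupdate and the TSIG man pages for key generation and management. The following is an added example, not code from the thread, BIND or tsig-keygen, that shows the two things a practitioner usually wants to check when handling TSIG keys: that a key statement in the named.conf "key" layout carries a current algorithm and a secret at least as long as the digest, and that signing and verifying both rely on the same shared secret (which is why Tony notes that TSIG is harder to deploy across organisations than client certificates). The parser, the key names and the message bytes are constructed for the example; the HMAC is computed over a plain message rather than the full RFC 8945 digest input.

```python
"""Generate and sanity-check BIND-style TSIG key statements (added example)."""
import base64
import hashlib
import hmac
import re
import secrets

# Hash constructors for the TSIG algorithms RFC 8945 requires or
# recommends. hmac-md5 is deliberately absent: RFC 8945 keeps it only
# for backwards compatibility, so a key file that uses it fails the check.
TSIG_ALGORITHMS = {
    "hmac-sha256": hashlib.sha256,
    "hmac-sha384": hashlib.sha384,
    "hmac-sha512": hashlib.sha512,
}


def generate_tsig_key(name: str, algorithm: str = "hmac-sha256") -> str:
    """Return a named.conf 'key' statement with a freshly generated secret.

    The secret is as long as the digest output: RFC 2104 strongly
    discourages HMAC keys shorter than the hash output.
    """
    if algorithm not in TSIG_ALGORITHMS:
        raise ValueError(f"unsupported TSIG algorithm: {algorithm}")
    size = TSIG_ALGORITHMS[algorithm]().digest_size
    secret = base64.b64encode(secrets.token_bytes(size)).decode("ascii")
    return (
        f'key "{name}" {{\n'
        f"\talgorithm {algorithm};\n"
        f'\tsecret "{secret}";\n'
        "};\n"
    )


# Hypothetical single-statement parser for the layout generated above
# (the same layout BIND's tsig-keygen prints); it does not parse a
# whole named.conf.
KEY_STATEMENT_RE = re.compile(
    r'key\s+"(?P<name>[^"]+)"\s*\{\s*'
    r"algorithm\s+(?P<algorithm>[A-Za-z0-9-]+)\s*;\s*"
    r'secret\s+"(?P<secret>[A-Za-z0-9+/=]+)"\s*;\s*'
    r"\}\s*;",
    re.IGNORECASE,
)


def parse_tsig_key(text: str) -> dict:
    """Extract name, algorithm and decoded secret from a key statement."""
    m = KEY_STATEMENT_RE.search(text)
    if m is None:
        raise ValueError("no key statement found")
    return {
        "name": m.group("name"),
        "algorithm": m.group("algorithm").lower(),
        "secret": base64.b64decode(m.group("secret"), validate=True),
    }


def check_tsig_key(key: dict) -> None:
    """Reject legacy algorithms and secrets shorter than the digest output."""
    algo = TSIG_ALGORITHMS.get(key["algorithm"])
    if algo is None:
        raise ValueError(f"algorithm {key['algorithm']} is not allowed")
    need = algo().digest_size
    if len(key["secret"]) < need:
        raise ValueError(f"secret is {len(key['secret'])} bytes, need >= {need}")


def tsig_mac(key: dict, message: bytes) -> bytes:
    """HMAC over a message with the shared secret.

    Real TSIG (RFC 8945 section 4.3) feeds the DNS message plus the TSIG
    variables into the HMAC; this shows only the shared-secret step.
    """
    check_tsig_key(key)
    return hmac.new(key["secret"], message, TSIG_ALGORITHMS[key["algorithm"]]).digest()


def tsig_verify(key: dict, message: bytes, mac: bytes) -> bool:
    """Verifier side: recompute with the same secret, compare in constant time."""
    return hmac.compare_digest(tsig_mac(key, message), mac)


if __name__ == "__main__":
    statement = generate_tsig_key("update-key.example.")
    print(statement)
    key = parse_tsig_key(statement)
    check_tsig_key(key)
    msg = b"constructed UPDATE message"  # stand-in for the wire-format request
    mac = tsig_mac(key, msg)
    print("verify:", tsig_verify(key, msg, mac))
    print("tampered:", tsig_verify(key, msg + b"!", mac))
```

Running the block prints a key statement in the layout named.conf expects, then True for the untampered message and False for the altered one. Because both sides hold the identical secret, the same file (or a copy of it) has to be distributed to every party that signs or verifies, which is the key-management burden the thread contrasts with certificate-based authentication.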
