Some operational questions about TSIG / XoT

Michael De Roover isc at nixmagic.com
Sat Mar 8 06:35:37 UTC 2025 

Hi all,

Currently I'm reading a couple of articles about TSIG and XoT, to better understand how XFR 
between networks can be done securely. For this, I am currently looking at these resources:

- https://www.ietf.org/rfc/rfc9103.html[1]
- https://dnsprivacy.org/encrypted-zone-transfer/[2]
- https://bind9.readthedocs.io/en/stable/chapter7.html#tsig[3]

Not directly related:
- https://kb.isc.org/docs/aa-00851#example-3-adding-a-second-server[4]
Perhaps the footnote "Further information on TSIG" could use a re-reference to Chapter 7.5? 
Nonetheless, this is how I found the TSIG documentation.

Currently, the network configuration would be three LANs that talk to each other over two VPNs 
(WireGuard). The primary LAN has 3 name servers, 1 primary and 2 secondaries. Only ns1 is 
expected to perform XFR, maybe ns2 if need be. Not sure how that affects operational 
availability vs. security.

The secondary LAN is a more fleshed out version of a road warrior setup, it is what I take with 
me for travel. This has one or two name servers at most. Each of these networks has a local 
zone, for which it is a local primary and secondary for the other.

The third network is just something internal to my laptop, so it can be a child of either of the 
previous networks, or whatever else that laptop connects to (via double NAT).

They each communicate with each other via a gateway / set of VRRP gateways, over the 
WireGuard tunnels. During XFR receipt, the receiving DNS server sees the XFR as if it's coming 
from that local gateway. This is.. not ideal.

So that's where TSIG or XoT would come into play. So far, it seems that TSIG is just a signed 
plaintext transfer, while XoT would encapsulate the whole thing in TLS. Both of them seem to 
have their merits, but would XoT be necessary if WireGuard is encrypting the "public" part of the 
connection anyway?

Another thing I noticed in VRRP in particular, is that by default it uses anycast and just passes 
on the secret itself in plain to all network members. So anyone with a packet sniffer can just.. 
well, sniff it and pull a "look at me, I am the gateway now". Unicast is possible but not default 
and seemingly only for keepalived. How's the situation here with TSIG? Are the transactions only 
given a signature, or the shared secret itself?

As far as XoT is concerned, I like that it adds another layer of encryption, but that would have to 
be self-signed. Also, how's that for troubleshooting? I'd rather not have to deal with the pain in 
the rear of TLS MiTM during such times. So far I think I'm more inclined towards just having 
WireGuard deal with that, and leave everything else transparent to me. But any amount of 
anycast or secrets exposure would be a dealbreaker here.

What are your thoughts on this?

N.B.: I liked this note in the views article: "DNS servers are social creatures and like to have 
company, so the operator of this network has decided to add a second DNS server."

Your work on the ARM is amazing Suzanne, and indeed we/they are :)

-- 
Met vriendelijke groet,
Michael De Roover

Mail: isc at nixmagic.com
Web: michael.de.roover.eu.org

--------
[1] https://www.ietf.org/rfc/rfc9103.html
[2] https://dnsprivacy.org/encrypted-zone-transfer/
[3] https://bind9.readthedocs.io/en/stable/chapter7.html#tsig
[4] https://kb.isc.org/docs/aa-00851#example-3-adding-a-second-server
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20250308/803ccca2/attachment.htm>

More information about the bind-users mailing list