<div dir="ltr">Thank you for the excellent advice, it is a lot clearer to me now.<div>I am checking the nsupdate & TSIG man pages for additional knowledge.</div><div>Outside of these man pages, are there any other references (tutorials/videos) that you would recommend?</div><div>Particularly around the area of TSIG key generation & management best practices?</div><div><br></div><div>Rgds,</div><div>Greg.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Apr 26, 2021 at 4:16 PM Tony Finch <<a href="mailto:dot@dotat.at">dot@dotat.at</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Anand Buddhdev <<a href="mailto:anandb@ripe.net" target="_blank">anandb@ripe.net</a>> wrote:<br>
><br>
<br>
Anand's advice is good, as usual :-)<br>
<br>
But a small pedantic point:<br>
<br>
> The DNS protocol itself has recently been updated to allow for<br>
> encryption, using DTLS (DNS-over-TLS).<br>
<br>
DTLS usually means "datagram TLS", i.e. TLS-over-UDP (RFC 6347). There's a<br>
spec for DNS-over-DTLS (RFC 8094) but I have not seen much enthusiasm for<br>
deploying it: DTLS combines all the disadvantages of UDP with all the<br>
disadvantages of TLS. (Or worse: DTLS has a more complicated state machine<br>
than normal TLS so there have been a bunch of DTLS-specific<br>
vulnerabilities which makes me very reluctant to deploy it.)<br>
<br>
There is a lot more enthusiasm for DNS-over-TLS (aka DoT) and<br>
DNS-over-HTTPS (aka DoH), and maybe in the future DNS-over-QUIC.<br>
<br>
But right now, none of these are particularly easy to get working as<br>
transports for UPDATE, and as Anand said, it usually isn't necessary.<br>
<br>
I'm looking forward to zone transfers over TLS, because public key<br>
authentication (with client certificates) is a bit easier to deploy<br>
between different organizations than TSIG secret key authentication.<br>
There's not such a clear benefit for UPDATE-over-TLS where I'm sitting,<br>
apart from the neatness of having all authenticated traffic over TLS.<br>
<br>
Tony.<br>
-- <br>
f.anthony.n.finch <<a href="mailto:dot@dotat.at" target="_blank">dot@dotat.at</a>> <a href="https://dotat.at/" rel="noreferrer" target="_blank">https://dotat.at/</a><br>
Bailey: Northeast 5 to 7. Moderate or rough. Showers at first. Good.<br>
<br>
</blockquote></div>
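<p>On the TSIG key generation and management question raised above, the following is an added example and is not code from anyone in this thread or from BIND. It generates a TSIG key in the same <code>key { ... }</code> stanza format that BIND's <code>tsig-keygen</code> emits and that <code>nsupdate -k</code> and <code>named.conf</code> read, sizes the secret to the full HMAC output length (the RFC 8945 recommendation), refuses hmac-md5, validates a stanza before use, and writes the key file with mode 0600 because the secret is a shared credential. The key name <code>update.example.</code> and the helper names are assumptions for illustration.</p>

```python
"""TSIG key generation and key-file hygiene (added example, not from the thread).
Output format matches BIND's tsig-keygen so the file works with nsupdate -k
and as a named.conf 'key' stanza."""
import base64
import os
import re
import secrets
import stat
import tempfile

# Secret size in bytes per algorithm, equal to the HMAC output length.
# hmac-md5 is deliberately absent so it can be neither generated nor accepted.
KEY_BYTES = {
    "hmac-sha256": 32,
    "hmac-sha384": 48,
    "hmac-sha512": 64,
}


def generate_tsig_key(name, algorithm="hmac-sha256"):
    """Return (name, algorithm, base64 secret) using a CSPRNG-backed secret
    of the full HMAC length. Rejects unknown or deprecated algorithms."""
    if algorithm not in KEY_BYTES:
        raise ValueError("unsupported or deprecated TSIG algorithm: " + algorithm)
    secret = base64.b64encode(secrets.token_bytes(KEY_BYTES[algorithm])).decode()
    return name, algorithm, secret


def render_key_stanza(name, algorithm, secret):
    """Render the named.conf 'key' stanza; the same text is what nsupdate -k reads."""
    return (
        f'key "{name}" {{\n'
        f"\talgorithm {algorithm};\n"
        f'\tsecret "{secret}";\n'
        "};\n"
    )


# Loose parser for the stanza shape above (whitespace-tolerant, one key per text).
STANZA_RE = re.compile(
    r'key\s+"(?P<name>[^"]+)"\s*\{\s*algorithm\s+(?P<alg>[\w-]+)\s*;\s*'
    r'secret\s+"(?P<secret>[A-Za-z0-9+/=]+)"\s*;\s*\}\s*;',
    re.S,
)


def validate_key_stanza(text):
    """Check a key stanza before deploying it: known algorithm, well-formed
    base64, and a secret no shorter than the HMAC length. Returns (ok, reason)."""
    m = STANZA_RE.search(text)
    if not m:
        return False, "not a key stanza"
    alg = m.group("alg").lower()
    if alg not in KEY_BYTES:
        return False, f"algorithm {alg} not allowed"
    try:
        raw = base64.b64decode(m.group("secret"), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "secret is not valid base64"
    if len(raw) < KEY_BYTES[alg]:
        return False, f"secret too short for {alg}: {len(raw)} bytes"
    return True, "ok"


def write_key_file(path, text):
    """Create the key file owner-read/write only (0600) from the start, so the
    secret is never briefly world-readable; returns the resulting mode bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, 0o600)  # tighten if an existing file or umask left it wider
    return stat.S_IMODE(os.stat(path).st_mode)


def main():
    """Generate, validate and write one key into a temp dir; returns the file mode."""
    stanza = render_key_stanza(*generate_tsig_key("update.example.", "hmac-sha256"))
    ok, reason = validate_key_stanza(stanza)
    if not ok:
        raise SystemExit("refusing to write key: " + reason)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "update.example.key")
        mode = write_key_file(path, stanza)
        print(f"wrote {path} mode {mode:o}; use with: nsupdate -k {path}")
        return mode


if __name__ == "__main__":
    main()
```

<p>The validation step is the part worth keeping around operationally: it is the check to run on any key file received from a partner before it goes into <code>named.conf</code>, since a short or MD5 secret weakens every UPDATE and AXFR it authenticates.</p>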