feature survey -- bind9 dnssec -- autogenerate missing signatures
Michael Richardson
mcr at sandelman.ottawa.on.ca
Thu Sep 4 14:34:18 UTC 2008
>>>>> "Jim" == Jim Reid <jim at rfc1035.com> writes:
Jim> Francis, this is all very well. People with DNSSEC clue will
Jim> use these sorts of beasts because they understand why keys need
Jim> to be properly protected. I'm far from convinced the typical
Jim> DNS admin (no DNSSEC clue) will understand this or deploy these
Jim> sorts of measures if they sign their zones. They'll inevitably
Jim> take the path of least resistance. Which would most probably
Jim> mean on-the-fly background signing if that was available and
Jim> the actual signing key on-line and in cleartext on the master
Jim> server.
Yes.
But, just remember: you haven't introduced any new attacks by having
the key available, unencrypted, on the DNS primary.
Someone who breaks into the DNS primary can change the zone already.
If you have the key online, the risk is the same.
Meanwhile, having signed zones has significantly reduced opportunities
for network attacks, so it's a win.
All security is a tradeoff.
--
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [