To: dnssec@cafax.se
cc: malin@sunet.se, adrian@sunet.se, jocke@sunet.se
From: Måns Nilsson <mansaxel@sunet.se>
Date: Fri, 11 Jan 2002 13:21:27 +0100
Content-Disposition: inline
Sender: owner-dnssec@cafax.se
Subject: Zone transfers in DNSSEC.
Hi,
I have a question wrt secure zone transfers. The usual word -- as I recall
-- on securing them seems to be that one should use TSIG to protect them,
because DNSSEC in itself does not help with this specific situation; no
validation is done.
And this concurs with my tests of BIND 9.2.0[0].
But, on reading RFC 2535 I notice this passage:
5.6 Zone Transfers
The subsections below describe how full and incremental zone
transfers are secured.
SIG RRs secure all authoritative RRs transferred for both full and
incremental [RFC 1995] zone transfers. NXT RRs are an essential
element in secure zone transfers and assure that every authoritative
name and type will be present; however, if there are multiple SIGs
with the same name and type covered, a subset of the SIGs could be
sent as long as at least one is present and, in the case of unsigned
delegation point NS or glue A or AAAA RRs a subset of these RRs or
simply a modified set could be sent as long as at least one of each
type is included.
and a bit further down:
5.6.1 Full Zone Transfers
To provide server authentication that a complete transfer has
occurred, transaction authentication SHOULD be used on full zone
transfers. This provides strong server based protection for the
entire zone in transit.
So, what is the word?
--
Måns Nilsson Systems Specialist
+46 70 681 7204 KTHNOC
MN1334-RIPE
[0] This is how I tested:
* Set up zone on master, create keys, (self-)sign.
* Transfer zone key to slave OOB, include as trusted in named.conf,
set up slave zone directive, reload.
* Modify the signed zone on the master, i.e. tamper with it, and reload.
(Now the SIGs shouldn't validate, right?)
* Stop the slave, remove the backup file, and start again.
* Watch a zone transfer being made from the master to the slave.
* Query the slave for a known tampered-with record, and get an AA
response back. AXFRs also work.
In my little head ;) this looks like the slave skips checking on AXFRs?
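For reference, the TSIG setup that the post refers to as "the usual word" for protecting transfers, written out as an added example in BIND 9.2-era named.conf syntax. This is not configuration from the original post; the zone name, the address 192.0.2.1, the key name axfr-key and the secret are placeholders.

```conf
# Added example (not from the original post): TSIG-protected zone transfer
# between a master and a slave, BIND 9.2-era syntax. All names, addresses
# and the secret are placeholders.
#
# 1. Generate a shared secret once (hmac-md5 is the TSIG algorithm BIND 9.2
#    supports):
#      dnssec-keygen -a HMAC-MD5 -b 128 -n HOST axfr-key
#    and copy the base64 "Key:" value from the generated .private file into
#    both named.conf files out of band, the same way the post moves the
#    zone key to the slave.

# --- master named.conf ---------------------------------------------------
key "axfr-key" {
    algorithm hmac-md5;
    secret "<base64 secret from dnssec-keygen goes here>";   # placeholder
};

zone "example.com" {
    type master;
    file "example.com.signed";
    # Only AXFR/IXFR requests carrying a valid axfr-key TSIG are answered;
    # an unsigned transfer request is refused.
    allow-transfer { key "axfr-key"; };
};

# --- slave named.conf ----------------------------------------------------
key "axfr-key" {
    algorithm hmac-md5;
    secret "<same base64 secret as on the master>";         # placeholder
};

# Sign every request sent to this master with axfr-key, so both the
# transfer request and the transferred records are covered by the TSIG MAC.
server 192.0.2.1 {
    keys { "axfr-key"; };
};

zone "example.com" {
    type slave;
    masters { 192.0.2.1; };
    file "bak/example.com";
};
```

To check the setup from the slave host, `dig @192.0.2.1 example.com AXFR -y axfr-key:<secret>` should return the zone, while the same query without `-y` should come back REFUSED. Note what TSIG does and does not give you: it authenticates the peer and the integrity of the data in transit, so the slave knows the transfer came unmodified from the configured master. It says nothing about whether the zone contents on the master are what they should be; a zone that was tampered with on the master and then reloaded, as in test [0], is transferred just as faithfully, which is consistent with the observation that the slave does not check the SIGs it receives over AXFR.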