To: Måns Nilsson <mansaxel@sunet.se>
Cc: dnssec@cafax.se, <malin@sunet.se>, <adrian@sunet.se>, <jocke@sunet.se>
From: Jakob Schlyter <jakob@crt.se>
Date: Fri, 11 Jan 2002 18:13:12 +0100 (CET)
In-Reply-To: <75130000.1010751687@slimsixten>
Sender: owner-dnssec@cafax.se
Subject: Re: Zone transfers in DNSSEC.

On Fri, 11 Jan 2002, Måns Nilsson wrote:

> I have a question wrt secure zone transfers. The usual word -- as I recall
> -- on securing them seems to be that one should use TSIG to protect them,
> because DNSSEC in itself does not help with this specific situation; no
> validation is done.

the configuration of tsig has nothing to do with the signing of the zone
itself. you can use tsig to protect the zone transfer of any zone - signed
or not. tsig authenticates the zone transfer, and any other query between
a pair of hosts if you like to, using a shared secret.

there is some more, although very brief, information on tsig in the bind
manual (arm) section 4.4.

	jakob
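
An added example, not part of the original message or of the BIND manual: a named.conf sketch of the setup described above, with one shared TSIG key authenticating transfers between a pair of hosts whether or not the zone is signed. The key name, zone name, file paths, addresses, algorithm choice and the secret placeholder are all assumptions.

```conf
# ---- Both hosts: the same shared secret (key name and algorithm must match) ----
# The secret is a placeholder; generate a real one, for example with
#   tsig-keygen -a hmac-sha256 xfer-key
# and keep the file holding it readable only by the named user.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";
};

# ---- Primary (assumed address 192.0.2.1) ----
zone "example.com" {
    type master;
    # The zone file can be signed or unsigned; TSIG covers the
    # transfer itself, not the zone contents.
    file "zones/example.com.db";
    # Only requests carrying a valid MAC made with xfer-key may AXFR/IXFR.
    # An IP-only ACL here would not authenticate the requester.
    allow-transfer { key "xfer-key"; };
};

# ---- Secondary (assumed address 192.0.2.2) ----
# Sign every request sent to the primary with xfer-key, so transfer
# requests are authenticated and the responses are verified.
server 192.0.2.1 {
    keys { "xfer-key"; };
};

zone "example.com" {
    type slave;
    masters { 192.0.2.1; };
    file "secondary/example.com.db";
};
```

TSIG verification includes a timestamp check, so both hosts need reasonably synchronized clocks for transfers to succeed.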