To: dnssec@cafax.se
cc: malin@sunet.se, adrian@sunet.se, jocke@sunet.se
From: Måns Nilsson <mansaxel@sunet.se>
Date: Sat, 12 Jan 2002 15:17:32 +0100
Content-Disposition: inline
In-Reply-To: <Pine.OSX.4.42.0201111759120.8222-100000@criollo.schlyter.pp.se>
Sender: owner-dnssec@cafax.se
Subject: Re: Zone transfers in DNSSEC.
--On Friday, January 11, 2002 18:13:12 +0100 Jakob Schlyter <jakob@crt.se> wrote:

> On Fri, 11 Jan 2002, Måns Nilsson wrote:
>
>> I have a question wrt secure zone transfers. The usual word -- as I
>> recall -- on securing them seems to be that one should use TSIG to
>> protect them, because DNSSEC in itself does not help with this specific
>> situation; no validation is done.
>
> the configuration of tsig has nothing to do with the signing of the zone
> itself. you can use tsig to protect the zone transfer of any zone - signed
> or not. tsig authenticates the zone transfer, and any other query between
> a pair of hosts if you like to, using a shared secret.
>
> there is some more, although very brief, information on tsig in the bind
> manual (arm) section 4.4.

Now, of TSIG operations and usage I'm quite aware. That is the easy part.

My question is whether my observation that a nameserver with access to the pubkey for a given zone would accept a tampered-with copy of that zone when received over AXFR for slave purposes, either skipping the results of validation or not performing any validation at all, is a violation of section 5.6, "Zone Transfers" in RFC 2535.

My initial position was something like "zone transfers aren't validated so you'll have to TSIG to protect them" which is sort of proven by my tests. But section 5.6 talks about validating zone transfers. Was my testing method flawed and misleading?

rgds,
-- 
Måns Nilsson Systems Specialist
+46 70 681 7204 KTHNOC MN1334-RIPE
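The TSIG setup Jakob describes, as an added illustration that is not part of this thread or of the BIND manual: a master restricts AXFR of the (signed) zone to requests authenticated with a shared key, and the slave signs its transfer requests with that same key. The key name `axfr-key`, the secret value, the address `192.0.2.1` and the file names are constructed placeholders; the `allow-transfer { key ...; }` and `server ... { keys ...; }` forms are the standard BIND 9 named.conf syntax. TSIG here protects the transfer channel only; it says nothing about whether the slave validates the zone's own RRSIG/SIG records after receipt, which is the question raised above.

```conf
// --- master (primary) named.conf fragment ---
// Shared secret, generated e.g. with
//   dnssec-keygen -a HMAC-MD5 -b 128 -n HOST axfr-key
// The secret below is a constructed placeholder, not a real key.
key "axfr-key" {
    algorithm hmac-md5;
    secret "cGxhY2Vob2xkZXItbm90LWEta2V5";
};

zone "example.com" {
    type master;
    file "example.com.signed";
    // Only transfer requests signed with axfr-key are answered;
    // an unsigned or wrongly signed AXFR is refused.
    allow-transfer { key "axfr-key"; };
};

// --- slave (secondary) named.conf fragment ---
key "axfr-key" {
    algorithm hmac-md5;
    secret "cGxhY2Vob2xkZXItbm90LWEta2V5";
};

// Sign every message sent to the master (SOA queries, AXFR/IXFR)
// with axfr-key; the master's responses must verify with it too.
server 192.0.2.1 {
    keys { "axfr-key"; };
};

zone "example.com" {
    type slave;
    masters { 192.0.2.1; };
    file "slave/example.com.signed";
};
```

After reloading both servers, a transfer attempted without the key (for instance `dig @192.0.2.1 example.com AXFR` from an unconfigured host) is refused, while the slave's keyed transfer succeeds; the master's log shows the refused request, which is the check to run to confirm the restriction is in force.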