On Thu, Jun 27, 2013 at 9:48 AM, SH Development <listacco...@starionline.com> wrote:

> I have now moved all of my secondary to BuddyNS with much better
> redundancy...

They don't appear to support secure zone transfers with TKEY/TSIG or DNSSEC.
http://www.buddyns.com/faq/#dns-extensions

I haven't found any free or low cost secondary DNS providers that support TSIG, although some support DNSSEC.

I have been trying to get up to date info on secure zone transfers and most of what I have seen on the web seems out of date or incorrect. For example most TSIG examples suggest using HMAC-MD5.

The Wikipedia DNSSEC page, http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions says "Other standards (not DNSSEC) are used to secure bulk data (such as a DNS zone transfer <http://en.wikipedia.org/wiki/DNS_zone_transfer>) sent between DNS servers." and points to the http://en.wikipedia.org/wiki/DNS_zone_transfer and it doesn't even mention TKEY, TSIG, or DNSSEC and hints at using some other backend database to secure transfers.

I'm not sure which crypto method would be best for securing zone transfers and I haven't tested DNSSEC yet, but I have started using TSIG 512 bit HMAC-SHA512.

Perhaps some of you can point us to current best practices?

Thanks,
Chuck
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
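For reference, a TSIG-signed zone transfer using HMAC-SHA512 as mentioned in the message above, shown as an added named.conf sketch that is not part of the original post. The key name, zone name, file paths, documentation-range addresses and the placeholder secret are all assumptions.

```conf
// ---- Shared by both servers (added example; all names are placeholders) ----
// Older examples typically show:   algorithm hmac-md5;
// The same key clause with HMAC-SHA512 is a drop-in replacement.
// A key can be generated with:  tsig-keygen -a hmac-sha512 xfer-example
// (older BIND 9: dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST xfer-example)
key "xfer-example" {
    algorithm hmac-sha512;
    secret "REPLACE_WITH_BASE64_SECRET";   // placeholder; keep the file unreadable to other users
};

// ---- Primary, assumed address 192.0.2.1 ----
// Sign everything sent to the secondary (NOTIFY included) with the key.
server 192.0.2.53 {
    keys { "xfer-example"; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // Only requests signed with the key may AXFR/IXFR this zone.
    // An address-only ACL here would leave transfers unauthenticated.
    allow-transfer { key "xfer-example"; };
};

// ---- Secondary, assumed address 192.0.2.53 ----
// Sign SOA queries and transfer requests sent to the primary.
server 192.0.2.1 {
    keys { "xfer-example"; };
};

zone "example.com" {
    type slave;
    file "slaves/example.com.zone";
    masters { 192.0.2.1; };
};
```

TSIG authenticates the transfer and protects its integrity; the zone data itself still crosses the network unencrypted. Both servers need reasonably synchronized clocks, because TSIG signatures carry a timestamp.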