Hi Greg, a TSIG key is *never* transmitted. A sender uses a TSIG key to generate a secure hash over the DNS content being sent, and sends the hash along with the DNS content. A receiver configured with the same key can then verify that hash. If it can, then it can apply the DNS content.
If someone is sniffing the wire between the client and server, they can see the DNS content. This usually doesn't matter, because the DNS is usually public anyway. However, if a man-in-the-middle tries to modify the packet in any way, then the receiver will detect the change, because the hash will not verify, and the receiver can reject that packet as invalid. DNS was NOT designed to be encrypted, because as I wrote above, it's usually public data anyway. If you want to encrypt your dynamic DNS update anyway (even though there's good reason to do this), then you need to send your update over an encrypted session of some kind. The DNS protocol itself has recently been updated to allow for encryption, using DTLS (DNS-over-TLS). But while DNS resolvers can use this to send queries to suitably configured servers, I don't think "nsupdate" can use DTLS just yet (someone please correct me if I'm wrong). So your only alternative is to use another secure protocol, such as SSH, with port forwarding, to send your dynamic updates to the server. BUT AGAIN, there is usually no need for this. Do NOT overcomplicate your design for no reason. Regards, Anand On 26/04/2021 16:04, Greg Donohoe wrote: > Thanks Anand. > When using this TSIG solution is the key visible (clear) within the DNS > packet being sent to the remote server or is it encrypted? > Is this communication secure? eg if someone is sitting on the wire sniffing > the packets, would they be able to extract the key ? > Or is the security of the communication done through the ACL and the key is > TSIG only used to allow me to make changes to the zone file? > The main reason why I was leaning towards SSH was to try to ensure that all > communication between local & remote was encrypted. > > Rgds, > Greg. > > On Fri, Apr 23, 2021 at 2:21 PM Anand Buddhdev <ana...@ripe.net> wrote: > >> On 23/04/2021 14:24, Greg Donohoe wrote: >> >> Hi Greg, >> >>> In regards to the nsupdate, what is the best way to secure the >> connection, >>> so to ensure that only my local server can make the amendments to the >>> remote server named & zone files? >>> I dont want anyone/anything else other than my local machine to make any >>> changes on my remote BIND server. >> >> You should create a TSIG key, and configure the zones on the remote >> server to only accept dynamic DNS updates signed by this key. And then >> use this key with nsupdate when sending your updates. Check the man page >> of nsupdate and look at the '-k' and '-y' options for using tsig keys. >> >> You can additionally also configure your remote BIND to accept updates >> only from certain IP addresses. For details on how to configure this, >> please read the excellent documentation (especially section 4.2.29 and >> the "allow-update" option): >> >> https://bind9.readthedocs.io/en/v9_16/ >> >> Regards, >> Anand Buddhdev >> > _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
