Thank you for the excellent advice, it is a lot clearer to me now. I am checking the nsupdate & TSIG man pages for additional knowledge. Outside of these man pages, are there any other references (tutorials/videos) that you would recommend? Particularly around the area of TSIG key generation & management best practices?
Rgds, Greg.

On Mon, Apr 26, 2021 at 4:16 PM Tony Finch <d...@dotat.at> wrote:

> Anand Buddhdev <ana...@ripe.net> wrote:
>
> Anand's advice is good, as usual :-)
>
> But a small pedantic point:
>
> > The DNS protocol itself has recently been updated to allow for
> > encryption, using DTLS (DNS-over-TLS).
>
> DTLS usually means "datagram TLS", i.e. TLS-over-UDP (RFC 6347). There's a
> spec for DNS-over-DTLS (RFC 8094) but I have not seen much enthusiasm for
> deploying it: DTLS combines all the disadvantages of UDP with all the
> disadvantages of TLS. (Or worse: DTLS has a more complicated state machine
> than normal TLS so there have been a bunch of DTLS-specific
> vulnerabilities which makes me very reluctant to deploy it.)
>
> There is a lot more enthusiasm for DNS-over-TLS (aka DoT) and
> DNS-over-HTTPS (aka DoH), and maybe in the future DNS-over-QUIC.
>
> But right now, none of these are particularly easy to get working as
> transports for UPDATE, and as Anand said, it usually isn't necessary.
>
> I'm looking forward to zone transfers over TLS, because public key
> authentication (with client certificates) is a bit easier to deploy
> between different organizations than TSIG secret key authentication.
> There's not such a clear benefit for UPDATE-over-TLS where I'm sitting,
> apart from the neatness of having all authenticated traffic over TLS.
>
> Tony.
> --
> f.anthony.n.finch <d...@dotat.at> https://dotat.at/
> Bailey: Northeast 5 to 7. Moderate or rough. Showers at first. Good.
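Since Greg asks about TSIG key generation and management for nsupdate, here is an added shell example (not from this thread, and not ISC's own tooling) that produces the BIND key clause, a least-privilege update-policy that consumes it, and the nsupdate script that signs an UPDATE with it. The names update-key and example.test, the addresses and the file names are placeholders for this example.

```shell
#!/bin/sh
# Added example (not from the thread or from ISC): a TSIG key for DNS UPDATE,
# the BIND fragments that consume it, and the nsupdate script that uses it.
# "update-key", "example.test", the addresses and the file names are
# placeholders chosen for this example.

# Emit a BIND "key" clause for an HMAC-SHA256 TSIG key. This is the same
# clause that `tsig-keygen -a hmac-sha256 NAME` (BIND 9.11+) prints.
gen_tsig_key() {
    name=$1
    # 32 random bytes = the HMAC-SHA256 output size, the usual secret length
    secret=$(head -c 32 /dev/urandom | base64 | tr -d '\n')
    printf 'key "%s" {\n\talgorithm hmac-sha256;\n\tsecret "%s";\n};\n' \
        "$name" "$secret"
}

# Emit a zone clause whose update-policy lets the key touch only A/AAAA
# records below the apex (zonesub), so a leaked key cannot rewrite NS/SOA.
# Use "type master;" instead of "type primary;" on BIND before 9.16.
gen_update_policy() {
    zone=$1; keyname=$2
    printf 'zone "%s" {\n\ttype primary;\n\tfile "%s.db";\n' "$zone" "$zone"
    printf '\tupdate-policy {\n\t\tgrant %s zonesub A AAAA;\n\t};\n};\n' "$keyname"
}

# Replace a host's A record via nsupdate, signing the UPDATE with the key
# file (nsupdate -k reads the same "key" clause). Not invoked below because
# it needs a reachable primary; call it as, for example:
#   send_update update-key.conf 192.0.2.53 example.test host1.example.test 192.0.2.10
send_update() {
    keyfile=$1; server=$2; zone=$3; host=$4; addr=$5
    nsupdate -k "$keyfile" <<EOF
server $server
zone $zone
update delete $host. A
update add $host. 300 A $addr
send
EOF
}

# The secret is a shared symmetric key: create the file unreadable to others.
umask 077
gen_tsig_key update-key > update-key.conf        # include "update-key.conf"; in named.conf
gen_update_policy example.test update-key > zone-example.test.conf
```

Both the server and every nsupdate client need the same key file, so distribute it like any other secret and rotate it by adding a second key clause, moving clients over, then removing the old one.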
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users