Hi all, Currently I'm reading a couple of articles about TSIG and XoT, to better understand how XFR between networks can be done securely. For this, I am currently looking at these resources:
- https://www.ietf.org/rfc/rfc9103.html[1] - https://dnsprivacy.org/encrypted-zone-transfer/[2] - https://bind9.readthedocs.io/en/stable/chapter7.html#tsig[3] Not directly related: - https://kb.isc.org/docs/aa-00851#example-3-adding-a-second-server[4] Perhaps the footnote "Further information on TSIG" could use a re-reference to Chapter 7.5? Nonetheless, this is how I found the TSIG documentation. Currently, the network configuration would be three LANs that talk to each other over two VPNs (WireGuard). The primary LAN has 3 name servers, 1 primary and 2 secondaries. Only ns1 is expected to perform XFR, maybe ns2 if need be. Not sure how that affects operational availability vs. security. The secondary LAN is a more fleshed out version of a road warrior setup, it is what I take with me for travel. This has one or two name servers at most. Each of these networks has a local zone, for which it is a local primary and secondary for the other. The third network is just something internal to my laptop, so it can be a child of either of the previous networks, or whatever else that laptop connects to (via double NAT). They each communicate with each other via a gateway / set of VRRP gateways, over the WireGuard tunnels. During XFR receipt, the receiving DNS server sees the XFR as if it's coming from that local gateway. This is.. not ideal. So that's where TSIG or XoT would come into play. So far, it seems that TSIG is just a signed plaintext transfer, while XoT would encapsulate the whole thing in TLS. Both of them seem to have their merits, but would XoT be necessary if WireGuard is encrypting the "public" part of the connection anyway? Another thing I noticed in VRRP in particular, is that by default it uses anycast and just passes on the secret itself in plain to all network members. So anyone with a packet sniffer can just.. well, sniff it and pull a "look at me, I am the gateway now". Unicast is possible but not default and seemingly only for keepalived. How's the situation here with TSIG? Are the transactions only given a signature, or the shared secret itself? As far as XoT is concerned, I like that it adds another layer of encryption, but that would have to be self-signed. Also, how's that for troubleshooting? I'd rather not have to deal with the pain in the rear of TLS MiTM during such times. So far I think I'm more inclined towards just having WireGuard deal with that, and leave everything else transparent to me. But any amount of anycast or secrets exposure would be a dealbreaker here. What are your thoughts on this? N.B.: I liked this note in the views article: "DNS servers are social creatures and like to have company, so the operator of this network has decided to add a second DNS server." Your work on the ARM is amazing Suzanne, and indeed we/they are :) -- Met vriendelijke groet, Michael De Roover Mail: i...@nixmagic.com Web: michael.de.roover.eu.org -------- [1] https://www.ietf.org/rfc/rfc9103.html [2] https://dnsprivacy.org/encrypted-zone-transfer/ [3] https://bind9.readthedocs.io/en/stable/chapter7.html#tsig [4] https://kb.isc.org/docs/aa-00851#example-3-adding-a-second-server
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
