Hi Michael! I think you mix up two unrelated topics. One, how your name servers are connected together and how routing and High-Availability is managed in your (virtual) network. The second thing is which protocol to use for zone transfers. IMO they have nothing to do with each other.
For the network part, other mailing lists may be better suited, For the DNS part, it depends on your policy, and what are the dangers you want to protect DNS zone transfers from. If you trust your internal network, and you are sure that the DNS never traverses public Internet (due to the VPN), then there is nothing the protect from and plain AXFR over TCP would be fine. If you want to protect your zone transfers also internally where there is no VPN anymore, then you need some more: - Protection from sniffing (e.g. your DNS data is not public, and has secrets inside): Then you need to use encryption on the application, i.e. XoT. Do not use XoT with ephemeral TLS as it is vulnerable to MITM. - Protection from manipulation: Here you can use either TSIG (with our without TLS) or XoT with mutual TLS TLS uses private and public keys for encryption and authentication, and either you use self-signed or public signed certificates. TSIG uses a pre-shared key Regards Klaus -- Klaus Darilion, Head of Operations nic.at GmbH, Jakob-Haringer-Straße 8/V 5020 Salzburg, Austria From: bind-users <bind-users-boun...@lists.isc.org> On Behalf Of Michael De Roover Sent: Saturday, March 8, 2025 7:36 AM To: bind-users@lists.isc.org Subject: Some operational questions about TSIG / XoT Hi all, Currently I'm reading a couple of articles about TSIG and XoT, to better understand how XFR between networks can be done securely. For this, I am currently looking at these resources: - https://www.ietf.org/rfc/rfc9103.html - https://dnsprivacy.org/encrypted-zone-transfer/ - https://bind9.readthedocs.io/en/stable/chapter7.html#tsig Not directly related: - https://kb.isc.org/docs/aa-00851#example-3-adding-a-second-server Perhaps the footnote "Further information on TSIG" could use a re-reference to Chapter 7.5? Nonetheless, this is how I found the TSIG documentation. Currently, the network configuration would be three LANs that talk to each other over two VPNs (WireGuard). The primary LAN has 3 name servers, 1 primary and 2 secondaries. Only ns1 is expected to perform XFR, maybe ns2 if need be. Not sure how that affects operational availability vs. security. The secondary LAN is a more fleshed out version of a road warrior setup, it is what I take with me for travel. This has one or two name servers at most. Each of these networks has a local zone, for which it is a local primary and secondary for the other. The third network is just something internal to my laptop, so it can be a child of either of the previous networks, or whatever else that laptop connects to (via double NAT). They each communicate with each other via a gateway / set of VRRP gateways, over the WireGuard tunnels. During XFR receipt, the receiving DNS server sees the XFR as if it's coming from that local gateway. This is.. not ideal. So that's where TSIG or XoT would come into play. So far, it seems that TSIG is just a signed plaintext transfer, while XoT would encapsulate the whole thing in TLS. Both of them seem to have their merits, but would XoT be necessary if WireGuard is encrypting the "public" part of the connection anyway? Another thing I noticed in VRRP in particular, is that by default it uses anycast and just passes on the secret itself in plain to all network members. So anyone with a packet sniffer can just.. well, sniff it and pull a "look at me, I am the gateway now". Unicast is possible but not default and seemingly only for keepalived. How's the situation here with TSIG? Are the transactions only given a signature, or the shared secret itself? As far as XoT is concerned, I like that it adds another layer of encryption, but that would have to be self-signed. Also, how's that for troubleshooting? I'd rather not have to deal with the pain in the rear of TLS MiTM during such times. So far I think I'm more inclined towards just having WireGuard deal with that, and leave everything else transparent to me. But any amount of anycast or secrets exposure would be a dealbreaker here. What are your thoughts on this? N.B.: I liked this note in the views article: "DNS servers are social creatures and like to have company, so the operator of this network has decided to add a second DNS server." Your work on the ARM is amazing Suzanne, and indeed we/they are :) -- Met vriendelijke groet, Michael De Roover Mail: i...@nixmagic.com<mailto:i...@nixmagic.com> Web: michael.de.roover.eu.org
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
