Viktor Dukhovni wrote:
> On Wed, Dec 21, 2016 at 12:39:55PM -0500, Matthew Pounsett wrote:
>
> > RPZ is not the ideal, but it works, and goes beyond being deployable–it is
> > deployed.
>
> I am curious to understand how RPZ zone transfers are (intended to
> be) secured. It sounds like the reason for standardizing RPZ is
> to allow interoperable sharing of policies via replication of zone
> data, and so an appropriate security mechanism would seem to be
> desirable here to authenticate the transfer of data from the RPZ
> master zone. Is there a related specification for that?
Are you looking for RFC 2845, "Secret Key Transaction Authentication for
DNS (TSIG)"? That authenticates the transaction, but the contents of the
zone are transferred in the clear. (I don't think there are any servers
that implement DNS-over-TLS for zone transfers.)

-- 
Robert Edmonds

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
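To make the point in the reply above concrete, here is an added example (not code from the thread or from any DNS server) that builds an AXFR request for an RPZ zone, signs it with a TSIG RR per RFC 2845, and verifies it on the server side, using only the standard library. The key name, secret and zone name are constructed, and it uses HMAC-SHA256 (RFC 4635) rather than the HMAC-MD5 of the original RFC; the MAC proves who sent the request and that it was not altered, while the zone name, and the zone data in the reply, stay readable on the wire.

```python
import hashlib, hmac, struct
# Key name, algorithm and secret are constructed for this example, not real deployment values.
KEY_NAME, ALG = "rpz-xfer-key.", "hmac-sha256."
SECRET = b"constructed-shared-secret-not-a-real-key"

def wire_name(name):
    # Canonical (lowercase, uncompressed) wire form used for TSIG hashing (RFC 2845 s3.4.2).
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def skip_name(buf, pos):
    while buf[pos]:
        pos += buf[pos] + 1
    return pos + 1

def build_axfr_query(zone, msg_id):
    # Header (ID, flags, QD=1, AN=0, NS=0, AR=0), then one question: QTYPE AXFR (252), QCLASS IN (1).
    return struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0) + wire_name(zone) + struct.pack("!HH", 252, 1)

def tsig_mac(message, time_signed, fudge, error=0, other=b""):
    # HMAC over the unsigned message plus the TSIG variables (RFC 2845 s3.4): key name, CLASS ANY, TTL 0, algorithm, time, fudge, error, other.
    variables = (wire_name(KEY_NAME) + struct.pack("!HI", 255, 0) + wire_name(ALG)
                 + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)
    return hmac.new(SECRET, message + variables, hashlib.sha256).digest()

def sign_axfr_query(message, time_signed, fudge=300):
    # Append the TSIG RR (type 250, class ANY, TTL 0) and bump ARCOUNT; the MAC covers the message before the bump.
    mac = tsig_mac(message, time_signed, fudge)
    rdata = (wire_name(ALG) + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + message[:2] + struct.pack("!HH", 0, 0))
    rr = wire_name(KEY_NAME) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr

def verify_axfr_query(signed, now):
    # Server side, for the AXFR-request shape only: one question, no answer/authority RRs, TSIG as the sole additional RR.
    if struct.unpack("!HHHH", signed[4:12]) != (1, 0, 0, 1):
        return False
    pos = skip_name(signed, 12) + 4
    name_end = skip_name(signed, pos)
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", signed[name_end:name_end + 10])
    rdata = signed[name_end + 10:name_end + 10 + rdlen]
    p = skip_name(rdata, 0)
    if (signed[pos:name_end], rtype, rclass, rdata[:p]) != (wire_name(KEY_NAME), 250, 255, wire_name(ALG)):
        return False
    time_signed = int.from_bytes(rdata[p:p + 6], "big")
    fudge, mac_size = struct.unpack("!HH", rdata[p + 6:p + 10])
    mac = rdata[p + 10:p + 10 + mac_size]
    orig_id, error, other_len = struct.unpack("!HHH", rdata[p + 10 + mac_size:p + 16 + mac_size])
    other = rdata[p + 16 + mac_size:p + 16 + mac_size + other_len]
    # Rebuild what the signer hashed: original ID, ARCOUNT without the TSIG RR, all bytes before the TSIG RR.
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", 0) + signed[12:pos]
    expected = tsig_mac(unsigned, time_signed, fudge, error, other)
    return hmac.compare_digest(mac, expected) and abs(now - time_signed) <= fudge
```

A flipped byte in the question name or a stale time signed fails verification, yet the zone name is still a plain substring of the signed packet, which is exactly the gap TSIG leaves and that only transport encryption would close.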