On Wed, Jun 20, 2018 at 7:30 PM Joe Abley <jab...@hopcount.ca> wrote:
> On Jun 20, 2018, at 19:07, Warren Kumari <war...@kumari.net> wrote:
>
> ... what I'd always wanted[0] was to be able to set up my own recursive
> name server somewhere on the Internet, and then only allow myself (and a
> few of my closest friends) to be able to query it.
>
> For this particular use-case, why is SIG(0) better than TSIG?

Either might be fine in these small user scenarios. In the "only Warren" scenario, TSIG is probably simpler.

For the "Warren and a few close friends" scenario, it depends on how much he trusts those friends. If he trusts them not to spoof responses to him (if they are able to insert themselves as a MITM attacker somehow), he could get away with a single shared symmetric TSIG key. If not, he'd have to provision distinct TSIG keys for himself and each of the friends, which is more work, but still might be manageable if the set of friends is small enough - but SIG(0) is probably now looking attractive.

If Warren and friends are doing their own validation of responses from the recursive server (note: most stubs today do not), then spoofing might be less of a concern, but there is still a lot of unsigned data out there.

Shumon.
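The shared-key versus per-person-key point above, as an added example that is not part of this thread: a minimal TSIG (RFC 8945, HMAC-SHA256) signer and verifier for a DNS query. The key names, key bytes and timestamp are constructed for the demo; the resolver can tell per-person keys apart, but with one shared key every holder produces an equally valid MAC, which is the same property that lets a key holder forge the other direction.

```python
import hmac, hashlib, struct

def _wire_name(name):
    """Canonical wire-format name: lowercase labels, root label at the end."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(qname, qtype=1, msg_id=0x1234):
    """DNS header (RD set) plus one question; this is what gets signed."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + _wire_name(qname) + struct.pack("!HH", qtype, 1)

def tsig_mac(msg, key_name, key, time_signed, fudge=300, error=0, other=b""):
    """HMAC-SHA256 over message || TSIG variables (RFC 8945 section 4.3.3):
    key name, class ANY, TTL 0, algorithm, time signed, fudge, error, other."""
    variables = (_wire_name(key_name) + struct.pack("!HI", 255, 0)
                 + _wire_name("hmac-sha256") + time_signed.to_bytes(6, "big")
                 + struct.pack("!HHH", fudge, error, len(other)) + other)
    return hmac.new(key, msg + variables, hashlib.sha256).digest()

def sign_query(msg, key_name, key, now):
    """Client side: the fields the TSIG RR in the additional section carries."""
    return {"key_name": key_name, "time_signed": now,
            "mac": tsig_mac(msg, key_name, key, now)}

def verify_query(keyring, msg, tsig, now, fudge=300):
    """Resolver side: known key name, timestamp inside the fudge window, and a
    matching MAC (constant-time compare); otherwise the RFC 8945 error name."""
    key = keyring.get(tsig["key_name"].lower())
    if key is None:
        return "BADKEY"
    if abs(now - tsig["time_signed"]) > fudge:
        return "BADTIME"
    expected = tsig_mac(msg, tsig["key_name"], key, tsig["time_signed"], fudge)
    return "NOERROR" if hmac.compare_digest(expected, tsig["mac"]) else "BADSIG"

# Constructed keys: one key per person versus one key shared by everyone.
PER_USER = {"warren.": b"constructed-warren-key", "friend1.": b"constructed-friend1-key"}
SHARED = {"friends.": b"constructed-shared-key"}

def demo(now=1529535000):  # constructed "time signed", seconds since epoch
    msg = build_query("example.com.")
    own = verify_query(PER_USER, msg, sign_query(msg, "warren.", PER_USER["warren."], now), now)
    # friend1 signs with their own key but names warren's key: the MAC fails.
    misattributed = verify_query(PER_USER, msg, sign_query(msg, "warren.", PER_USER["friend1."], now), now)
    # With one shared key every holder produces the same valid MAC, so the resolver cannot tell them apart.
    shared = verify_query(SHARED, msg, sign_query(msg, "friends.", SHARED["friends."], now), now)
    return own, misattributed, shared
```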
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop