On Mon, Feb 25, 2019 at 05:04:01PM +0100, Otto Moerbeek wrote:

> I've done some work in a related area, bootstrapping ntpd while using
> a DNSSEC enabled resolver. If the time is off, that does not work atm.
> That work was never finished because of reasons.

*nod* yeah time is a decisive factor. Right now I have the time, but who knows when it will change (my resume is somewhere in processing).

> But I think the TSIG use case is pretty limited. Who uses it other
> than for zone transfers?

BIND users like me use it. It's a good solution when you're on a dynamic IP and don't want to use the ISP's nameservers. I use two vps's instead for my lookups. TSIG is having a passworded access to recursive DNS.

Another potential user of TSIG is dynamic dns updaters, you know isc-dhcpd updates BIND via dynamic DNS. Inside the OpenBSD community people probably don't use it other than for zone transfers though since I think TSIG for queries is lacking in unbound, but I'm only guessing here. I did some googling years ago and found that there was not much interest in putting it in unbound, but my memory is weak on this.

> -Otto

Best Regards,
-peter