[Pdns-users] Regarding the warning about TSIG and AXFR requests
Mohamed Lrhazi
lrhazi at gmail.com
Thu Nov 3 04:26:50 UTC 2011
I submitted ticket: http://wiki.powerdns.com/trac/ticket/400
On Tue, Nov 1, 2011 at 2:19 AM, Peter van Dijk
<peter.van.dijk at netherlabs.nl> wrote:
> Hello Mohamed,
>
> On Nov 1, 2011, at 4:31 , Mohamed Lrhazi wrote:
>
>> On Mon, Oct 31, 2011 at 11:20 AM, Peter van Dijk
>> <peter.van.dijk at netherlabs.nl> wrote:
>>>
>>> I have checked the relevant code, and the answer is: yes, one would not be protected from content modification/injection. An attacker that can modify TCP-streams between master and slave can inject records.
>>>
>>> Options to secure master/slave communication include:
>>> - making sure the transfer happens over some kind of VPN (OpenSSH, IPSEC)
>>> - using MySQL-replication (with SSL!) instead of AXFR
>>>
>>
>> Does anyone know if there are plans to complete TSIG implementation in
>> PowerDNS, in future versions?
>
> In theory, every thinkable improvement to PowerDNS is expected to come in the future. In practice, we prioritize based on our own perception of what's important, on what requests come by on the mailing list a lot, and, very importantly, on what customers with paid support contracts are asking for.
>
> You should at least file a bug at http://wiki.powerdns.com/ to make sure we don't forget this issue exists at all.
>
> Kind regards,
> Peter van Dijk
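
The second option quoted above (MySQL replication "with SSL!" instead of AXFR), as an added example that is not part of the original thread or of PowerDNS: it shows a replication link left in plaintext beside one that is encrypted and authenticated. It assumes MySQL 5.x statement syntax and a master already started with ssl-ca/ssl-cert/ssl-key; the account name, host names, password and CA path are placeholders.

```sql
-- On the master: create the replication account and make the server refuse
-- it on any unencrypted session. All names and the password are placeholders.
CREATE USER 'repl'@'slave.example.net' IDENTIFIED BY 'CHANGE-ME';
GRANT REPLICATION SLAVE ON *.* TO 'repl'@'slave.example.net' REQUIRE SSL;

-- Confirm the requirement is stored: ssl_type should read ANY, not empty.
SELECT user, host, ssl_type FROM mysql.user WHERE user = 'repl';

-- Weak form, shown only for contrast. The zone data crosses the network in
-- plaintext, so it has the same stream-modification exposure as the AXFR
-- case discussed in the thread:
--   CHANGE MASTER TO MASTER_HOST='master.example.net',
--                    MASTER_USER='repl', MASTER_PASSWORD='CHANGE-ME';

-- On the slave: hardened form. MASTER_SSL turns encryption on, MASTER_SSL_CA
-- names the CA the master's certificate must chain to, and
-- MASTER_SSL_VERIFY_SERVER_CERT makes the slave check that the certificate
-- matches MASTER_HOST, so an on-path host cannot pose as the master.
STOP SLAVE;
CHANGE MASTER TO
  MASTER_HOST = 'master.example.net',
  MASTER_USER = 'repl',
  MASTER_PASSWORD = 'CHANGE-ME',
  MASTER_SSL = 1,
  MASTER_SSL_CA = '/etc/mysql/ssl/ca.pem',
  MASTER_SSL_VERIFY_SERVER_CERT = 1;
START SLAVE;

-- Check from the mysql client on the slave. Look for
--   Master_SSL_Allowed: Yes
--   Slave_IO_Running:   Yes
-- A certificate or SSL failure shows up in Last_IO_Error.
SHOW SLAVE STATUS\G
```

REQUIRE SSL on the master and MASTER_SSL_VERIFY_SERVER_CERT on the slave cover different failures: the first stops a misconfigured slave from silently falling back to plaintext, the second stops the slave from accepting a certificate issued for another host.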