[Pdns-users] How to sign superslave transfers?

Zdeněk Bělehrádek zdenek.belehradek at superhosting.cz
Thu Jan 3 15:45:17 UTC 2013


Hi,

our company runs two authoritative DNS servers; currently we use BIND.
Some time ago we found out about PowerDNS and are exploring its benefits, like
simpler administration of zones and easy-to-use DNSSEC.

Some of our customers use one of our servers as a backup of their own DNS. We
would like to configure our own server as a superslave so we won't have to
tediously add all the new domains they add.

I don't like the idea of sending AXFR data totally unsecured. PowerDNS checks
the IP address, but I don't consider it safe enough. Today, we sign all the
transfers with TSIG. From what I read in the manual, you have to assign a
TSIG key to a zone before you can use it. A superslave doesn't know anything
about zones - its point is to create a zone when notified.

We considered using IPsec, but it is definitely not simple to manage. I
read something about Lua, but I am trying to avoid Lua scripting because I
don't have any experience with it.

Is there any way to sign superslave notifications, or at least the following
transfers, so an attacker won't be able to send his own zones to our servers?
Ideally one that uses only PowerDNS and the backing database.

With Regards,
Zdeněk Bělehrádek

-- 
mysql> SELECT * FROM date WHERE d IS NULL AND d IS NOT NULL;
+---------------------+
| d                   |
+---------------------+
| 0000-00-00 00:00:00 |
+---------------------+
1 row in set (0.00 sec)
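The gap the poster describes, shown against the database, as an added example that is not part of the original message or of PowerDNS's own documentation. It assumes the PowerDNS 3.x generic MySQL backend (gmysql) schema with its supermasters, tsigkeys, domains and domainmetadata tables; the IP address, NS name, account, zone name, key name and secret are constructed placeholders.

```sql
-- Added example, not from the original post. Assumes the PowerDNS 3.x
-- generic MySQL backend (gmysql) schema. The IP address, nameserver,
-- account, zone, key name and secret are constructed placeholders.

-- 1. Superslave trust is keyed on the source IP alone: a NOTIFY from this
--    address for a zone whose NS set contains ns2.example.net makes the
--    superslave create the zone and pull it by AXFR.
INSERT INTO supermasters (ip, nameserver, account)
VALUES ('192.0.2.10', 'ns2.example.net', 'customer-a');

-- 2. Store the TSIG key shared with the customer's master
--    (secret is base64; this one is a placeholder, not a real key).
INSERT INTO tsigkeys (name, algorithm, secret)
VALUES ('customer-a-key', 'hmac-md5', 'dGhpcyBpcyBhIHBsYWNlaG9sZGVyIHNlY3JldA==');

-- 3. Bind the key to a zone so that AXFR requests this slave sends for it
--    are TSIG-signed. The row needs the zone's domain_id, which exists only
--    once the zone is in the domains table, i.e. after the superslave has
--    already created it from the unsigned NOTIFY. That is the per-zone
--    dependency the poster is asking how to avoid.
INSERT INTO domainmetadata (domain_id, kind, content)
SELECT id, 'AXFR-MASTER-TSIG', 'customer-a-key'
FROM domains
WHERE name = 'customer-a.example';

-- 4. Audit check: zones the superslave created for this account that still
--    have no TSIG key bound, so their transfers are protected by IP only.
SELECT d.name
FROM domains d
LEFT JOIN domainmetadata m
       ON m.domain_id = d.id AND m.kind = 'AXFR-MASTER-TSIG'
WHERE d.account = 'customer-a'
  AND m.id IS NULL;
```

Step 3 has to be repeated for every zone the supermaster adds, which is why it does not help with the superslave's automatic zone creation; the query in step 4 is a way to spot zones that slipped in without a key binding.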
