[Pdns-users] How to sign superslave transfers?
Zdeněk Bělehrádek
zdenek.belehradek at superhosting.cz
Thu Jan 3 15:45:17 UTC 2013
Hi,
our company runs two authoritative DNS servers; currently we use BIND.
Some time ago we found out about PowerDNS and are exploring its benefits, like
simpler administration of zones and easy-to-use DNSSEC.
Some of our customers use one of our servers as a backup of their own DNS. We
would like to configure our own server as a superslave so we won't have to
tediously add all the new domains they add.
I don't like the idea of sending AXFR data totally unsecured. PowerDNS checks
the IP address, but I don't consider it safe enough. Today, we sign all the
transfers with TSIG. From what I read in the manual, you have to assign a
TSIG key to a zone before you can use it. A superslave doesn't know anything
about zones - its point is to create a zone when notified.
We considered using IPsec, but it is definitely not simple to manage. I
read something about Lua, but I am trying to avoid Lua scripting because I
don't have any experience with it.
Is there any way to sign superslave notifications, or at least the following
transfers, so an attacker won't be able to send his own zones to our servers?
Ideally one that uses only PowerDNS and the backing database.
With Regards,
Zdeněk Bělehrádek
--
mysql> SELECT * FROM date WHERE d IS NULL AND d IS NOT NULL;
+---------------------+
| d |
+---------------------+
| 0000-00-00 00:00:00 |
+---------------------+
1 row in set (0.00 sec)
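The post contrasts PowerDNS's source-IP check with TSIG-signed transfers. As an added illustration (not code from the poster, from PowerDNS or from BIND), the following Python implements the RFC 2845 TSIG computation over a NOTIFY message: it builds the request, appends the TSIG RR, and on the receiving side recomputes the HMAC, checks the time window and reports the TSIG error names the RFC defines. It shows what a key-based check binds that an IP check does not: any change to the message bytes, a replay outside the fudge window, or an unknown key name is rejected. The key name `customer1-key.`, the secret, the timestamp and the zone `example.com.` are constructed sample values; only HMAC-SHA256 and uncompressed names are handled, which is an assumption of this example rather than a limit of the protocol.

```python
import hashlib
import hmac
import struct

# DNS constants (RFC 1035 / RFC 2845)
TYPE_SOA, TYPE_TSIG = 6, 250
CLASS_IN, CLASS_ANY = 1, 255
OPCODE_NOTIFY = 4
ALGORITHM = "hmac-sha256."  # assumption: this example implements only HMAC-SHA256


def encode_name(name):
    """Uncompressed wire format, lowercased (the canonical form RFC 2845 digests use)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, off):
    """Read an uncompressed name at buf[off]; returns (name, new_offset)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:
            raise ValueError("compressed names are out of scope for this example")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n


def build_notify(zone, msg_id):
    """Minimal NOTIFY request: header with QDCOUNT=1 plus a SOA question for the zone."""
    flags = (OPCODE_NOTIFY << 11) | 0x0400  # opcode NOTIFY, AA bit set
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)


def tsig_variables(keyname, algorithm, time_signed, fudge, error=0, other=b""):
    """The 'TSIG variables' RFC 2845 section 3.4.2 appends to the digested message."""
    return (encode_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(algorithm)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other)) + other)


def compute_mac(message, key, keyname, algorithm, time_signed, fudge):
    """HMAC over the unsigned message plus the TSIG variables (a request has no prior MAC)."""
    return hmac.new(key, message + tsig_variables(keyname, algorithm, time_signed, fudge),
                    hashlib.sha256).digest()


def sign_message(message, key, keyname, time_signed, fudge=300):
    """Append a TSIG RR to the additional section and increment ARCOUNT."""
    mac = compute_mac(message, key, keyname, ALGORITHM, time_signed, fudge)
    orig_id = struct.unpack("!H", message[:2])[0]
    rdata = (encode_name(ALGORITHM)
             + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + struct.pack("!HHH", orig_id, 0, 0))  # original ID, error, other len
    rr = encode_name(keyname) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0]
    return message[:10] + struct.pack("!H", arcount + 1) + message[12:] + rr


def split_tsig(signed):
    """Locate the trailing TSIG RR; return the message as digested plus the parsed TSIG fields."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(signed, off)
        off += 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar - 1):  # skip every RR except the last one
        _, off = decode_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_off = off
    keyname, off = decode_name(signed, off)
    rtype = struct.unpack("!HHIH", signed[off:off + 10])[0]
    off += 10
    if rtype != TYPE_TSIG:
        raise ValueError("last additional RR is not TSIG")
    algorithm, off = decode_name(signed, off)
    hi, lo, fudge, maclen = struct.unpack("!HIHH", signed[off:off + 10])
    off += 10
    # The digest covered the message without the TSIG RR and with ARCOUNT one lower.
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:tsig_off]
    return unsigned, keyname, algorithm, (hi << 32) | lo, fudge, signed[off:off + maclen]


def verify_message(signed, keys, now):
    """Verify against {keyname: secret}; returns (ok, TSIG error name) in RFC 2845 check order."""
    unsigned, keyname, algorithm, time_signed, fudge, mac = split_tsig(signed)
    key = keys.get(keyname.lower())
    if key is None or algorithm.lower() != ALGORITHM:
        return False, "BADKEY"  # unknown key or algorithm
    expected = compute_mac(unsigned, key, keyname, algorithm, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return False, "BADSIG"
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    return True, "NOERROR"


def demo():
    """Constructed sample: one shared key, a NOTIFY for example.com, and three failure cases."""
    key = b"constructed-demo-secret-not-a-real-key"  # constructed, not a real key
    keys = {"customer1-key.": key}
    now = 1357228800  # constructed timestamp (epoch seconds)
    signed = sign_message(build_notify("example.com.", 0x1234), key, "customer1-key.", now)
    tampered = bytearray(signed)
    tampered[13] ^= 0x20  # change one byte of the question name after signing
    return {
        "genuine": verify_message(signed, keys, now + 10),
        "tampered": verify_message(bytes(tampered), keys, now + 10),
        "replayed_later": verify_message(signed, keys, now + 3600),
        "unknown_key": verify_message(signed, {"other-key.": key}, now + 10),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15} -> {result}")
```

The verifier recomputes the MAC over the message with the TSIG RR removed and ARCOUNT decremented, which is why a change to the question name fails with BADSIG rather than being parsed as a different zone. The key lookup happens by key name, not by source address, so the sending host is irrelevant to acceptance; that is the property the post is asking for, and it is also why a superslave needs some way to associate a key name with whichever zone arrives.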