[Pdns-users] How to sign superslave transfers?
Ruben d'Arco
cyclops at prof-x.net
Fri Jan 4 06:59:22 UTC 2013
Hi Zdeněk,
PowerDNS's supermaster/superslave functionality is only based on IP-address security.
Securing that with TSIG is a good idea, but it is not in PowerDNS.
You can submit feature requests on http://wiki.powerdns.com/trac
The username/password is on the front page.
Kind regards,
Ruben
On Thu, Jan 03, 2013 at 03:45:17PM -0000, Zdeněk Bělehrádek wrote:
> Hi,
>
> our company runs two authoritative DNS servers, currently we use
> BIND. Some time ago we found out about PowerDNS and are exploring its
> benefits, like simpler administration of zones and easy to use
> DNSSEC.
>
> Some of our customers use one of our servers as backup of their own
> DNS. We would like to configure our own server as superslave so we
> won't have to tediously add all the new domains they add.
>
> I don't like the idea of sending AXFR data totally unsecured. PowerDNS
> checks the IP address, but I don't consider it safe enough. Today, we
> sign all the transfers with TSIG. From what I read in the manual,
> you have to assign a TSIG key to a zone before you can use it.
> A superslave doesn't know anything about zones - its point is to create
> a zone when notified.
>
> We considered using IPSec, but it is definitely not simple to
> manage. I read something about Lua, but I am trying to avoid Lua
> scripting because I don't have any experience with it.
>
> Is there any way to sign superslave notifications, or at least
> the following transfers, so an attacker won't be able to send his own
> zones to our servers? Ideally ones that use only PowerDNS and the
> backing database.
>
> With Regards,
> Zdeněk Bělehrádek
>
> --
> mysql> SELECT * FROM date WHERE d IS NULL AND d IS NOT NULL;
> +---------------------+
> | d |
> +---------------------+
> | 0000-00-00 00:00:00 |
> +---------------------+
> 1 row in set (0.00 sec)