[dns-operations] security-aware stub resolver

Patrik Fältström patrik at frobbit.se
Fri May 23 14:39:57 UTC 2008

On 23 maj 2008, at 16.14, Edward Lewis wrote:

> E.g., there's not much need for TSIG if you are already performing  
> zone updates over a VPN.

ONLY if it is the case that the VPN and the TSIG security enclosure  
are both controlled by the same entity. Otherwise I definitely would  
use both. And, I am not a person that like doing what I call  
"inheriting" security from one layer in the protocol stack to another.

So yes, in some circumstances you can optimize, but in general most  
people have neither suspenders, nor belt... And I rather have both  
than none.


More information about the dns-operations mailing list