[dns-operations] security-aware stub resolver
Patrik Fältström
patrik at frobbit.se
Fri May 23 14:39:57 UTC 2008
On 23 maj 2008, at 16.14, Edward Lewis wrote:
> E.g., there's not much need for TSIG if you are already performing
> zone updates over a VPN.
ONLY if it is the case that the VPN and the TSIG security enclosure
are both controlled by the same entity. Otherwise I definitely would
use both. And, I am not a person that like doing what I call
"inheriting" security from one layer in the protocol stack to another.
So yes, in some circumstances you can optimize, but in general most
people have neither suspenders, nor belt... And I rather have both
than none.
Patrik
More information about the dns-operations
mailing list