[dns-operations] OpenDNS adopts DNSCurve

Randy Bush randy at psg.com
Fri Feb 26 02:06:39 UTC 2010


> There are actually more important concerns with TSIG. Even if DHCP
> could be secured (in theory there is an RFC but that's a topic of
> another prolonged discussion), TSIG is a symmetric key. To be secure
> you'd need to distribute 1 TSIG key per stub resolver. Otherwise
> you've given each stub the ability to forge responses from the
> recursive resolver to every other stub configured with that same
> key. Do we really want to manage gazillions of TSIG keys on the
> recursive resolver?

imiho, this issue has made tsig of extremely limited use, e.g. axfr
protection.

randy
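
The key-sharing point quoted above, as an added example that is not part of the original message: a simplified model of a TSIG-style MAC (plain HMAC-SHA256 over a key name, timestamp and message, not the real TSIG wire format) comparing one shared key with one key per stub. The stub names, key name, record and timestamp are constructed for illustration.

```python
import hashlib
import hmac
import os


def tsig_mac(key: bytes, key_name: str, time_signed: int, message: bytes) -> bytes:
    """Simplified TSIG-style MAC. Real TSIG covers more fields in wire format."""
    data = key_name.encode() + b"\x00" + time_signed.to_bytes(6, "big") + message
    return hmac.new(key, data, hashlib.sha256).digest()


def stub_accepts(stub_key: bytes, key_name: str, time_signed: int,
                 message: bytes, mac: bytes) -> bool:
    """A stub accepts a response only if the MAC verifies under its own key."""
    expected = tsig_mac(stub_key, key_name, time_signed, message)
    return hmac.compare_digest(expected, mac)


def provision(stubs, shared: bool) -> dict:
    """Return {stub: key}. shared=True hands every stub the same key."""
    if shared:
        key = os.urandom(32)
        return {s: key for s in stubs}
    return {s: os.urandom(32) for s in stubs}


def peer_mac_accepted(keys: dict, signer: str, verifier: str) -> bool:
    """Does a MAC computed with `signer`'s key verify at `verifier`?"""
    message = b"example.com. 300 IN A 192.0.2.1"  # constructed record
    time_signed = 1267150000                      # constructed timestamp
    key_name = "resolver-key."                    # assumed key name
    mac = tsig_mac(keys[signer], key_name, time_signed, message)
    return stub_accepts(keys[verifier], key_name, time_signed, message, mac)


def resolver_key_count(keys: dict) -> int:
    """Number of distinct secrets the recursive resolver has to manage."""
    return len(set(keys.values()))


if __name__ == "__main__":
    stubs = ["stub-a", "stub-b", "stub-c"]  # constructed stub names
    for shared in (True, False):
        keys = provision(stubs, shared)
        print("shared key" if shared else "per-stub keys",
              "| resolver keys:", resolver_key_count(keys),
              "| stub-b MAC accepted by stub-a:",
              peer_mac_accepted(keys, "stub-b", "stub-a"))
```

With per-stub keys the cross-stub MAC no longer verifies, but the resolver's key count grows with the number of stubs, which is the management cost the quoted text asks about.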


