[dns-operations] TSIG was Re: OpenDNS adopts DNSCurve

Shumon Huque shuque at isc.upenn.edu
Fri Feb 26 04:02:56 UTC 2010


On Thu, Feb 25, 2010 at 10:48:25PM -0500, Edward Lewis wrote:
> >imiho, this issue has made tsig of extremely limited use, e.g. axfr
> >protection.
> 
> And that extremely limited use is used quite extensively in operations.
> 
> TSIG is one of those tools that doesn't scale well but there are
> times when scale isn't the concern.  It has its "moments."

There are some situations in which it can scale, e.g. when used in
conjunction with an external key management infrastructure, like
Kerberos (GSS-TSIG, RFC 3645). Microsoft Windows deployments use
this to authenticate dynamic update requests from clients.

Even for a Kerberos-using organization, I don't think GSS-TSIG
is a good general solution for securing stub<->resolver, since
Kerberos clients typically need to use DNS SRV records to locate
the Kerberos servers in the first place, so there is a bootstrapping
problem.

So I agree that SIG(0) seems to be the most palatable solution. Or
pushing validation to the stubs.

-- 
Shumon Huque
University of Pennsylvania.
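An added illustration, not part of this thread or of any product discussed in it: a minimal TSIG (RFC 2845) signer and verifier for an AXFR request, written in plain Python. It shows the per-peer shared secret behind the remark about TSIG's scaling, and the BADKEY/BADSIG/BADTIME outcomes a verifier reports; the key name, secret and timestamp are constructed, and only uncompressed names plus a single compression pointer are handled.

```python
import hmac, hashlib, struct

TSIG_TYPE, ANY_CLASS, AXFR, ALG = 250, 255, 252, "hmac-sha256."   # ALG name per RFC 4635

def wire_name(name):   # uncompressed wire form; lowercased because the MAC covers canonical names
    return b"".join(bytes([len(l)]) + l.encode() for l in name.lower().rstrip(".").split(".")) + b"\x00"

def read_name(msg, off):   # returns (dotted text, offset after the name); follows one compression pointer
    labels = []
    while msg[off] and msg[off] < 0xC0:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode()); off += 1 + msg[off]
    if msg[off] >= 0xC0:
        return ".".join(labels + [read_name(msg, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF)[0]]), off + 2
    return ".".join(labels) + ".", off + 1

def tsig_variables(keyname, alg, time_signed, fudge, error=0, other=b""):   # the RFC 2845 "TSIG variables"
    return (wire_name(keyname) + struct.pack("!HI", ANY_CLASS, 0) + wire_name(alg)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, error, len(other)) + other)

def axfr_query(zone, msg_id=0x1234):   # header with QDCOUNT=1, then the question (QTYPE AXFR, QCLASS IN)
    return struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0) + wire_name(zone) + struct.pack("!HH", AXFR, 1)

def sign(msg, keyname, secret, time_signed, fudge=300):
    mac = hmac.new(secret, msg + tsig_variables(keyname, ALG, time_signed, fudge), hashlib.sha256).digest()
    rdata = (wire_name(ALG) + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + msg[:2] + struct.pack("!HH", 0, 0))   # original ID, error, other len
    rr = wire_name(keyname) + struct.pack("!HHIH", TSIG_TYPE, ANY_CLASS, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1     # TSIG RR is appended to the additional section
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr

def verify(signed, keys, now):
    """Check the TSIG RR of a signed message; keys maps key name -> secret. Returns (ok, RFC 2845 status)."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    off = 12
    for _ in range(qd): off = read_name(signed, off)[1] + 4
    for _ in range(an + ns + ar - 1):    # skip every RR before the TSIG RR, which must be last
        off = read_name(signed, off)[1]; off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_off, (keyname, off) = off, read_name(signed, off)
    rtype, rclass, _ttl, _rdlen = struct.unpack("!HHIH", signed[off:off + 10]); off += 10
    if rtype != TSIG_TYPE or rclass != ANY_CLASS or keyname not in keys: return False, "BADKEY"
    alg, off = read_name(signed, off)
    th, tl, fudge, maclen = struct.unpack("!HIHH", signed[off:off + 10]); off += 10
    mac, (orig_id, error) = signed[off:off + maclen], struct.unpack("!HH", signed[off + maclen:off + maclen + 4])
    # Rebuild the message as it was before signing: original ID, ARCOUNT decremented, TSIG RR removed
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:tsig_off]
    expect = hmac.new(keys[keyname], unsigned + tsig_variables(keyname, alg, (th << 32) | tl, fudge, error), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expect): return False, "BADSIG"   # constant-time compare
    if abs(now - ((th << 32) | tl)) > fudge: return False, "BADTIME"
    return True, "NOERROR"
```

Every secondary that may pull the zone needs its own entry in the primary's key table, which is the bookkeeping that limits how far TSIG scales without an external key infrastructure.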