[dns-operations] What would it take...
Mark Andrews
marka at isc.org
Wed Mar 11 06:31:20 UTC 2015
In message <1FB3DB93-EB08-4864-9D3C-E48DA9FC5278 at redbarn.org>, P Vixie writes:
> Tsig won't scale for something like this. Please consider sig0.
I've got no objection to sig(0) but why won't it scale? There is
an existing relationship so public key cryptography isn't needed.

Sig(0) would require the KEY record to be in the parent zone or to
be held by the registrar in a separate database. In the latter case
you either need a database of KEY records or a database of TSIG
keys. As far as I can tell there is no difference in the scaling
requirements.

Sig(0) might be marginally more secure as only one side holds
material that needs to be kept private.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org