[dns-operations] What would it take...

Mark Andrews marka at isc.org
Wed Mar 11 06:31:20 UTC 2015


In message <1FB3DB93-EB08-4864-9D3C-E48DA9FC5278 at redbarn.org>, P Vixie writes:
> Tsig won't scale for something like this. Please consider sig0.

I've got no objection to sig(0) but why won't it scale?  There is
an existing relationship so public key cryptography isn't needed.
Sig(0) would require the KEY record to be in the parent zone or to
be held by the registrar in a separate database.  In the latter case
you either need a database of KEY records or a database of TSIG
keys.  As far as I can tell there is no difference in the scaling
requirements.

Sig(0) might be marginally more secure as only one side holds
material that needs to be kept private.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
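Editor's note, added illustration (not part of the original thread and not ISC code): a toy Python model of the two registrar-side databases Mark compares. Both hold exactly one row per zone, which is the scaling point; the difference is what a copy of that database lets a third party do. The TSIG side is a real HMAC-SHA256 MAC over the request. The SIG(0) side substitutes a Lamport one-time signature so the example runs on the standard library alone; real SIG(0) uses the RSA/ECDSA key published in the zone's KEY record, but the property shown (the registrar stores only a public key) is the same. Zone names, update payloads and the registrar classes are constructed for this example.

```python
import hashlib
import hmac
import secrets


def tsig_sign(secret: bytes, message: bytes) -> bytes:
    """TSIG-style MAC: HMAC over the request using the shared secret."""
    return hmac.new(secret, message, hashlib.sha256).digest()


def tsig_verify(secret: bytes, message: bytes, mac: bytes) -> bool:
    return hmac.compare_digest(tsig_sign(secret, message), mac)


def lamport_keygen():
    """Lamport one-time key pair: stand-in for the RSA/ECDSA key a SIG(0) KEY
    record would carry. Private key: 256 pairs of random preimages. Public
    key: their SHA-256 hashes, safe to publish or store at the registrar."""
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in priv]
    return priv, pub


def _message_bits(message: bytes) -> str:
    return "".join(f"{byte:08b}" for byte in hashlib.sha256(message).digest())


def lamport_sign(priv, message: bytes):
    """Reveal one preimage per digest bit. One-time: never reuse priv."""
    return [priv[i][int(bit)] for i, bit in enumerate(_message_bits(message))]


def lamport_verify(pub, message: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(
        hashlib.sha256(sig[i]).digest() == pub[i][int(bit)]
        for i, bit in enumerate(_message_bits(message))
    )


class TsigRegistrar:
    """Hypothetical registrar: one row per zone, each row a shared secret."""

    def __init__(self):
        self.store = {}

    def enroll(self, zone: str) -> bytes:
        secret = secrets.token_bytes(32)
        self.store[zone] = secret
        return secret  # handed to the zone owner: the secret now lives in two places

    def accept_update(self, zone: str, message: bytes, mac: bytes) -> bool:
        secret = self.store.get(zone)
        return secret is not None and tsig_verify(secret, message, mac)


class Sig0Registrar:
    """Hypothetical registrar: one row per zone, each row a public key."""

    def __init__(self):
        self.store = {}

    def enroll(self, zone: str, pub) -> None:
        self.store[zone] = pub

    def accept_update(self, zone: str, message: bytes, sig) -> bool:
        pub = self.store.get(zone)
        return pub is not None and lamport_verify(pub, message, sig)


def compare(n_zones: int = 3) -> dict:
    """Enroll n constructed zones both ways, send one honest update per zone,
    then model a leak of each registrar database and test what it lets a
    third party forge."""
    zones = [f"zone{i}.example." for i in range(n_zones)]
    update = b"UPDATE zone ADD www A 192.0.2.1"  # constructed request bytes
    tsig_reg, sig0_reg = TsigRegistrar(), Sig0Registrar()
    honest_tsig = honest_sig0 = True
    for z in zones:
        secret = tsig_reg.enroll(z)
        priv, pub = lamport_keygen()
        sig0_reg.enroll(z, pub)
        honest_tsig &= tsig_reg.accept_update(z, update, tsig_sign(secret, update))
        honest_sig0 &= sig0_reg.accept_update(z, update, lamport_sign(priv, update))

    forged = b"UPDATE zone ADD www A 198.51.100.99"
    leaked_tsig = dict(tsig_reg.store)  # a TSIG dump is signing material for every zone
    tsig_forge = all(
        tsig_reg.accept_update(z, forged, tsig_sign(leaked_tsig[z], forged)) for z in zones
    )
    # A SIG(0) dump holds only public keys; without preimages a forger can only guess.
    sig0_forge = any(
        sig0_reg.accept_update(z, forged, [secrets.token_bytes(32) for _ in range(256)])
        for z in zones
    )
    return {
        "tsig_rows": len(tsig_reg.store),
        "sig0_rows": len(sig0_reg.store),
        "honest_tsig": honest_tsig,
        "honest_sig0": honest_sig0,
        "tsig_dump_forges": tsig_forge,
        "sig0_dump_forges": sig0_forge,
    }
```

Running compare() shows the two stores are the same size for any number of zones, which is the scaling argument, while only the TSIG store is itself a forgery kit if it leaks, which is the "only one side holds private material" point.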


