> Subject: Re: [DNSOP] dns data exchanged between host and local dns-server
>
> RFC 2845 - Secret Key Transaction Authentication for DNS (TSIG)
>
> This protocol allows for transaction level authentication using shared
> secrets and one way hashing. It can be used to authenticate dynamic
> updates as coming from an approved client, or to authenticate
> responses as coming from an approved recursive name server.

Does anybody know if this is implemented by a stub resolver? As far as I know, TSIG is currently used only for DDNS (host to ANS or DHCP server to ANS) or to authenticate queries between name servers (ANS or RNS).

> or
>
> RFC 3645 - Generic Security Service Algorithm for Secret Key
> Transaction Authentication for DNS (GSS-TSIG)
>
> The Secret Key Transaction Authentication for DNS (TSIG) protocol
> provides transaction level authentication for DNS. TSIG is extensible
> through the definition of new algorithms. This document specifies an
> algorithm based on the Generic Security Service Application Program
> Interface (GSS-API) (RFC2743). This document updates RFC 2845.

Same as above. I guess that this is implemented only for dynamic updates, not to authenticate responses coming from a recursive name server.

Even BIND as a (local) forwarding name server is not able to use GSS-TSIG to protect the communication with the recursive name server. Please correct me if I'm wrong. I've been looking for a TSIG-aware stub resolver for years.

Holger
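Added example (not part of Holger's message or of any resolver the thread mentions): what a TSIG-aware stub would have to do on the wire to sign a query for its recursive server, and what the server side checks on receipt. It implements the RFC 8945 (successor to RFC 2845) HMAC-SHA256 digest over the unsigned message plus the TSIG variables, appends the TSIG RR, and on the verifying side rebuilds the unsigned message, recomputes the MAC with `hmac.compare_digest`, and then checks the fudge window. The key bytes, the key name `stub-key.example.`, the query and the timestamps are all constructed for the example; there is no network I/O.

```python
"""TSIG (RFC 8945, hmac-sha256) signing and verification of a DNS query.
Constructed example; key, key name and query are made up, nothing is sent."""
import hashlib
import hmac
import struct

TSIG_TYPE = 250                 # RR type for TSIG
CLASS_ANY = 255                 # TSIG RRs carry class ANY and TTL 0
HMAC_SHA256 = "hmac-sha256."    # algorithm name in domain-name syntax


def encode_name(name: str) -> bytes:
    """Canonical wire form used in the MAC: lowercase labels, no compression."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; returns (text, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln == 0:
            off += 1
            break
        if ln & 0xC0 == 0xC0:                       # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    return ".".join(labels) + ".", (end if end is not None else off)


def build_query(qid: int, qname: str, qtype: int = 1) -> bytes:
    """Minimal stub query: header with RD set and one question (class IN)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack(">HH", qtype, 1)


def _tsig_mac(key, message, keyname, time_signed, fudge, error=0, other=b"", request_mac=b""):
    """HMAC input per RFC 8945 4.3: [request MAC] + unsigned message + TSIG variables."""
    data = b""
    if request_mac:                                  # only when signing a response
        data += struct.pack(">H", len(request_mac)) + request_mac
    data += message
    data += encode_name(keyname) + struct.pack(">HI", CLASS_ANY, 0)   # NAME, CLASS, TTL
    data += encode_name(HMAC_SHA256)                                   # Algorithm Name
    data += time_signed.to_bytes(6, "big") + struct.pack(">H", fudge)
    data += struct.pack(">HH", error, len(other)) + other              # Error, Other
    return hmac.new(key, data, hashlib.sha256).digest()


def tsig_sign(message: bytes, key: bytes, keyname: str, time_signed: int, fudge: int = 300) -> bytes:
    """Client side: MAC the unsigned message, append the TSIG RR, bump ARCOUNT."""
    mac = _tsig_mac(key, message, keyname, time_signed, fudge)
    rdata = (encode_name(HMAC_SHA256) + time_signed.to_bytes(6, "big")
             + struct.pack(">HH", fudge, len(mac)) + mac
             + message[:2]                            # Original ID
             + struct.pack(">HH", 0, 0))              # Error = 0, Other Len = 0
    rr = encode_name(keyname) + struct.pack(">HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack(">H", message[10:12])[0] + 1
    return message[:10] + struct.pack(">H", arcount) + message[12:] + rr


def tsig_verify(signed: bytes, key: bytes, expected_keyname: str, now: int, request_mac=b""):
    """Server side: returns (ok, reason). Walks to the last RR, strips it,
    recomputes the MAC over the rebuilt unsigned message, then checks time."""
    qd, an, ns, ar = struct.unpack(">HHHH", signed[4:12])
    if ar == 0:
        return False, "no TSIG RR"
    off = 12
    for _ in range(qd):                              # skip questions
        _, off = read_name(signed, off)
        off += 4
    for _ in range(an + ns + ar - 1):                # skip every RR but the last
        _, off = read_name(signed, off)
        off += 10 + struct.unpack(">H", signed[off + 8:off + 10])[0]
    tsig_start = off
    keyname, off = read_name(signed, off)
    rtype, rclass, _ttl, _rdlen = struct.unpack(">HHIH", signed[off:off + 10])
    off += 10
    if rtype != TSIG_TYPE or rclass != CLASS_ANY:
        return False, "last RR is not TSIG"
    alg, off = read_name(signed, off)
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, mac_size = struct.unpack(">HH", signed[off + 6:off + 10])
    off += 10
    mac, off = signed[off:off + mac_size], off + mac_size
    original_id, off = signed[off:off + 2], off + 2
    error, other_len = struct.unpack(">HH", signed[off:off + 4])
    other = signed[off + 4:off + 4 + other_len]
    if keyname.lower() != expected_keyname.lower() or alg.lower() != HMAC_SHA256:
        return False, "unknown key or algorithm"     # BADKEY in a real server
    # Unsigned message = original ID, same flags, ARCOUNT minus the TSIG RR, body up to TSIG.
    unsigned = original_id + signed[2:10] + struct.pack(">H", ar - 1) + signed[12:tsig_start]
    expected = _tsig_mac(key, unsigned, keyname, time_signed, fudge, error, other, request_mac)
    if not hmac.compare_digest(mac, expected):
        return False, "MAC mismatch"                 # BADSIG
    if abs(now - time_signed) > fudge:               # checked only after the MAC holds
        return False, "outside time window"          # BADTIME
    return True, "ok"


if __name__ == "__main__":
    KEY = b"constructed-demo-key-not-for-production"     # constructed
    q = build_query(0x1234, "www.example.com.")
    s = tsig_sign(q, KEY, "stub-key.example.", time_signed=1_700_000_000)
    print(tsig_verify(s, KEY, "stub-key.example.", now=1_700_000_010))
    print(tsig_verify(s[:13] + b"ftp" + s[16:], KEY, "stub-key.example.", now=1_700_000_010))
```

Two points the code makes concrete: the MAC covers the message as it was before the TSIG RR was added (hence ARCOUNT minus one and the Original ID field on the verifying side, which is what lets a forwarder that rewrites the ID still validate), and the time check is done only after the MAC is accepted, so an attacker cannot probe the server's clock with unsigned junk. A response from the recursive server would be signed the same way with `request_mac` set to the query's MAC, chaining the two.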
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop