It can provide that as well if you configure your DNS server with a list of authorized IP addresses for certain zones. In other words, you let your DNS server know from which IP addresses it can accept updates for a particular zone. In this case, CGA-TSIG can be helpful as well, as it can provide the proof of address ownership for the node so that DNS servers will only accept updates from the ones whom it is sure are the owners of that IP address. This is also possible after the node changes its IP address. Then this process is automatic and there is no need for any further manual configuration.
Thanks,
Best,
Hosnieh

> On August 28, 2013 at 3:49 AM Guangqing Deng <[email protected]> wrote:
>
> Cga-tsig approach can make sure that the content transferred between
> resolvers and DNS servers is not maliciously modified by others; while this
> approach cannot prevent the Resource Record (RR) from being wrongly updated by
> the registrar (namely man-made mistakes). Then it seems that one kind of RR
> checking tool (especially for NS RR) is needed by the registrar, and I am
> wondering whether there have been any such tools available yet?
>
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
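
Added example, not part of the original message and not code from the CGA-TSIG draft: a server-side sketch of the check described in the reply above, combining the per-zone list of authorized addresses with the RFC 3972 address-to-key binding check (Hash1/Hash2). Assumptions: the zone name, key bytes, prefix and function names are constructed for illustration, CGA extension fields are empty, and verifying the signature on the update message with the matching private key, which a full ownership proof also needs, is outside this block.

```python
import hashlib
import ipaddress

IID_MASK = bytes([0x1C]) + b"\xff" * 7  # ignore Sec bits (0-2) and u/g bits (6-7)


def _hash1(modifier, prefix, collision_count, public_key):
    # RFC 3972: Hash1 = leftmost 64 bits of SHA-1 over the CGA Parameters
    params = modifier + prefix + bytes([collision_count]) + public_key
    return hashlib.sha1(params).digest()[:8]


def make_cga(prefix, modifier, collision_count, public_key, sec=0):
    """Build a CGA for the constructed sample (Sec=0 needs no Hash2 search)."""
    iid = bytearray(_hash1(modifier, prefix, collision_count, public_key))
    iid[0] = (iid[0] & 0x1C) | (sec << 5)  # write Sec, zero the u and g bits
    return ipaddress.IPv6Address(prefix + bytes(iid))


def verify_cga(address, modifier, collision_count, public_key):
    """RFC 3972 section 5 checks; the prefix is taken from the address itself."""
    addr = ipaddress.IPv6Address(address).packed
    prefix, iid = addr[:8], addr[8:]
    if collision_count not in (0, 1, 2) or len(modifier) != 16:
        return False
    hash1 = _hash1(modifier, prefix, collision_count, public_key)
    if any((h ^ i) & m for h, i, m in zip(hash1, iid, IID_MASK)):
        return False
    sec = iid[0] >> 5
    # Hash2: the leftmost 16*Sec bits must be zero
    hash2 = hashlib.sha1(modifier + bytes(9) + public_key).digest()
    return hash2[: 2 * sec] == bytes(2 * sec)


def accept_update(zone, source, cga_params, authorized):
    """Accept only if source is listed for the zone AND passes the CGA check."""
    allowed = {ipaddress.IPv6Address(a) for a in authorized.get(zone, ())}
    if ipaddress.IPv6Address(source) not in allowed:
        return False
    return verify_cga(source, *cga_params)


# Constructed sample data (placeholder key bytes, documentation prefix).
KEY = b"constructed-public-key-bytes"
PREFIX = ipaddress.IPv6Address("2001:db8:0:1::").packed[:8]
PARAMS = (bytes(16), 0, KEY)  # (modifier, collision count, public key)
NODE = make_cga(PREFIX, bytes(16), 0, KEY)
AUTHORIZED = {"example.org.": [str(NODE)]}

if __name__ == "__main__":
    print(accept_update("example.org.", str(NODE), PARAMS, AUTHORIZED))
```

An address that is on the zone's list but was not derived from the presented key fails the second check, which is the case a plain address list cannot catch.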
