For DNS updates, SIG(0) works fine. I have code you can steal that works with mbedtls and ECDSA. Signing and validation. But I think TLS client certs can also work. Proving the front end server's identity sounds like the hard part.
Sent from my iPhone

> On Jun 8, 2019, at 6:32 PM, Michael Richardson <mcr+i...@sandelman.ca> wrote:
>
> Ted Lemon <mel...@fugue.com> wrote:
>>> Can we use TLS for authorization, assuming that we have trusted certificates
>>> at both ends? Perhaps this is more of a: did anyone implement this?
>
>> How is trust established? Sure, doing TSIG over TLS is no problem.
>
> Certificates are exchanged/created at manufacturing time (IDevID), and then
> optionally updated to LDevID. The certificate contains the name of the zone
> which the HNA is authoritative for (or a control record pins the
> certificate).
>
> TSIG requires a shared secret, thus a database of shared secrets available
> online. I don't want to do TSIG over TLS, I want to not do TSIG, or
> if I have to use TSIG for mechanical reasons, I want to derive the secret
> from the TLS.
>
> I need to authorize the following:
> 1) DNS update of some data (NS, DS, AAAA that NS points to) by
> Distribution Master (cloud/public system)
> 2) SOA query by Distribution Master by HNA.
> 3) AXFR by Distribution Master by HNA.
>
> --
> Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-
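To make concrete the shared-secret point Michael raises (the verifier must hold exactly the key the signer used, so every front end that validates UPDATEs needs that secret online), here is an added example, not code from either poster: a minimal RFC 2136 UPDATE signed and verified with TSIG hmac-sha256 in standard-library Python. The key name, secret, zone and AAAA record are constructed, and the wire handling is simplified (no name compression, no request MAC, no signing of responses).

```python
import hmac, hashlib, ipaddress, struct

KEY_NAME, ALG, FUDGE = "hna1.example.", "hmac-sha256.", 300
KEY = b"constructed-shared-secret-not-from-the-thread"  # constructed

def wire_name(name):
    """Uncompressed wire form of a dotted name."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def skip_name(buf, off):
    while buf[off]: off += 1 + buf[off]
    return off + 1

def build_update(zone, owner, ipv6, msg_id=0x1234):  # RFC 2136 UPDATE, one AAAA
    header = struct.pack("!HHHHHH", msg_id, 0x2800, 1, 0, 1, 0)  # opcode 5, ZO=1, UP=1
    rr = wire_name(owner) + struct.pack("!HHIH", 28, 1, 3600, 16) + ipaddress.IPv6Address(ipv6).packed
    return header + wire_name(zone) + struct.pack("!HH", 6, 1) + rr

def tsig_mac(msg, key, time_signed, fudge=FUDGE):
    """HMAC over the unsigned message plus the TSIG variables (RFC 2845 3.4)."""
    tsig_vars = (wire_name(KEY_NAME) + struct.pack("!HI", 255, 0) + wire_name(ALG)
                 + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, 0, 0))
    return hmac.new(key, msg + tsig_vars, hashlib.sha256).digest()

def sign(msg, key, time_signed):
    """Client side: append a TSIG RR to the additional section and bump ARCOUNT."""
    mac = tsig_mac(msg, key, time_signed)
    rdata = (wire_name(ALG) + time_signed.to_bytes(6, "big") + struct.pack("!HH", FUDGE, len(mac))
             + mac + msg[:2] + struct.pack("!HH", 0, 0))
    rr = wire_name(KEY_NAME) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr

def verify(signed, key, now):
    """Server side: strip the trailing TSIG RR, recompute with the same secret."""
    zo, pr, up, ad = struct.unpack("!HHHH", signed[4:12])
    off = 12
    for _ in range(zo): off = skip_name(signed, off) + 4
    for _ in range(pr + up + ad - 1):
        off = skip_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    unsigned = signed[:10] + struct.pack("!H", ad - 1) + signed[12:off]
    off = skip_name(signed, off) + 10          # past TSIG name, type, class, TTL, rdlen
    off = skip_name(signed, off)               # past algorithm name
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, mac_len = struct.unpack("!HH", signed[off + 6:off + 10])
    mac = signed[off + 10:off + 10 + mac_len]
    if abs(now - time_signed) > fudge: return False   # outside the replay window
    return hmac.compare_digest(mac, tsig_mac(unsigned, key, time_signed, fudge))
```

Note that `verify` cannot work without `KEY` itself, which is exactly what an asymmetric scheme (SIG(0) or a TLS client certificate) avoids on the serving side.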