Ted Lemon <mel...@fugue.com> wrote:
    > For DNS updates, SIG(0) works fine. I have code you can steal that
    > works with mbedtls and ecdsa. Signing and validation. But I think TLS
    > client certs can also work. Proving the front end server's identity
    > sounds like the hard part.

Just to ask again clearly:

1a) is it possible to authorize an AXFR transfer by SIG(0)?
1b) is it possible to authorize an SOA query by SIG(0)?
2) is anyone doing AXFR over TLS (DPRIVE)?
{3) is RFC3007 really the most recent text on dynamic DNS?}

>> On Jun 8, 2019, at 6:32 PM, Michael Richardson <mcr+i...@sandelman.ca> wrote:
>>
>> Ted Lemon <mel...@fugue.com> wrote:
>>>> Can we use TLS for authorization, assuming that we have trusted
>>>> certificates at both ends? Perhaps this is more of a: did anyone
>>>> implement this?
>>
>>> How is trust established? Sure, doing TSIG over TLS is no problem.
>>
>> Certificates are exchanged/created at manufacturing time (IDevID), and then
>> optionally updated to LDevID. The certificate contains the name of the zone
>> which the HNA is authoritative for (or a control record pins the
>> certificate).
>>
>> TSIG requires a shared secret, thus a database of shared secrets available
>> online. I don't want to do TSIG over TLS, I want to not do TSIG, or
>> if I have to use TSIG for mechanical reasons, I want to derive the secret
>> from the TLS.
>>
>> I need to authorize the following:
>> 1) DNS update of some data (NS, DS, AAAA that NS points to) by
>>    Distribution Master (cloud/public system)
>> 2) SOA query by Distribution Master by HNA.
>> 3) AXFR by Distribution Master by HNA.
>>
>> --
>> Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
>> -= IPv6 IoT consulting =-

--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
-= IPv6 IoT consulting =-
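For readers following the SIG(0) part of this exchange, here is an added worked example of what signing and validating a request with SIG(0) and ECDSA P-256 looks like. It is not Ted's mbedtls code and not part of this thread: it is a stand-alone Go sketch using only the standard library. It assumes the RFC 2931 rule that the signature covers the SIG RDATA (minus the signature field) followed by the DNS message as it stood before the SIG(0) RR was appended, and the RFC 6605 encoding of the signature as r||s in 64 bytes. The UPDATE message, key tag, validity times and the signer name `hna.example.` are constructed sample values, and the DNS message builder is deliberately minimal (a zone section only, no prerequisite or update RRs).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/big"
	"strings"
)

// sig0Rdata holds the SIG RDATA fields that precede the signature field
// (RFC 2535 section 4.1). For SIG(0) the type covered, labels and original
// TTL fields are all zero, so they are not stored here.
type sig0Rdata struct {
	Algorithm  uint8  // 13 = ECDSAP256SHA256 (RFC 6605)
	Expiration uint32 // seconds since the epoch (constructed values below)
	Inception  uint32
	KeyTag     uint16
	SignerName string // owner name of the signer's KEY RR, e.g. "hna.example."
}

// encodeName converts "a.b.example." into uncompressed DNS wire format.
func encodeName(name string) []byte {
	var out []byte
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		if label == "" {
			continue
		}
		out = append(out, byte(len(label)))
		out = append(out, label...)
	}
	return append(out, 0)
}

// prefix serialises the RDATA fields that the signature covers.
func (r sig0Rdata) prefix() []byte {
	b := make([]byte, 18)
	// bytes 0-1 type covered (0), byte 3 labels (0), bytes 4-7 original TTL (0)
	b[2] = r.Algorithm
	binary.BigEndian.PutUint32(b[8:], r.Expiration)
	binary.BigEndian.PutUint32(b[12:], r.Inception)
	binary.BigEndian.PutUint16(b[16:], r.KeyTag)
	return append(b, encodeName(r.SignerName)...)
}

// sig0Digest hashes what a SIG(0) covers (RFC 2931 section 3.1): the SIG RDATA
// minus the signature field, followed by the DNS message as it was before the
// SIG(0) RR was appended to the additional section.
func sig0Digest(r sig0Rdata, msg []byte) []byte {
	h := sha256.New()
	h.Write(r.prefix())
	h.Write(msg)
	return h.Sum(nil)
}

// signSIG0 produces the 64-byte r||s signature field required by RFC 6605.
func signSIG0(priv *ecdsa.PrivateKey, r sig0Rdata, msg []byte) ([]byte, error) {
	rr, s, err := ecdsa.Sign(rand.Reader, priv, sig0Digest(r, msg))
	if err != nil {
		return nil, err
	}
	sig := make([]byte, 64)
	rr.FillBytes(sig[:32]) // FillBytes left-pads, so short values stay aligned
	s.FillBytes(sig[32:])
	return sig, nil
}

// verifySIG0 is the check the receiving server runs before honouring the request.
func verifySIG0(pub *ecdsa.PublicKey, r sig0Rdata, msg, sig []byte) bool {
	if len(sig) != 64 {
		return false
	}
	rr := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	return ecdsa.Verify(pub, sig0Digest(r, msg), rr, s)
}

// constructedUpdate builds a minimal, constructed DNS UPDATE (opcode 5) whose
// zone section names the zone (QTYPE SOA, QCLASS IN) and nothing else.
func constructedUpdate(id uint16, zone string) []byte {
	h := make([]byte, 12)
	binary.BigEndian.PutUint16(h[0:], id)
	binary.BigEndian.PutUint16(h[2:], 5<<11) // QR=0, opcode UPDATE, no flags
	binary.BigEndian.PutUint16(h[4:], 1)     // ZOCOUNT = 1
	zoneSection := append(encodeName(zone), 0, 6, 0, 1) // TYPE SOA, CLASS IN
	return append(h, zoneSection...)
}

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	rd := sig0Rdata{Algorithm: 13, Expiration: 1560100000, Inception: 1560099700, KeyTag: 4242, SignerName: "hna.example."}
	msg := constructedUpdate(0x1234, "example.")
	sig, err := signSIG0(priv, rd, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("untouched request verifies:", verifySIG0(&priv.PublicKey, rd, msg, sig))
	msg[2] ^= 0x80 // flip the QR bit: any change to the covered message must fail
	fmt.Println("tampered request verifies:", verifySIG0(&priv.PublicKey, rd, msg, sig))
}
```

The same digest routine serves both the update and the SOA/AXFR cases the thread asks about, because a SIG(0) is computed over the whole request regardless of opcode; what differs per deployment is only whether the server is configured to consult the signer's KEY RR for that operation, which this sketch does not model.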
_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet