Ted Lemon <mel...@fugue.com> wrote:
    > For dns updates, SIG(0) works fine. I have code you can steal that
    > works with mbedtls and ecdsa. Signing and validation.  But I think TLS
    > client certs can also work.  Proving the front end server's identity
    > sounds like the hard part.

Just to ask again clearly:

1a) is it possible to authorize an AXFR transfer by SIG(0)?
1b) is it possible to authorize an SOA query by SIG(0)?
2) is anyone doing AXFR over TLS (DPRIVE)?

{3) is RFC3007 really the most recent text on dynamic DNS?}

    >> On Jun 8, 2019, at 6:32 PM, Michael Richardson <mcr+i...@sandelman.ca> wrote:
    >>
    >>
    >> Ted Lemon <mel...@fugue.com> wrote:
    >>>> Can we use TLS for authorization, assuming that we have trusted
    >>>> certificates
    >>>> at both ends?  Perhaps this is more of a: did anyone implement this?
    >>
    >>> How is trust established?   Sure, doing TSIG over TLS is no problem.
    >>
    >> Certificates are exchanged/created at manufacturing time (IDevID), and then
    >> optionally updated to LDevID.  The certificate contains the name of the zone
    >> which the HNA is authoritative for (or a control record pins the
    >> certificate).
    >>
    >> TSIG requires a shared secret, thus a database of shared secrets available
    >> online.   I don't want to do TSIG over TLS, I want to not do TSIG, or
    >> if I have to use TSIG for mechanical reasons, I want to derive the secret
    >> from the TLS.
    >>
    >> I need to authorize the following:
    >> 1) DNS update of some data (NS, DS, AAAA that NS points to) by
    >> Distribution Master (cloud/public system)
    >> 2) SOA query by Distribution Master by HNA.
    >> 3) AXFR by Distribution Master by HNA.
    >>
    >> --
    >> Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
    >> -= IPv6 IoT consulting =-

--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
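The SIG(0) mechanism that Ted offers code for, and that the questions above ask about, is shown below as an added example; it is not code from this thread, from Ted's mbedtls implementation, or from any IETF project. It builds a minimal RFC 2136 UPDATE (add one AAAA under an assumed zone, hna.example.org.), appends an RFC 2931 SIG(0) RR signed with ECDSA P-256 (DNSSEC algorithm 13, RFC 6605), then verifies it the way a server would: walk to the last additional RR, check type/algorithm/signer/time window/key tag, strip the RR, restore ARCOUNT and verify the signature over "SIG RDATA without signature || original request". Assumptions: the signer name equals the zone, the key tag is computed over DNSKEY-format RDATA (flags 256, protocol 3), a fixed +/-300 s validity window, and a constructed address 2001:db8::1. Because SIG(0) covers the whole request message, the same signing step applies unchanged to an SOA query or an AXFR request; whether a given server consults that signature when authorizing AXFR is exactly the implementation question 1a/1b ask, and this example makes no claim about any particular server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"math/big"
	"strings"
	"time"
)

const algECDSAP256SHA256 = 13 // RFC 6605: SHA-256 digest, signature is r||s (32 bytes each)
func u16(v uint16) []byte     { b := make([]byte, 2); binary.BigEndian.PutUint16(b, v); return b }
func u32(v uint32) []byte     { b := make([]byte, 4); binary.BigEndian.PutUint32(b, v); return b }
func be16(b []byte) int       { return int(binary.BigEndian.Uint16(b)) }
func cat(p ...[]byte) (out []byte) { for _, x := range p { out = append(out, x...) }; return }

func encodeName(name string) []byte { // uncompressed wire-format name: "ns.example." -> 2ns7example0
	var out []byte
	for _, l := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		if l != "" { out = append(append(out, byte(len(l))), l...) }
	}
	return append(out, 0)
}

func skipName(b []byte, off int) int { // offset just past the wire-format name starting at off
	for ; b[off] != 0; off += 1 + int(b[off]) {
		if b[off]&0xC0 == 0xC0 { return off + 2 } // compression pointer occupies two bytes
	}
	return off + 1
}

// buildUpdate: a minimal RFC 2136 UPDATE (opcode 5) with a zone section and one "add AAAA" RR.
func buildUpdate(id uint16, zone, owner string, addr [16]byte) []byte {
	hdr := cat(u16(id), u16(5<<11), u16(1), u16(0), u16(1), u16(0)) // ZOCOUNT=1 PRCOUNT=0 UPCOUNT=1 ADCOUNT=0
	return cat(hdr, encodeName(zone), u16(6), u16(1), // zone section: SOA, IN
		encodeName(owner), u16(28), u16(1), u32(3600), u16(16), addr[:]) // update: AAAA IN 3600
}

// keyTag per RFC 4034 Appendix B over DNSKEY-format RDATA (assumed flags 256, protocol 3, alg 13, X||Y).
func keyTag(pub *ecdsa.PublicKey) uint16 {
	rd := cat([]byte{1, 0, 3, algECDSAP256SHA256}, pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32)))
	var ac uint32
	for i, b := range rd { ac += uint32(b) << (8 * uint(1-i%2)) }
	return uint16((ac + ac>>16) & 0xFFFF)
}

// signSIG0 appends a SIG(0) RR (root owner, class ANY, TTL 0) as the last additional RR. Per RFC 2931
// the signed data is the SIG RDATA minus the signature field, then the request as it was before the RR was added.
func signSIG0(priv *ecdsa.PrivateKey, msg []byte, signer string, now time.Time) ([]byte, error) {
	t := uint32(now.Unix())
	prefix := cat([]byte{0, 0, algECDSAP256SHA256, 0}, u32(0), u32(t+300), u32(t-300), // covered=0 labels=0 TTL=0 exp inc
		u16(keyTag(&priv.PublicKey)), encodeName(signer))
	h := sha256.Sum256(cat(prefix, msg))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil { return nil, err }
	rdata := cat(prefix, r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32)))
	out := cat(msg, []byte{0}, u16(24), u16(255), u32(0), u16(uint16(len(rdata))), rdata) // ". SIG ANY 0 <rdata>"
	binary.BigEndian.PutUint16(out[10:], uint16(be16(out[10:])+1))                      // ARCOUNT++
	return out, nil
}

// verifySIG0 walks to the last additional RR, checks it as SIG(0) and verifies the signature;
// an out-of-range read on a malformed message panics and is recovered as "not verified".
func verifySIG0(pub *ecdsa.PublicKey, signed []byte, signer string, now time.Time) (ok bool) {
	defer func() { if recover() != nil { ok = false } }()
	zo, rrs, off := be16(signed[4:]), be16(signed[6:])+be16(signed[8:])+be16(signed[10:]), 12
	for i := 0; i < zo; i++ { off = skipName(signed, off) + 4 } // zone (question) entries
	for i := 0; i < rrs-1; i++ { // every RR except the last one
		off = skipName(signed, off) + 8
		off += 2 + be16(signed[off:])
	}
	sigRR, off := off, skipName(signed, off)
	rdStart, rdEnd := off+10, off+10+be16(signed[off+8:])
	rd, nameEnd := signed[rdStart:rdEnd], skipName(signed, rdStart+18)
	sig, t := signed[nameEnd:rdEnd], uint32(now.Unix())
	exp, inc := binary.BigEndian.Uint32(rd[8:]), binary.BigEndian.Uint32(rd[12:])
	if be16(signed[10:]) == 0 || be16(signed[off:]) != 24 || rd[0] != 0 || rd[1] != 0 ||
		rd[2] != algECDSAP256SHA256 || len(sig) != 64 || t < inc || t > exp ||
		string(signed[rdStart+18:nameEnd]) != string(encodeName(signer)) || be16(rd[16:]) != int(keyTag(pub)) {
		return false
	}
	orig := append([]byte{}, signed[:sigRR]...)                      // request without the SIG(0) RR ...
	binary.BigEndian.PutUint16(orig[10:], uint16(be16(orig[10:])-1)) // ... and with ARCOUNT restored
	h := sha256.Sum256(cat(signed[rdStart:nameEnd], orig))
	return ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
}

// runDemo signs a constructed UPDATE, verifies it, then flips one rdata byte and verifies again.
func runDemo() (bool, bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return false, false, err }
	zone, now := "hna.example.org.", time.Now()     // assumed zone and signer name
	addr := [16]byte{0x20, 0x01, 0x0d, 0xb8, 15: 1} // 2001:db8::1, constructed
	msg := buildUpdate(0x1234, zone, "ns."+zone, addr)
	signed, err := signSIG0(priv, msg, zone, now)
	if err != nil { return false, false, err }
	tampered := append([]byte{}, signed...)
	tampered[len(msg)-1] ^= 1 // last byte of the AAAA rdata
	return verifySIG0(&priv.PublicKey, signed, zone, now), verifySIG0(&priv.PublicKey, tampered, zone, now), nil
}
```

runDemo returns (true, false, nil): the genuine UPDATE verifies and the one-byte change is rejected. The point relevant to the shared-secret objection is that the verifier needs only the public key published under the signer name (plus its key tag), not a per-client secret database; swapping buildUpdate for an SOA or AXFR query message leaves signSIG0 and verifySIG0 untouched.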




_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet
