Re: Question about TSIG, AD/AA, and AXFR
Robert Elz <kre@munnari.OZ.AU> Tue, 17 July 2001 13:23 UTC
Received: from psg.com (exim@psg.com [147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with SMTP id JAA03470 for <dnsext-archive@lists.ietf.org>; Tue, 17 Jul 2001 09:23:33 -0400 (EDT)
Received: from lserv by psg.com with local (Exim 3.31 #1) id 15MU78-000FL1-00 for namedroppers-data@psg.com; Tue, 17 Jul 2001 05:38:10 -0700
Received: from h-135-207-10-122.research.att.com ([135.207.10.122] helo=roam.psg.com) by psg.com with esmtp (Exim 3.31 #1) id 15MU78-000FKv-00 for namedroppers@ops.ietf.org; Tue, 17 Jul 2001 05:38:10 -0700
Received: from randy by roam.psg.com with local (Exim 3.30 #1) id 15MU77-000IPM-00 for namedroppers@ops.ietf.org; Tue, 17 Jul 2001 08:38:09 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
From: Robert Elz <kre@munnari.OZ.AU>
To: Edward Lewis <lewis@tislabs.com>
cc: namedroppers@ops.ietf.org
Subject: Re: Question about TSIG, AD/AA, and AXFR
In-Reply-To: <E15MI1g-000IVw-00@psg.com>
References: <E15MI1g-000IVw-00@psg.com>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
Message-Id: <E15MU78-000FL1-00@psg.com>
Date: Tue, 17 Jul 2001 05:38:10 -0700
Date: Mon, 16 Jul 2001 16:43:44 -0700
From: Edward Lewis <lewis@tislabs.com>
Message-ID: <E15MI1g-000IVw-00@psg.com>
| I am wondering if there is an unreported protocol problem in the
| combination of TSIG, AD/AA, and AXFR.
This isn't a protocol problem, it is operational. Using just the protocol
you have no way to determine the source of the data for AXFR at all, only
that it exists, and is being made available to you (and then the rules for
making sense of it all of course).
If you don't trust the server you're configured to obtain the data from to
send you accurate data, then you should be getting it from elsewhere.
All TSIG helps you do is rest assured that the data has truly been sent
to you from the server you configured to send it.
For anything more than this (knowing that the data is the correct data)
you really need to be using dnssec, and verifying all those signatures.
| DNS Security is supposed to be about protecting the resolver,
But that's not what TSIG is about, I don't think (except when it is being
used to enable secure communications between a stub resolver and a back
end resolver/cache).
TSIG is just the cheap mechanism to get data that is secured via some other
means to a node that doesn't want to implement the full security model.
If the data wasn't already known to be secure, there's nothing TSIG can
possibly do to assist.
kre
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
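The distinction kre draws above (TSIG authenticates the transaction with the configured server; only DNSSEC authenticates the data itself) can be made concrete with a small model of a TSIG-protected zone transfer. This is an added example, not code from the thread or from any DNS implementation: the key name, shared secret and zone records are constructed, and the MAC input is a simplified stand-in for the RFC 2845 digest layout rather than the exact wire format.

```python
import hashlib
import hmac
import time

# Constructed shared secret and key name: the values a primary and a secondary
# would both be configured with.  Not real credentials.
KEY_NAME = "xfer-key.example."
SECRET = b"constructed-shared-secret-for-illustration"
ALGORITHM = b"hmac-sha256."   # RFC 4635 algorithm name; digest input below is simplified
FUDGE = 300                   # seconds of clock skew tolerated, as in RFC 2845


def serialize_zone(records):
    """Turn constructed zone records into the 'message' the MAC covers.
    A real AXFR is a sequence of wire-format DNS messages; this is a stand-in."""
    return "\n".join(records).encode()


def tsig_mac(secret, message, key_name, time_signed, fudge=FUDGE):
    """Simplified TSIG-style MAC.  RFC 2845 digests the DNS message followed by
    the TSIG variables (key name, algorithm, time signed, fudge, ...); the same
    idea is reproduced here over a simplified, non-wire-format encoding."""
    variables = b"".join([
        key_name.lower().encode(),
        ALGORITHM,
        time_signed.to_bytes(6, "big"),
        fudge.to_bytes(2, "big"),
    ])
    return hmac.new(secret, message + variables, hashlib.sha256).digest()


def sign_transfer(records, time_signed):
    """What the configured primary does: emit the zone plus a MAC under the shared key."""
    message = serialize_zone(records)
    return message, tsig_mac(SECRET, message, KEY_NAME, time_signed)


def accept_transfer(message, mac, time_signed, now):
    """What the secondary checks.  The MAC proves the bytes came from a holder of
    SECRET within the time window; it says nothing about whether the zone content
    is correct.  Only DNSSEC signature validation could establish that."""
    if abs(now - time_signed) > FUDGE:
        return False                               # BADTIME in RFC 2845 terms
    expected = tsig_mac(SECRET, message, KEY_NAME, time_signed)
    return hmac.compare_digest(expected, mac)      # constant-time comparison


def demo(now=None):
    """Run the four cases a secondary operator cares about and report each verdict."""
    now = int(time.time()) if now is None else now
    good_zone = ["example. IN SOA ns1.example. hostmaster.example. 1 3600 900 604800 300",
                 "www.example. IN A 192.0.2.10"]

    # Case 1: the configured primary sends correct data -> TSIG verifies.
    msg, mac = sign_transfer(good_zone, now)
    genuine = accept_transfer(msg, mac, now, now)

    # Case 2: a record is rewritten in transit -> the MAC no longer matches.
    altered = msg.replace(b"192.0.2.10", b"192.0.2.66")
    tampered = accept_transfer(altered, mac, now, now)

    # Case 3: the configured primary itself holds wrong data (stale, misloaded,
    # or fed bad data upstream) and signs it honestly -> TSIG still verifies.
    wrong_zone = [good_zone[0], "www.example. IN A 192.0.2.66"]
    msg2, mac2 = sign_transfer(wrong_zone, now)
    wrong_but_authentic = accept_transfer(msg2, mac2, now, now)

    # Case 4: a replay presented outside the fudge window is rejected.
    stale = accept_transfer(msg, mac, now, now + FUDGE + 1)

    return {"genuine": genuine,
            "tampered_in_transit": tampered,
            "wrong_data_from_configured_server": wrong_but_authentic,
            "stale_replay": stale}


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Case 3 is the point of the reply: the transfer is accepted because it really did come from the server the secondary was configured to trust, which is all TSIG promises. Whether that server's copy of the zone is the right one is a question about the server, and answering it takes DNSSEC validation of the records themselves.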