[nsd-users] NSD 4.3.7 released

A. Schulze sca at andreasschulze.de
Sat Jul 31 14:45:15 UTC 2021

Am 22.07.21 um 16:26 schrieb Wouter Wijngaards via nsd-users:

> For zone transfer TLS can be turned on by specifying the tls-auth-name
> in the request-xfr config option, like
> request-xfr: NOKEY ns.example.com
> With the tls-cert-bundle option, in the server section, the list of
> certificates for authenticating the transfers over TLS can be configured.


thanks for XoT in NSD. Now AXFR over TLS is possible. I ask myself if it makes sense
to enforce TLS for zone transfer. This would require support to actively
deny AXFR on non-tls connections.

I see these options:

1) simply deny plaintext
   For this it would be enough, if the 'provide-xfr' statement would
   understand a new directive like 'require-tls', 'disable-plaintext' or simply 'tls'

2) require mutual TLS
   as an enhancement to 1) 'provide-xfr' could understand a new directive
   'tls-auth'. The NSD requesting a AXFR via TLS must send it's own
   TLS certificate. The NSD providing AXFR must check the certificate
   against it's tls-cert-bundle.

3) for some installations only point-to-point connections are configured
   In this case <ip-spec> in 'provide-xfr' is a plain IP address, not a subnet.
   Then it could be possible to also check the client's auth-name.

does this make sense?


More information about the nsd-users mailing list