[nsd-users] NSD 4.3.7 released
A. Schulze
sca at andreasschulze.de
Sat Jul 31 14:45:15 UTC 2021
On 22.07.21 at 16:26, Wouter Wijngaards via nsd-users wrote:
> For zone transfer TLS can be turned on by specifying the tls-auth-name
> in the request-xfr config option, like
> request-xfr: 192.0.2.1 NOKEY ns.example.com
> With the tls-cert-bundle option, in the server section, the list of
> certificates for authenticating the transfers over TLS can be configured.
Hello,
thanks for XoT in NSD. Now AXFR over TLS is possible. I ask myself if it makes sense
to enforce TLS for zone transfers. This would require support to actively
deny AXFR on non-TLS connections.
I see these options:
1) simply deny plaintext
For this it would be enough if the 'provide-xfr' statement understood
a new directive like 'require-tls', 'disable-plaintext' or simply 'tls'.
2) require mutual TLS
as an enhancement to 1), 'provide-xfr' could understand a new directive
'tls-auth'. The NSD requesting an AXFR via TLS must send its own
TLS certificate. The NSD providing AXFR must check the certificate
against its tls-cert-bundle.
3) for some installations only point-to-point connections are configured
In this case <ip-spec> in 'provide-xfr' is a plain IP address, not a subnet.
Then it could be possible to also check the client's auth-name.
does this make sense?
Andreas