[Unbound-users] TSIG for forward-zones?
wouter at NLnetLabs.nl
Mon Dec 12 11:14:18 UTC 2011
On 11/22/2011 03:22 PM, Jan-Piet Mens wrote:
> are there any plans to add TSIG to forward-zones (also ".") in
There are no plans.
> I have a requirement for deploying Unbound on workstations to have
> access to a number of "private" zones (currently served by BIND).
> Access to the server is protected by TSIG keys.
> I note TSIG support appears to be implemented in LDNS, so I'm
> asking whether Unbound can add that functionality to provide
> something like this:
> key:
>     name: "jp-key"
>     algorithm: hmac-md5
>     secret:
> forward-zone:
>     name: "example.com"
>     key: "jp-key"
>     forward-addr:
> (Syntax for key swiped from NSD :)
It is a well-thought-out idea. It would be an extensive implementation,
because everyone will want 'full support' instead of only what you
need. And this is the feature-bloat in progress ...
There is in svn an option to secure transfers with SSL, and for
unbound to serve protected with SSL (this is for dnssec-trigger in
hotels, and currently experimental). But it encrypts that content (as
an aside, really, because it is meant to bypass DPI firewalls, it does
not even check the SSL key right now, which would be needed for
security in your case).
I am not really sure what would be the right solution here. Feature
creep versus usefulness... Signing answers from cache with TSIG keys
would impact the performance for people that do not use TSIG.
> -JP
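What the thread is asking Unbound to do on a forward-zone is exactly the TSIG request/response exchange of RFC 2845: sign each outgoing query with a shared HMAC key, and verify that the answer's TSIG covers the answer plus the request MAC. As an added illustration (not code from the thread, Unbound, LDNS or NSD), here is a minimal pure-Python TSIG signer and verifier working on raw DNS wire format. The key name "jp-key" and hmac-md5 are taken from JP's proposed config; the secret, message ID, timestamp and the example query are constructed for this example and are assumptions, as is the simplification that key and algorithm names are sent uncompressed.

```python
"""Minimal RFC 2845 TSIG signing/verification over raw DNS wire format.

Added example for the thread above; not Unbound, LDNS or NSD code.  The key
name and algorithm come from the proposed config; secret, IDs and timestamps
are constructed.  Key/algorithm names are assumed to be sent uncompressed.
"""
import hashlib
import hmac
import secrets
import struct
import time

# Algorithm names as they appear on the wire (RFC 2845 / RFC 4635).
TSIG_ALGS = {"hmac-md5.sig-alg.reg.int.": hashlib.md5, "hmac-sha256.": hashlib.sha256}
TYPE_TSIG, CLASS_ANY = 250, 255


def encode_name(name):
    """Uncompressed wire form of a domain name, lowercased (canonical form)."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf, off):
    """Read an uncompressed name at off -> (name with trailing dot, next offset)."""
    labels = []
    while buf[off] != 0:
        n = buf[off]
        if n & 0xC0:
            raise ValueError("compressed TSIG/algorithm names are not handled here")
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def skip_name(buf, off):
    """Advance past a name; a compression pointer (2 bytes) terminates it."""
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n


def build_query(qname, qtype=1, msg_id=None):
    """Standard query (RD set) with one question and no other records."""
    if msg_id is None:
        msg_id = secrets.randbelow(1 << 16)
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def tsig_variables(key_name, alg, time_signed, fudge, error=0, other=b""):
    """The TSIG variables covered by the MAC (RFC 2845 s3.4.2), canonical form."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(alg)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other)) + other)


def tsig_sign(msg, key_name, alg, secret, time_signed=None, fudge=300, request_mac=b""):
    """Append a TSIG RR to msg; pass request_mac when signing a response so the
    answer is bound to the query it answers.  Returns (signed_message, mac)."""
    if time_signed is None:
        time_signed = int(time.time())
    # MAC input: [len + request MAC] + message as sent minus TSIG + TSIG variables.
    data = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    data += msg + tsig_variables(key_name, alg, time_signed, fudge)
    mac = hmac.new(secret, data, TSIG_ALGS[alg]).digest()
    original_id = struct.unpack("!H", msg[:2])[0]
    rdata = (encode_name(alg)
             + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
             + struct.pack("!H", len(mac)) + mac + struct.pack("!HHH", original_id, 0, 0))
    rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr, mac


def tsig_verify(signed, keys, now=None, request_mac=b""):
    """Verify the trailing TSIG RR against keys {"name.": secret}.
    Returns (ok, status) with the TSIG error names; checks key, then MAC, then time."""
    if now is None:
        now = int(time.time())
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    if ar == 0:
        return False, "NOTSIG"
    off = 12
    for _ in range(qd):
        off = skip_name(signed, off) + 4
    start = off
    for _ in range(an + ns + ar):  # TSIG must be the last RR of the message
        start = off
        off = skip_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    key_name, p = decode_name(signed, start)
    rtype = struct.unpack("!H", signed[p:p + 2])[0]
    p += 10
    if rtype != TYPE_TSIG:
        return False, "NOTSIG"
    alg, p = decode_name(signed, p)
    hi, lo, fudge = struct.unpack("!HIH", signed[p:p + 8])
    p += 8
    mac_size = struct.unpack("!H", signed[p:p + 2])[0]
    mac = signed[p + 2:p + 2 + mac_size]
    p += 2 + mac_size
    original_id, error, other_len = struct.unpack("!HHH", signed[p:p + 6])
    other = signed[p + 6:p + 6 + other_len]
    key_name, alg = key_name.lower(), alg.lower()
    if key_name not in keys or alg not in TSIG_ALGS:
        return False, "BADKEY"  # unknown key or unsupported algorithm
    # Rebuild the message as it was when signed: original ID, ARCOUNT-1, no TSIG RR.
    unsigned = (struct.pack("!H", original_id) + signed[2:10]
                + struct.pack("!H", ar - 1) + signed[12:start])
    data = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    data += unsigned + tsig_variables(key_name, alg, (hi << 32) | lo, fudge, error, other)
    expected = hmac.new(keys[key_name], data, TSIG_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, mac):
        return False, "BADSIG"
    if abs(now - ((hi << 32) | lo)) > fudge:
        return False, "BADTIME"
    return True, "NOERROR"


if __name__ == "__main__":
    KEYS = {"jp-key.": b"constructed-example-secret"}  # constructed; use a random secret
    query = build_query("example.com.", msg_id=0x1234)
    signed, mac = tsig_sign(query, "jp-key.", "hmac-md5.sig-alg.reg.int.", KEYS["jp-key."])
    print(tsig_verify(signed, KEYS))
```

The verifier rebuilds the unsigned message from the Original ID and a decremented ARCOUNT, so it tolerates an intermediary rewriting the header ID, and it compares the MAC before the timestamp, which keeps BADTIME from leaking anything to a sender who does not hold the key. A response is only accepted when the verifier supplies the MAC of the query it sent, which is the binding a forwarder client would rely on.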