Daniel,

In trying to set up our secure home gateway project to have the external zone & 
primary DNS server set up and managed on the gateway itself and to XFR back to 
secondary name servers somewhere, it turned out not to be functional or practical: 
first, the gateway does not know for sure which external NS are used by the 
secondary DNS service; second, the IPs of the WAN port might not be the 
internet-facing IPs, and this could break inbound connectivity.  We’re looking 
at using dynamic DNS updates for things that need internet connectivity, and 
having the primary DNS server on the mainland.   TSIG & DNS over TLS look like a 
good option to look at.

Jacques



From: homenet <[email protected]> On Behalf Of Daniel Migault
Sent: June 7, 2019 4:03 PM
To: homenet <[email protected]>
Subject: [EXT] [homenet] securing zone transfer

Hi,

The front end naming architecture uses a primary and a secondary DNS server to 
synchronize a zone. The expected exchanges are (SOA, NOTIFY, IXFR, AXFR). We 
would like to get feedback from the working group on what is the most 
appropriate way to secure this channel.

Options we have considered are TSIG, IPsec, TLS, DTLS. TSIG does not provide 
confidentiality, and we would rather go for user space security.  Are there any 
recommendations for using TLS or DTLS in that case?

Any thoughts would be helpful.

Yours,
Daniel
_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
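As an added illustration of the TSIG point raised in both messages (it is not code from either author or from the homenet project): a small pure-Python implementation of RFC 8945 TSIG signing and verification for an AXFR request. Signing appends an HMAC-SHA256 over the message plus the TSIG variables (key name, algorithm, time signed, fudge), and verification recomputes that MAC with the shared key and checks the time window, so a peer can reject a transfer request that was forged, altered or replayed outside the window. The question name is read straight off the signed wire bytes without the key, which is exactly the "no confidentiality" property Daniel describes. The zone name, key name, key bytes and signing time are constructed values for the demo.

```python
import hashlib
import hmac
import struct

# RFC 8945 / RFC 1035 constants
TSIG_TYPE = 250            # RR type TSIG
CLASS_ANY = 255            # TSIG RRs always carry class ANY and TTL 0
QTYPE_AXFR = 252
QCLASS_IN = 1
HMAC_SHA256_NAME = "hmac-sha256."

# Constructed demo values (a real deployment generates the key with a CSPRNG
# and signs with the current time).
DEMO_KEY = b"constructed-demo-key-not-for-real-use"
DEMO_KEY_NAME = "xfer-key.example."
DEMO_ZONE = "home.example."
DEMO_TIME = 1559937780     # seconds since the epoch, constructed


def encode_name(name):
    """Uncompressed wire-format name, lowercased (TSIG canonical form)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(buf, off):
    """Parse an uncompressed name; returns (dotted name, offset after it)."""
    labels = []
    while True:
        length = buf[off]
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", off


def skip_name(buf, off):
    """Skip a possibly compressed name (a 0xC0 pointer is two bytes)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def build_axfr_query(zone, msg_id):
    """Minimal AXFR query: 12-byte header with QDCOUNT=1 plus one question."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


def tsig_variables(key_name, algorithm, time_signed, fudge, error, other):
    """The 'TSIG variables' appended to the message before it is MACed."""
    return (encode_name(key_name)
            + struct.pack("!HI", CLASS_ANY, 0)          # class ANY, TTL 0
            + encode_name(algorithm)
            + time_signed.to_bytes(6, "big")            # 48-bit time signed
            + struct.pack("!HHH", fudge, error, len(other))
            + other)


def sign_message(message, key_name, key, time_signed, fudge=300):
    """Append a TSIG RR to a request (no prior MAC, so digest = message || variables)."""
    digest = message + tsig_variables(key_name, HMAC_SHA256_NAME, time_signed, fudge, 0, b"")
    mac = hmac.new(key, digest, hashlib.sha256).digest()
    original_id = struct.unpack("!H", message[:2])[0]
    rdata = (encode_name(HMAC_SHA256_NAME) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", original_id, 0, 0))       # original ID, error, other len
    tsig_rr = encode_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1    # TSIG lives in the additional section
    return message[:10] + struct.pack("!H", arcount) + message[12:] + tsig_rr


def verify_message(signed, key, now):
    """Return (ok, reason): recompute the MAC with the shared key, then check the time window."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    if ar == 0:
        return False, "no TSIG RR"
    off = 12
    for _ in range(qd):                       # walk past the question section
        off = skip_name(signed, off) + 4
    for _ in range(an + ns + ar - 1):         # and every RR before the trailing TSIG
        name_end = skip_name(signed, off)
        rdlen = struct.unpack("!H", signed[name_end + 8:name_end + 10])[0]
        off = name_end + 10 + rdlen
    tsig_start = off
    key_name, p = read_name(signed, off)
    rtype, rclass, _ttl, _rdlen = struct.unpack("!HHIH", signed[p:p + 10])
    p += 10
    if rtype != TSIG_TYPE or rclass != CLASS_ANY:
        return False, "last RR is not TSIG"
    algorithm, p = read_name(signed, p)
    time_signed = int.from_bytes(signed[p:p + 6], "big"); p += 6
    fudge, mac_size = struct.unpack("!HH", signed[p:p + 4]); p += 4
    mac = signed[p:p + mac_size]; p += mac_size
    original_id, error, other_len = struct.unpack("!HHH", signed[p:p + 6]); p += 6
    other = signed[p:p + other_len]
    if algorithm.lower() != HMAC_SHA256_NAME:
        return False, "unsupported algorithm"
    # Rebuild the message as it was before signing: original ID, ARCOUNT-1, TSIG RR removed.
    unsigned = struct.pack("!H", original_id) + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    expected = hmac.new(key, unsigned + tsig_variables(key_name, algorithm, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad MAC"
    if abs(now - time_signed) > fudge:
        return False, "outside time window"
    return True, "ok"


def question_name(signed):
    """Read the QNAME straight off the wire: TSIG authenticates but does not encrypt."""
    name, _ = read_name(signed, 12)
    return name


if __name__ == "__main__":
    query = build_axfr_query(DEMO_ZONE, 0x1234)
    signed = sign_message(query, DEMO_KEY_NAME, DEMO_KEY, DEMO_TIME)
    print("verify:", verify_message(signed, DEMO_KEY, DEMO_TIME + 10))
    print("zone visible without the key:", question_name(signed))
```

The verifier walks the question and every preceding RR so it also works on a real AXFR response carrying answer records; the time-window check is what limits replay of an old signed request, and a server that logs the "bad MAC" / "outside time window" reasons has a useful signal for detecting misconfigured or hostile peers. Confidentiality for the zone contents still has to come from the transport, which is where the TLS/DTLS question in the thread belongs.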
