Hi Jacques,

I agree the HNA cannot generate the full zone out of the box and needs some information such as the NS. It also needs some information to configure the primary / secondary relation, such as the IP of what we now call the Distribution Master. DNS update on a specific zone seems tempting, especially as there is code available for it. Though I might be biased, I am not sure we need TSIG. I need more thoughts.
Yours,
Daniel

On Tue, Jun 11, 2019 at 3:00 PM Jacques Latour <[email protected]> wrote:

> Daniel,
>
> In trying to set up our secure home gateway project to have the external
> zone & primary DNS server set up and managed on the gateway itself and to
> XFR back to secondary name servers somewhere turned out not to be functional
> or practical. First, the gateway does not know for sure which external NS
> are used by the secondary DNS service; second, the IPs of the WAN port might
> not be the internet-facing IPs and this could break inbound connectivity.
> We’re looking at using dynamic DNS updates for things that need internet
> connectivity, and have the primary DNS server on the mainland. TSIG &
> DNS over TLS look like a good option to look at.
>
> Jacques
>
> *From:* homenet <[email protected]> *On Behalf Of* Daniel Migault
> *Sent:* June 7, 2019 4:03 PM
> *To:* homenet <[email protected]>
> *Subject:* [EXT] [homenet] securing zone transfer
>
> Hi,
>
> The front end naming architecture uses a primary and a secondary DNS
> server to synchronize a zone. The expected exchanges are (SOA, NOTIFY,
> IXFR, AXFR). We would like to get feedback from the working group on what
> is the most appropriate way to secure this channel.
>
> Options we have considered are TSIG, IPsec, TLS, DTLS. TSIG does not
> provide confidentiality, and we would rather go for user space security.
> Are there any recommendations for using TLS or DTLS in that case?
>
> Any thoughts would be helpful.
>
> Yours,
> Daniel
> _______________________________________________
> homenet mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/homenet
