Thanks for the feedback.
> first, the gateway does not know for sure which external NS are used
> by the secondary DNS service,
Agreed. The draft needs to address how the service is bootstrapped and
auto-configured.
> second, the IPs of the WAN port might not be the internet-facing IPs
> and this could break inbound connectivity
I hope that we're going to be able to move past IP filtering as the
primary security mechanism for this draft.
Especially in the presence of renumbering.
regards,
Jacques Latour wrote on 11/06/2019 20:59:
Daniel,
In trying to set up our secure home gateway project to have the
external zone & primary DNS server set up and managed on the gateway
itself and to XFR back to secondary name servers somewhere, it turned
out not to be functional or practical: first, the gateway does not know
for sure which external NS are used by the secondary DNS service;
second, the IPs of the WAN port might not be the internet-facing IPs
and this could break inbound connectivity. We're looking at using
dynamic DNS updates for things that need internet connectivity, and
having the primary DNS server on the mainland. TSIG & DNS over TLS look
like a good option to look at.
Jacques
*From:* homenet <[email protected]> *On Behalf Of* Daniel Migault
*Sent:* June 7, 2019 4:03 PM
*To:* homenet <[email protected]>
*Subject:* [EXT] [homenet] securing zone transfer
Hi,
The front end naming architecture uses a primary and a secondary DNS
server to synchronize a zone. The expected exchanges are (SOA, NOTIFY,
IXFR, AXFR). We would like to get feedback from the working group on
what is the most appropriate way to secure this channel.
Options we have considered are TSIG, IPsec, TLS, DTLS. TSIG does not
provide confidentiality, and we would rather go for user space
security. Are there any recommendations for using TLS or DTLS in that
case?
Any thoughts would be helpful.
Yours,
Daniel
_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
--
regards,
RayH
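As an added example (not code from this thread or from the secure home gateway project), the Python below signs and verifies an RFC 8945 TSIG record over a constructed SOA query of the kind a secondary sends before IXFR/AXFR. It illustrates Daniel's point: TSIG binds the exchange to a shared key and a time window, but the zone name and the rest of the message stay in cleartext, so confidentiality has to come from TLS/DTLS or IPsec. The key name `xfer-key.`, the zone `home.example.` and the secret are assumptions, and the verifier covers the request side only (no request-MAC chaining for responses).

```python
import hmac, hashlib, struct
ALG, TSIG_TYPE, CLASS_ANY = "hmac-sha256.", 250, 255  # TSIG RR type 250, class ANY

def wire_name(name):
    # DNS wire form; lowercased because RFC 8945 digests names in canonical form
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def soa_query(txid, zone):
    # constructed SOA query: the serial check a secondary sends before IXFR/AXFR
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + wire_name(zone) + struct.pack("!HH", 6, 1)

def _tsig_digest(msg, key_name, time_signed, fudge):
    # RFC 8945 4.3: message without the TSIG RR, then the TSIG variables (error 0, no Other Data: a request)
    var = wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(ALG)
    return msg + var + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, 0, 0)

def tsig_sign(msg, key_name, key, time_signed, fudge=300):
    # appends a TSIG RR; the message is authenticated but stays in cleartext
    mac = hmac.new(key, _tsig_digest(msg, key_name, time_signed, fudge), hashlib.sha256).digest()
    rdata = wire_name(ALG) + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
    rdata += mac + msg[:2] + struct.pack("!HH", 0, 0)  # original ID, error, other len
    rr = wire_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr

def _skip_name(buf, off):
    while off < len(buf) and buf[off]:  # no compression pointers in the constructed messages
        off += buf[off] + 1
    return off + 1

def tsig_verify(signed, key_name, key, now):
    # request-side check: last RR is a TSIG RR for key_name, MAC matches, Time Signed within fudge of now
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(signed, off) + 4
    for _ in range(an + ns + ar - 1):  # skip the RRs that precede the TSIG RR
        off = _skip_name(signed, off) + 8
        off += 2 + struct.unpack("!H", signed[off:off + 2])[0]
    start, off = off, _skip_name(signed, off)
    if signed[start:off] != wire_name(key_name) or signed[off:off + 2] != struct.pack("!H", TSIG_TYPE):
        return False  # unsigned message, wrong key name, or last RR is not TSIG
    off = _skip_name(signed, off + 10)  # past type/class/ttl/rdlength and the algorithm name
    hi, lo, fudge, maclen = struct.unpack("!HIHH", signed[off:off + 10])
    time_signed, mac = hi << 32 | lo, signed[off + 10:off + 10 + maclen]
    msg = signed[:10] + struct.pack("!H", ar - 1) + signed[12:start]  # message as it was signed
    expect = hmac.new(key, _tsig_digest(msg, key_name, time_signed, fudge), hashlib.sha256).digest()
    return hmac.compare_digest(mac, expect) and abs(now - time_signed) <= fudge
```

The zone name remains readable in the signed message, which is exactly why TSIG alone does not give the confidentiality the thread asks about.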