Hello Mohamed, On Oct 21, 2011, at 10:31 , Mohamed Lrhazi wrote:
> Could some explain a bit more what the risks are, that this warning is > referring to: > > http://doc.powerdns.com/tsig-outbound-notify-axfr.html > > Warning > PowerDNS for now only verifies the TSIG signature on the first AXFR > 'message', which helps for access control, but does not provide 100.0% > protection of subsequent AXFR zone content messages. > > Is this saying that one would not be protected from content > modification/injection with this feature enabled? > > If so, what would be my options to secure slave/master communication, > with pdns acting as slave? I have checked the relevant code, and the answer is: yes, one would not be protected from content modification/injection. An attacker that can modify TCP-streams between master and slave can inject records. Options to secure master/slave communication include: - making sure the transfer happens over some kind of VPN (OpenSSH, IPSEC) - using MySQL-replication (with SSL!) instead of AXFR Kind regards, Peter van Dijk _______________________________________________ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
