Hi Zdeněk,

PowerDNS's supermaster/superslave functionality is only based on IP-address security. Securing that with TSIG is a good idea, but it is not in PowerDNS.

You can submit feature requests on http://wiki.powerdns.com/trac
The username/password is on the front page.

Kind regards,
Ruben

On Thu, Jan 03, 2013 at 03:45:17PM -0000, Zdeněk Bělehrádek wrote:
> Hi,
>
> our company runs two authoritative DNS servers, currently we use
> BIND. Some time ago we found out about PowerDNS and are exploring its
> benefits, like simpler administration of zones and easy to use
> DNSSEC.
>
> Some of our customers use one of our servers as backup of their own
> DNS. We would like to configure our own server as superslave so we
> won't have to tediously add all the new domains they add.
>
> I don't like the idea of sending AXFR data totally unsecured. PowerDNS
> checks IP address, but I don't consider it safe enough. Today, we
> sign all the transfers with TSIG. From what I read in the manual,
> you have to assign TSIG key to zone before you can use it.
> Superslave doesn't know anything about zones - its point is to create
> zone when notified.
>
> We considered using IPSec, but it is definitely not simple to
> manage. I read something about Lua, but I am trying to avoid Lua
> scripting because I don't have any experience with it.
>
> Is there any way to sign superslave notifications, or at least
> following transfers, so attacker won't be able to send his own zones
> to our servers? Ideally the ones that use only PowerDNS and backing
> database.
>
> With Regards,
> Zdeněk Bělehrádek
>
> --
> mysql> SELECT * FROM date WHERE d IS NULL AND d IS NOT NULL;
> +---------------------+
> | d                   |
> +---------------------+
> | 0000-00-00 00:00:00 |
> +---------------------+
> 1 row in set (0.00 sec)
> _______________________________________________
> Pdns-users mailing list
> [email protected]
> http://mailman.powerdns.com/mailman/listinfo/pdns-users
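What TSIG-authenticating a NOTIFY involves, as an added example that is not part of the thread and not PowerDNS code (per the reply above, PowerDNS does not do this for supermaster notifications): the receiver selects the secret by the key name carried with the message rather than by zone, so the check works for a zone that does not exist yet. The key name, secret, zone names and timestamp are constructed; the MAC input follows the RFC 2845 request layout with HMAC-SHA256, and the wire encoding of the TSIG record itself is left out.

```python
import hashlib, hmac, struct

def wire_name(name):
    """Encode a domain name in lowercase, uncompressed DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def notify_message(zone, msg_id):
    """Build a minimal NOTIFY request: opcode 4, AA set, one SOA/IN question."""
    header = struct.pack("!HHHHHH", msg_id, 0x2400, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", 6, 1)

def tsig_mac(message, key_name, secret, time_signed, fudge=300):
    """HMAC-SHA256 over the unsigned message followed by the TSIG variables."""
    variables = (
        wire_name(key_name)
        + struct.pack("!HI", 255, 0)            # CLASS=ANY, TTL=0
        + wire_name("hmac-sha256")              # algorithm name
        + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
        + struct.pack("!HH", 0, 0)              # error=0, other-len=0
    )
    return hmac.new(secret, message + variables, hashlib.sha256).digest()

def accept_notify(message, key_name, time_signed, mac, keyring, now, fudge=300):
    """Accept only a known key, a timestamp within fudge, and a matching MAC."""
    secret = keyring.get(key_name.lower().rstrip("."))
    if secret is None or abs(now - time_signed) > fudge:
        return False
    expected = tsig_mac(message, key_name, secret, time_signed, fudge)
    return hmac.compare_digest(expected, mac)

# Constructed sample data: one shared key per customer master, looked up by key name.
KEYRING = {"customer1-key": b"constructed-shared-secret-not-real"}
SIGNED_AT = 1357227917  # constructed timestamp
```

Because the MAC covers the question section, a notification for a different zone name fails verification even when it reuses a captured MAC from the permitted source address.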
