Hi Jan-Piet,

On 11/22/2011 03:22 PM, Jan-Piet Mens wrote:
> Hello,
>
> are there any plans to add TSIG to forward-zones (also ".") in
> Unbound?

There are no plans.

> I have a requirement for deploying Unbound on workstations to have
> access to a number of "private" zones (currently served by BIND).
> Access to the server is protected by TSIG keys.
>
> I note TSIG support appears to be implemented in LDNS, so I'm
> asking whether Unbound can add that functionality to provide
> something like this:
>
>     key:
>         name: "jp-key"
>         algorithm: hmac-md5
>         secret: "dRNZ....42y8+Lt1j46tA1w=="
>
>     forward-zone:
>         name: "example.com"
>         key: "jp-key"
>         forward-addr: 192.0.2.68
>
> (Syntax for key swiped from NSD :)

It is a well thought out idea. Would be an extensive implementation
because everyone will want 'full support' instead of only what you
need. And this is the feature-bloat in progress ...

There is in svn an option to secure transfers with SSL, and for
unbound to serve protected with SSL (this is for dnssec-trigger in
hotels, and currently experimental). But it encrypts that content (as
an aside, really, because it is meant to bypass DPI firewalls, it does
not even check the SSL key right now, which would be needed for
security in your case).

I am not really sure what would be the right solution here. Feature
creep versus usefulness... Signing answers from cache with TSIG keys
would impact the performance for people that do not use TSIG.

Best regards,
Wouter

> Regards,
>
> -JP
> _______________________________________________
> Unbound-users mailing list
> [email protected]
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
