bind-users-bounce@isc.org wrote on 10/06/2004 06:59:09 AM:
> Hello everyone,
>
> I am exploring the possibilities TSIG offers; for the environment I work
> in TSIG seems fine, since it is easy to set up and offers a reasonable degree
> of security from employees doing zone transfers or hammering my machines
> with recursive queries.
>
> And since I am about to use TSIG as widely as possible, I would like to know
> if there are any reasons not to use TSIG.
>
> I can think of just one: TSIG cannot be used to verify zone-content the way DNSSEC
> can. Also, regular queries don't get covered by this.


I do not consider the fact that TSIG can't verify zone content a check in
the minus column. There are a great number of things that TSIG does not
do by design. Verifying zone content is one of them. Others are (in no
particular order):

Making coffee
Tying my shoes
Negotiate SSL connections
etc...


TSIG does a great job at what it is designed to do (imho).

However, if you are interested in interoperation in a Windows environment
for DDNS updates, you may want to look at this:

http://www.microsoft.com/windows2000...f_imp_eqjg.asp

Specifically, skip to the section on "DNS Standards for Secure Dynamic
Update".


hth,


Dave...


>
> But otherwise?
> (In case it matters, we currently have a test setup where TSIG is used for
> "allow-transfer {}" and "allow-notify {}".)
>
> Benjamin Walkenhorst
>