wrote on 10/06/2004 06:59:09 AM:
> Hello everyone,
> I am exploring the possibilities TSIG offers; for the environment I work
> in TSIG seems fine, since it is easy to set up and offers a reasonable

> of security from employees doing zone transfers or hammering my machines
> with recursive queries.
> And since I am about to use TSIG as widely as possible, I would like to

> if there are any reasons not to use TSIG.
> I can think of just one: TSIG cannot be used to verify zone-content the

> can. Also, regular queries don't get covered by this.

I do not consider the fact that TSIG can't verify zone content a check in
the minus column. There are a great number of things that TSIG does not
do by design. Verifying zone content is one of them. Others are (in no
particular order):

Making coffee
Tying my shoes
Negotiating SSL connections

TSIG does a great job at what it is designed to do (imho).

However, if you are interested in interoperation in a Windows environment
for DDNS updates, you may want to look at this:

Specifically, skip to the section on "DNS Standards for Secure Dynamic



> But otherwise?
> (In case it matters, we currently have a test setup where TSIG is used

> "allow-transfer {}" and "allow-notify {}".)
> Benjamin Walkenhorst