Re: Do I need TSIG for zone transfer on an intranet env? - DNS



Thread: Re: Do I need TSIG for zone transfer on an intranet env?

  1. Re: Do I need TSIG for zone transfer on an intranet env?

    April wrote:
    > is it too much? ACL should do the job?
    >

    Perhaps you should ask such questions of your Chief Security Officer, or
    on a security-related list. Is source-address-based security sufficient
    on an intranet? How much security is enough security, and where does it
    cross the line into overkill?


    - Kevin



  2. Re: Do I need TSIG for zone transfer on an intranet env?

    On Wed, Jun 28, 2006 at 06:15:31PM -0700, April wrote:
    >
    > that's true .. however how many people in Security really know DNS? ;-)
    >
    > What I should ask probably is in general, should ACL or TSIG be
    > implemented in an intranet env?


    I do. It helps me check off a box that someone comes to ask me about
    every once in a while, and it is virtually no trouble at all.

    The trouble comes when you need to schedule regular key updates, and
    figuring out how to do that if you don't have remote 'ssh' access
    yourself.

    --
    Joe Yao
    -----------------------------------------------------------------------
    This message is not an official statement of OSIS Center policies.



  3. Re: Do I need TSIG for zone transfer on an intranet env?


    Sounds like you are the person also working on DNS, which is quite
    different from the Security people working in a large enterprise.

    However, if you implement TSIG, then you may have to come back using
    ACL to allow Windows DNS for zone transfer. My understanding is that
    Windows DNS will not support TSIG to do zone transfer from BIND?

    Joseph S D Yao wrote:
    > On Wed, Jun 28, 2006 at 06:15:31PM -0700, April wrote:
    > >
    > > that's true .. however how many people in Security really know DNS? ;-)
    > >
    > > What I should ask probably is in general, should ACL or TSIG be
    > > implemented in an intranet env?

    >
    > I do. It helps me check off a box that someone comes to ask me about
    > every once in a while, and it is virtually no trouble at all.
    >
    > The trouble comes when you need to schedule regular key updates, and
    > figuring out how to do that if you don't have remote 'ssh' access
    > yourself.
    >
    > --
    > Joe Yao
    > -----------------------------------------------------------------------
    > This message is not an official statement of OSIS Center policies.
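
    An added example, not posted by anyone in this thread, showing what the two positions above look like in BIND 9 configuration: Joe's point that TSIG itself is cheap but scheduled key rotation needs planning, and April's point that a Windows DNS secondary still has to be admitted by source address. The zone name (corp.example), addresses (10.0.0.1 primary, 10.0.0.5 BIND secondary, 10.0.0.6 Windows secondary), key names and the placeholder secrets are all assumptions for illustration; real secrets come from tsig-keygen.

    ```conf
    // Added example, not from the original thread. Zone, addresses and key names
    // are assumptions; the "secret" values are placeholders, not usable keys.
    // Older BIND releases spell type primary/secondary and primaries as
    // master/slave/masters; the semantics are the same.

    // ======== primary, ns1 (10.0.0.1) ========

    // Address-only control. Anything that can spoof or squat on 10.0.0.5 on the
    // intranet can pull the whole zone; this is the "ACL should do the job" option.
    acl "secondaries-by-address" { 10.0.0.5; 10.0.0.6; };

    // Current transfer key shared with the BIND secondary. Keep the file holding
    // it readable only by the named user (e.g. mode 0640) and include it from
    // named.conf rather than pasting the secret into the main file.
    key "ns1-ns2-xfer" {
        algorithm hmac-sha256;
        secret "PLACEHOLDER-REPLACE-WITH-tsig-keygen-OUTPUT=";
    };

    // Next key, provisioned ahead of the scheduled rotation. The primary accepts
    // both during the overlap, the secondary is switched over, then this block
    // is renamed to the current key and the old one is deleted.
    key "ns1-ns2-xfer-next" {
        algorithm hmac-sha256;
        secret "PLACEHOLDER-REPLACE-WITH-tsig-keygen-OUTPUT-2=";
    };

    zone "corp.example" {
        type primary;
        file "corp.example.db";

        // Weak form, for comparison only: allow-transfer { secondaries-by-address; };

        allow-transfer {
            // Windows DNS secondary: admitted by address alone, since it does not
            // sign its AXFR/IXFR requests with a shared-secret TSIG key.
            10.0.0.6;

            // BIND secondary: must come from 10.0.0.5 AND present a valid key.
            // An address-match list ORs its elements, so AND is expressed with
            // the nested negation: any source other than 10.0.0.5 matches the
            // inner list, is negated by the outer "!", and is rejected here.
            !{ !10.0.0.5; any; };
            key "ns1-ns2-xfer";
            key "ns1-ns2-xfer-next";
        };

        also-notify { 10.0.0.5; 10.0.0.6; };
    };

    // ======== BIND secondary, ns2 (10.0.0.5) ========

    key "ns1-ns2-xfer" {
        algorithm hmac-sha256;
        secret "PLACEHOLDER-REPLACE-WITH-tsig-keygen-OUTPUT=";
    };

    // Sign every message sent to the primary (transfer requests and NOTIFY
    // responses) with this key. At rotation time this is the one line that
    // changes on the secondary, followed by "rndc reconfig".
    server 10.0.0.1 {
        keys { "ns1-ns2-xfer"; };
    };

    zone "corp.example" {
        type secondary;
        file "corp.example.db";
        primaries { 10.0.0.1; };
        // Do not re-serve the zone to anyone else.
        allow-transfer { none; };
    };
    ```

    To check the result, run an unsigned `dig @10.0.0.1 corp.example AXFR` from a host that is not 10.0.0.6; it should be refused. The same query from 10.0.0.5 should succeed only when signed, e.g. with `dig -y hmac-sha256:ns1-ns2-xfer:<secret> @10.0.0.1 corp.example AXFR`. The rotation order that avoids a gap is: add the next key on the primary, `rndc reconfig`; install it on the secondary and change the `server` statement, `rndc reconfig`; confirm a signed transfer completed; then remove the old `key` block from the primary. If the secondary is switched before the primary accepts the new key, transfers fail with a BADKEY error until one side is fixed, which is the scheduling problem Joe describes when nobody with remote access is available.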



