Maintained by: NLnet Labs

[Unbound-users] TSIG for forward-zones?

W.C.A. Wijngaards
Mon Dec 12 12:14:18 CET 2011



Hi Jan-Piet,

On 11/22/2011 03:22 PM, Jan-Piet Mens wrote:
> Hello,
> 
> are there any plans to add TSIG to forward-zones (also ".") in
> Unbound?

There are no plans.

> I have a requirement for deploying Unbound on workstations to have 
> access to a number of "private" zones (currently served by BIND).
> Access to the server is protected by TSIG keys.
> 
> I note TSIG support appears to be implemented in LDNS, so I'm
> asking whether Unbound can add that functionality to provide
> something like this:
> 
> key:
>   name: "jp-key"
>   algorithm: hmac-md5
>   secret: "dRNZ....42y8+Lt1j46tA1w=="
> 
> forward-zone:
>   name: "example.com"
>   key: "jp-key"
>   forward-addr: 192.0.2.68
> 
> (Syntax for key swiped from NSD :)

It is a well thought out idea.  Would be an extensive implementation
because everyone will want 'full support' instead of only what you
need.  And this is the feature-bloat in progress ...

There is in svn an option to secure transfers with SSL, and for
unbound to serve protected with SSL (this is for dnssec-trigger in
hotels, and currently experimental).  But it encrypts that content (as
an aside, really, because it is meant to bypass DPI firewalls, it does
not even check the SSL key right now, which would be needed for
security in your case).

I am not really sure what would be the right solution here.  Feature
creep versus usefulness...  Signing answers from cache with TSIG keys
would impact the performance for people that do not use TSIG.

Best regards,
   Wouter

> Regards,
> 
> -JP
> 
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users

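To make concrete what the thread is asking for (TSIG on the forwarder's queries) and what Wouter's performance remark refers to (one HMAC over the entire message for every packet signed), here is an added, self-contained example of RFC 2845 TSIG signing and verification in Python. It is not code from Unbound, LDNS or NSD. It assumes: a constructed secret and timestamp (not real key material), the hmac-sha256 algorithm for the demonstration (hmac-md5, the algorithm in the quoted config, is kept in the table only to match the thread; its wire name is hmac-md5.sig-alg.reg.int.), and a minimal message parser that handles questions, plain RRs and name-compression pointers but no EDNS or request-MAC chaining for responses.

```python
import hmac
import hashlib
import struct

# RFC 2845 constants. Added example, not Unbound or LDNS code.
TSIG_TYPE = 250
CLASS_ANY = 255
# Wire algorithm names; hmac-md5 appears only because the quoted config uses it.
ALGORITHMS = {"hmac-md5.sig-alg.reg.int.": hashlib.md5, "hmac-sha256.": hashlib.sha256}

def encode_name(name):
    """Dotted name -> uncompressed wire format, lowercased (canonical form for the MAC)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(buf, off):
    """Read a wire-format name (following compression pointers); return (name, next offset)."""
    labels, end = [], None
    while True:
        l = buf[off]
        if l & 0xC0 == 0xC0:                       # compression pointer: jump, remember return point
            end = off + 2 if end is None else end
            off = ((l & 0x3F) << 8) | buf[off + 1]
            continue
        off += 1
        if l == 0:
            break
        labels.append(buf[off:off + l].decode("ascii"))
        off += l
    return ".".join(labels) + ".", (off if end is None else end)

def build_query(msg_id, qname, qtype=1):
    """Constructed minimal DNS query: header plus one question, RD set, no other sections."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """The 'TSIG variables' appended to the message before hashing (RFC 2845 section 3.4.2)."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(algorithm) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_sign(message, key_name, algorithm, secret, time_signed, fudge=300):
    """Append a TSIG RR to an unsigned message: one HMAC over the whole message per packet."""
    digest = ALGORITHMS[algorithm]
    mac = hmac.new(secret, message + tsig_variables(key_name, algorithm, time_signed, fudge), digest).digest()
    orig_id = struct.unpack("!H", message[:2])[0]
    rdata = (encode_name(algorithm) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac + struct.pack("!HHH", orig_id, 0, 0))
    rr = encode_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1        # the TSIG RR counts in ARCOUNT
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr

def strip_tsig(signed):
    """Locate the trailing TSIG RR; return the message as it was before signing plus the TSIG fields."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    if ar == 0:
        raise ValueError("no additional records, so no TSIG")
    off = 12
    for _ in range(qd):
        off = decode_name(signed, off)[1] + 4                   # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        last = off
        p = decode_name(signed, off)[1]
        off = p + 10 + struct.unpack("!H", signed[p + 8:p + 10])[0]
    name, p = decode_name(signed, last)
    if struct.unpack("!H", signed[p:p + 2])[0] != TSIG_TYPE or off != len(signed):
        raise ValueError("last RR is not a TSIG record")
    p += 10                                                      # type, class, ttl, rdlength
    algorithm, p = decode_name(signed, p)
    time_signed = int.from_bytes(signed[p:p + 6], "big"); p += 6
    fudge, maclen = struct.unpack("!HH", signed[p:p + 4]); p += 4
    mac = signed[p:p + maclen]; p += maclen
    orig_id, error, otherlen = struct.unpack("!HHH", signed[p:p + 6]); p += 6
    other = signed[p:p + otherlen]
    # Restore original ID and ARCOUNT: that is exactly the byte string the signer hashed.
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:last]
    return unsigned, name.lower(), algorithm.lower(), time_signed, fudge, mac, error, other

def tsig_verify(signed, keys, now):
    """keys maps lowercase key name (trailing dot) to secret bytes. Returns (ok, TSIG error name)."""
    try:
        unsigned, name, alg, ts, fudge, mac, error, other = strip_tsig(signed)
    except (ValueError, IndexError, struct.error, UnicodeDecodeError):
        return False, "FORMERR"
    secret = keys.get(name)
    if secret is None or alg not in ALGORITHMS:
        return False, "BADKEY"
    expected = hmac.new(secret, unsigned + tsig_variables(name, alg, ts, fudge, error, other),
                        ALGORITHMS[alg]).digest()
    if not hmac.compare_digest(expected, mac):      # constant-time comparison
        return False, "BADSIG"
    if abs(now - ts) > fudge:                       # replay window around Time Signed
        return False, "BADTIME"
    return True, "NOERROR"
```

A forwarder would call `tsig_sign` on each outgoing query and `tsig_verify` on each response; a server such as the BIND instance in the thread does the reverse. The verifier rejects a message whose key name is unknown before computing anything (BADKEY), compares the MAC in constant time (BADSIG), and only then checks the time window (BADTIME), so an attacker cannot learn from the error which of the two later checks would have failed without first holding the secret. The per-packet cost that Wouter mentions is the `hmac.new(...)` call over the full message plus the TSIG variables, which a cache would pay on every signed answer.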