[prev in list] [next in list] [prev in thread] [next in thread] 

List:       dns-operations
Subject:    [dns-operations] security-aware stub resolver
From:       patrik () frobbit ! se (=?ISO-8859-1?Q?Patrik_F=E4ltstr=F6m?=)
Date:       2008-05-23 14:39:57
Message-ID: 1A8A3753-0C73-4030-938A-161A8E078281 () frobbit ! se
[Download RAW message or body]


On 23 maj 2008, at 16.14, Edward Lewis wrote:

> E.g., there's not much need for TSIG if you are already performing  
> zone updates over a VPN.

ONLY if it is the case that the VPN and the TSIG security enclosure  
are both controlled by the same entity. Otherwise I definitely would  
use both. And, I am not a person that like doing what I call  
"inheriting" security from one layer in the protocol stack to another.

So yes, in some circumstances you can optimize, but in general most  
people have neither suspenders, nor belt... And I rather have both  
than none.

    Patrik


[prev in list] [next in list] [prev in thread] [next in thread]