Are there any plans to add TSIG to forward-zones (also ".") in Unbound?
I have a requirement for deploying Unbound on workstations to have
access to a number of "private" zones (currently served by BIND). Access
to the server is protected by TSIG keys.
I note TSIG support appears to be implemented in LDNS, so I'm asking
whether Unbound can add that functionality to provide something like
this:
> Are there any plans to add TSIG to forward-zones (also ".") in
> Unbound?
There are no plans.
> I have a requirement for deploying Unbound on workstations to have
> access to a number of "private" zones (currently served by BIND).
> Access to the server is protected by TSIG keys.
> I note TSIG support appears to be implemented in LDNS, so I'm
> asking whether Unbound can add that functionality to provide
> something like this:
It is a well thought out idea. It would be an extensive implementation,
because everyone will want 'full support' instead of only what you
need. And this is feature bloat in progress ...
There is in svn an option to secure transfers with SSL, and for
unbound to serve protected with SSL (this is for dnssec-trigger in
hotels, and currently experimental). But it encrypts that content (as
an aside, really, because it is meant to bypass DPI firewalls, it does
not even check the SSL key right now, which would be needed for
security in your case).
I am not really sure what would be the right solution here. Feature
creep versus usefulness... Signing answers from cache with TSIG keys
would impact the performance for people that do not use TSIG.
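To make concrete what "signing answers with TSIG keys" involves, here is an added example (not Unbound's or LDNS's code, and not part of the original thread) that builds a DNS query, appends a TSIG record per RFC 8945 with HMAC-SHA256, and verifies it the way a receiver such as BIND would, using only the Python standard library. The key name `ws-key.`, the secret, the query name and the timestamps are constructed for the demonstration; the per-message cost is one HMAC over the whole message plus the TSIG variables, which is the work Unbound would have to do for every cached answer it hands out.

```python
"""TSIG (RFC 8945) signing and verification of a DNS message, stdlib only.

Added illustration; not Unbound's or LDNS's code. Key name, secret, query
name and timestamps are constructed for the example.
"""
import hashlib
import hmac
import struct

TSIG_TYPE = 250
CLASS_ANY = 255
ALG_HMAC_SHA256 = "hmac-sha256."
KEY_NAME = "ws-key."                            # assumed key name
SECRET = b"0123456789abcdef0123456789abcdef"   # constructed, not a real secret


def encode_name(name):
    """Uncompressed wire-format name in canonical (lower-case) form."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(buf, off):
    """Return (dotted name, offset after it); follows compression pointers."""
    labels, end = [], None
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:                   # pointer: name continues elsewhere
            if end is None:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def make_query(qname, qtype=1, msg_id=0x1234):
    """Minimal recursive query: header plus one question."""
    return (struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, 1))


def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """Fields MACed together with the message (RFC 8945 section 4.3.3)."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(ALG_HMAC_SHA256)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign(msg, key_name, secret, time_signed, fudge=300):
    """Append a TSIG RR to an unsigned message and bump ARCOUNT."""
    mac = hmac.new(secret, msg + tsig_variables(key_name, time_signed, fudge),
                   hashlib.sha256).digest()
    rdata = (encode_name(ALG_HMAC_SHA256)
             + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
             + struct.pack("!HH", fudge, len(mac)) + mac
             + msg[0:2]                         # original message ID
             + struct.pack("!HH", 0, 0))        # error, other-len
    rr = (encode_name(key_name)
          + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata)
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr


def verify(signed, key_name, secret, now):
    """Return (ok, reason): key name, algorithm, MAC, then time window."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    if ar == 0:
        return False, "no TSIG record"
    off = 12
    for _ in range(qd):                         # skip question section
        _, off = read_name(signed, off)
        off += 4
    for _ in range(an + ns + ar - 1):           # skip every RR but the last
        _, off = read_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_off = off
    owner, off = read_name(signed, off)
    rtype, rclass, _ttl, _rdlen = struct.unpack("!HHIH", signed[off:off + 10])
    off += 10
    if rtype != TSIG_TYPE or rclass != CLASS_ANY:
        return False, "last record is not TSIG"
    if owner != key_name.lower():
        return False, "unknown key"
    alg, off = read_name(signed, off)
    if alg != ALG_HMAC_SHA256:
        return False, "unsupported algorithm"
    hi, lo = struct.unpack("!HI", signed[off:off + 6]); off += 6
    time_signed = (hi << 32) | lo
    fudge, mac_len = struct.unpack("!HH", signed[off:off + 4]); off += 4
    mac = signed[off:off + mac_len]; off += mac_len
    orig_id = signed[off:off + 2]; off += 2
    error, other_len = struct.unpack("!HH", signed[off:off + 4]); off += 4
    other = signed[off:off + other_len]
    # Rebuild the message as signed: original ID, TSIG removed from ARCOUNT.
    unsigned = orig_id + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:tsig_off]
    expected = hmac.new(secret, unsigned + tsig_variables(key_name, time_signed,
                        fudge, error, other), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # MAC before time (RFC 8945 5.2)
        return False, "bad signature"
    if abs(now - time_signed) > fudge:
        return False, "signature outside fudge window"
    return True, "ok"
```

A signed response would additionally prefix the request MAC (length-prefixed) to the data being MACed, and a real resolver must also keep the clock within the fudge window, which is why `verify` takes `now` as a parameter rather than reading the system clock.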