Date: Fri, 9 Apr 1999 10:26:24 +1000 (EST)
From: Bruce Campbell
To: Mark Newton
Cc: Grant Beckerleg, freebsd-security@FreeBSD.ORG
Subject: Re: ssh and scp
In-Reply-To: <199904080936.TAA11475@atdot.dotat.org>

On Thu, 8 Apr 1999, Mark Newton wrote:

> Grant Beckerleg wrote:
>
> > I am very new to FreeBSD and I have been asked
> > to investigate some security issues. I am not sure if this is FreeBSD
> > specific or a general OS question so please bear with me.
> > I use ssh to securely login to remote machines and I am looking into
> > secure transfer of DNS database records between nameservers.
>
> Maybe I'm missing something, but isn't that what zone transfers
> are for?

Yes and no. Sure, if you've got a clear path between the two machines, zone transfers, using BIND 8* features to tell the other nominated nameservers when a change of a zone occurs, it works.

If you operate a vaguely more secure network, or you are just paranoid about equipment failures, your master zone files are maintained behind a firewall, and then ssh (rsync specifically)'d out to your external nameserver.

Works for me, although I'll admit to being a bit shy of null-password RSA keys, which can be alleviated somewhat by restricting which hosts can use which keys.

--==--
Bruce.
host -t txt rcs.203.in-addr.arpa
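An added example, not part of the original message: one way to check the host restriction mentioned above is to audit the receiving account's authorized_keys file for keys that carry no `from=` option. It assumes the OpenSSH key-line format; the sample hosts, the key material and the `zone-receive` command are constructed placeholders.

```python
import re
# Assumption: OpenSSH key lines of the form "[options] keytype base64 [comment]".
KEY_TYPE = re.compile(r"(ssh-|ecdsa-sha2-|sk-)")
# One option: bare flag (no-pty) or name="value", value may hold \" escapes.
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(?:,|$)')

def split_options(line):
    """Return (options, rest); options is '' if the line starts at the key type."""
    if KEY_TYPE.match(line):
        return "", line
    in_quotes, i = False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and in_quotes:
            i += 2  # skip an escaped character inside a quoted value
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in " \t" and not in_quotes:
            return line[:i], line[i:].strip()
        i += 1
    return line, ""

def parse_options(opts):
    """Map option name -> value ('' for flags); commas inside quotes are kept."""
    return {m.group(1).lower(): m.group(2) or "" for m in OPTION.finditer(opts)}

def unrestricted_keys(text):
    """Return the comment (or line number) of each key lacking a from= option."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        if "from" not in parse_options(opts):
            fields = rest.split(None, 2)
            findings.append(fields[2] if len(fields) == 3 else f"line {n}")
    return findings

# Constructed sample: placeholder key material, hypothetical hosts and command.
SAMPLE = '''\
# key used by the internal master to push zone files
from="192.0.2.10,master.example.org",no-pty ssh-rsa AAAAPLACEHOLDER zonepush@master
ssh-rsa AAAAPLACEHOLDER backup@anywhere
command="/usr/local/sbin/zone-receive --quiet",no-pty ssh-ed25519 AAAAPLACEHOLDER sync@old
'''
if __name__ == "__main__":
    print(unrestricted_keys(SAMPLE))
```

A key with a forced `command=` but no `from=` is still reported, since it can be used from any host that holds the private key.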