Hi, I have a working hidden (super)master / slave arrangement where the slaves learn about their zones from the supermaster and AXFR. This works as expected. I was thinking however that it might be an extra bit of hardening if I could protect certain things, such as zone transfers and slave SOA checks, with a VPN. I know that TSIG will protect zone transfers, but for confidentiality across untrusted networks the VPN would be perfect. Also, SOA checks themselves have no confidentiality or integrity, so spoofed UDP can be injected here too. Maybe not the biggest fire, but just thinking what can be done here...
Ideally, what I'd want is for the hidden master and the slaves all to have a VPN between them, with the master and slaves having a shared private internal IP address range between them. This is easy to do with OpenVPN. The missing part seems to be the ability to explicitly state which source IP the master will use to notify the slaves. Maybe it's a different source IP per slave, in some setups. It would further be nice to tell the server to not even bother sending notifies to the NS records of the zone and instead use only an explicit notify list, also possibly per zone. I have tried various games with routing, NAT, fwmarks, and so forth, and I can bludgeon things into mostly - but not entirely - working. Lot of work for something that could more or less be automatic and with a lot less configuration if we just had additional config controls to set the above properties. Just my random thoughts. PowerDNS is awesome..

Mike-

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
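As an added configuration example (not part of the original post or a reply on the list), assuming a PowerDNS Authoritative version that provides the only-notify, also-notify, allow-axfr-ips, allow-notify-from and query-local-address settings, and an assumed OpenVPN range 10.8.0.0/24 with the master at 10.8.0.1 and slaves at 10.8.0.11 and 10.8.0.12: a pdns.conf pair that confines notifies, SOA checks and transfers to the VPN addresses rather than the zone's public NS records.

```ini
# --- pdns.conf on the hidden master (constructed example) ---
master=yes
# Source address for outgoing queries; assumption: the running version also
# sends NOTIFY packets from this address, so they originate inside the VPN
query-local-address=10.8.0.1
# Accept AXFR requests only from the slaves' VPN addresses. Leaving this at
# the default 0.0.0.0/0 would let any host on the untrusted network try
allow-axfr-ips=10.8.0.11,10.8.0.12
# only-notify filters the NS-derived notify targets: NS records whose
# address is outside this range are never notified. The default
# 0.0.0.0/0,::/0 notifies every NS of the zone over the public network
only-notify=10.8.0.0/24
# Explicit notify targets, always notified regardless of only-notify.
# The per-zone equivalent is ALSO-NOTIFY domain metadata
also-notify=10.8.0.11,10.8.0.12
# TSIG on the transfer itself is per-zone domain metadata, not pdns.conf:
# TSIG-ALLOW-AXFR on the master, AXFR-MASTER-TSIG on the slave

# --- pdns.conf on each slave (constructed example, first slave shown) ---
slave=yes
# SOA refresh queries and AXFR requests leave from the VPN address
query-local-address=10.8.0.11
# Only the master's VPN address may trigger a zone refresh via NOTIFY;
# the default 0.0.0.0/0 accepts NOTIFY from anywhere the master IP can be
# spoofed from
allow-notify-from=10.8.0.1
```

The supermaster entry on the slave (the supermasters table) must then list the master's VPN address 10.8.0.1, otherwise the slave keeps sending SOA checks to the master's public address outside the tunnel.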