[deployment-guide/comm-rel: 432/727] Updated the Transaction SIGnatures (TSIG) section.

Jaromir Hradilek jhradile at fedoraproject.org
Tue Oct 19 13:01:09 UTC 2010


commit 6a26709163d886c87cc0027ec0a3a43821545813
Author: Jaromir Hradilek <jhradile at redhat.com>
Date:   Thu Aug 19 11:24:46 2010 +0200

    Updated the Transaction SIGnatures (TSIG) section.

 en-US/The_BIND_DNS_Server.xml |   32 ++++++--------------------------
 1 files changed, 6 insertions(+), 26 deletions(-)
---
diff --git a/en-US/The_BIND_DNS_Server.xml b/en-US/The_BIND_DNS_Server.xml
index f48e389..9cb2c1e 100644
--- a/en-US/The_BIND_DNS_Server.xml
+++ b/en-US/The_BIND_DNS_Server.xml
@@ -1937,44 +1937,24 @@ ns.icann.org.           12884   IN      A       192.0.34.126
       </para>
     </section>
     <section id="s2-bind-features-tsig">
-      <title>TSIG</title>
+      <title>Transaction SIGnatures (TSIG)</title>
       <indexterm>
         <primary>BIND</primary>
         <secondary>features</secondary>
-        <tertiary>TSIG</tertiary>
+        <tertiary>Transaction SIGnature (TSIG)</tertiary>
       </indexterm>
       <para>
-        Short for <firstterm>Transaction SIGnatures</firstterm>, this feature allows a transfer from master to slave only after verifying that a shared secret key exists on both nameservers.
+        <firstterm>Transaction SIGnatures</firstterm> (TSIG) ensure that a shared secret key exists on both primary and secondary nameserver before allowing a transfer. This strengthens the standard IP address-based method of transfer authorization, since attackers would not only need to have access to the IP address to transfer the zone, but they would also need to know the secret key.
       </para>
       <para>
-        This feature strengthens the standard IP address-based method of transfer authorization. An attacker would not only need to have access to the IP address to transfer the zone, but they would also need to know the secret key.
-      </para>
-      <para>
-        BIND version 9 also supports <firstterm>TKEY</firstterm>, which is another shared secret key method of authorizing zone transfers.
-      </para>
-      <para>
-        More information about TSIG is available in the <citetitle>BIND 9 Administrator Reference Manual</citetitle> referenced in <xref linkend="s2-bind-installed-docs"/>, in chapter called <command>Advanced DNS features</command>.
+        Since version 9, BIND also supports <firstterm>TKEY</firstterm>, which is another shared secret key method of authorizing zone transfers.
       </para>
       <important>
-        <title>Caution</title>
+        <title>Important: Secure the Transfer</title>
         <para>
-          Master and slave nameservers which communicates over insecure network should avoid IP address-based authentication. They should use TSIG-based authentication instead.
+          When communicating over an insecure network, do not rely on IP address-based authentication only.
         </para>
       </important>
-      <!-- RHEL5:   ddomingo at redhat.com: above <variablelist> replaces following <itemizedlist>:
-      <itemizedlist>
-        <listitem>
-          <para><emphasis>DNSSEC</emphasis> &mdash; Short for <firstterm>DNS SECurity</firstterm>, this feature allows for zones to be cryptographically signed with a <firstterm>zone key</firstterm>.</para>
-          <para>In this way, the information about a specific zone can be verified as coming from a nameserver that has signed it with a particular private key, as long as the recipient has that nameserver's public key.</para>
-          <para>BIND version 9 also supports the SIG(0) public/private key method of message authentication.</para>
-        </listitem>
-        <listitem>
-          <para><emphasis>TSIG</emphasis> &mdash; Short for <firstterm>Transaction SIGnatures</firstterm>, this feature allows a transfer from master to slave only after verifying that a shared secret key exists on both nameservers.</para>
-          <para>This feature strengthens the standard IP address-based method of transfer authorization. An attacker would not only need to have access to the IP address to transfer the zone, but they would also need to know the secret key.</para>
-          <para>BIND version 9 also supports <firstterm>TKEY</firstterm>, which is another shared secret key method of authorizing zone transfers.</para>
-        </listitem>
-      </itemizedlist>
- -->
     </section>
     <section id="s2-bind-features-dnssec">
       <title>DNSSEC</title>
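Review bot: the rewritten `+` paragraph that replaces "Short for <firstterm>Transaction SIGnatures</firstterm>..." describes TSIG as merely ensuring "that a shared secret key exists on both primary and secondary nameserver", which understates what the feature does and drops the plural: TSIG signs each DNS message with an HMAC keyed by the shared secret, so the secondary proves possession of the key on every transfer request rather than the two servers simply both "having" it. Suggest: "<firstterm>Transaction SIGnatures</firstterm> (TSIG) authenticate a zone transfer by signing the request with a key shared by the primary and secondary nameservers, so the transfer is allowed only if the requesting server proves it holds the secret." Second, the <important> admonition loses the actionable half of the old text: the removed line said "They should use TSIG-based authentication instead", but the new "When communicating over an insecure network, do not rely on IP address-based authentication only." no longer tells the reader what to use; keep the recommendation, e.g. "When communicating over an insecure network, do not rely on IP address-based authentication alone; use TSIG-based authentication instead." Third, the paragraph pointing at the <citetitle>BIND 9 Administrator Reference Manual</citetitle> via <xref linkend="s2-bind-installed-docs"/> (chapter "Advanced DNS features") is deleted without replacement, so the section no longer says where TSIG key generation and the key/server configuration are documented; restore that sentence or fold the reference into the remaining paragraph. Minor: the indexterm tertiary was changed to the singular "Transaction SIGnature (TSIG)" while the new title uses the plural "Transaction SIGnatures (TSIG)"; make them agree.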


More information about the docs-commits mailing list