Shim6, was: Re: filtering /48 is going to be necessary

Mark Andrews marka at isc.org
Mon Mar 12 22:12:29 CDT 2012


In message <CAMcDhonQqYuzD5CLLZMBKW1tjQ5H6qmLE9LLJo4Z_H4D3coQRw at mail.gmail.com>
, Josh Hoppes writes:
> Also consider the significantly increased load on DNS servers to
> handle the constant stream of dynamic DNS updates to make this
> possible, and that you have to find some reliable trust mechanism to
> handle these updates because without that you just made man in the
> middle attacks just a little bit easier.

The DNS already supports cryptographically authenticated updates.
There is a good chance that your DHCP server used one of the methods
below when you got your lease.

SIG(0), TSIG and GSS_TSIG all scale appropriately for this.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
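
An added example, not part of the original message and not ISC code: a simplified TSIG (RFC 8945) HMAC-SHA256 computation and server-side check for a dynamic update, showing an update altered in transit being rejected. The key name, secret, zone, addresses and function names are constructed for illustration, and the TSIG record itself is not appended to the message.

```python
import hashlib, hmac, ipaddress, struct

def wire_name(name):
    """Encode a domain name in lower-cased, uncompressed DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_update(msg_id, zone, host, addr, ttl=300):
    """Minimal RFC 2136 UPDATE: one zone entry, one AAAA record to add."""
    header = struct.pack("!HHHHHH", msg_id, 0x2800, 1, 0, 1, 0)   # opcode 5 (UPDATE)
    zone_section = wire_name(zone) + struct.pack("!HH", 6, 1)     # type SOA, class IN
    rdata = ipaddress.IPv6Address(addr).packed
    update = wire_name(host) + struct.pack("!HHIH", 28, 1, ttl, len(rdata)) + rdata
    return header + zone_section + update

def tsig_mac(message, key_name, secret, time_signed, fudge=300):
    """HMAC-SHA256 over the unsigned message plus the TSIG variables."""
    variables = (
        wire_name(key_name)
        + struct.pack("!HI", 255, 0)                  # CLASS ANY, TTL 0
        + wire_name("hmac-sha256")                    # algorithm name
        + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)  # 48-bit time
        + struct.pack("!HHH", fudge, 0, 0)            # fudge, error, other len
    )
    return hmac.new(secret, message + variables, hashlib.sha256).digest()

def verify_update(message, mac, key_name, secret, time_signed, now, fudge=300):
    """Server-side check: constant-time MAC compare, then the time window."""
    expected = tsig_mac(message, key_name, secret, time_signed, fudge)
    if not hmac.compare_digest(mac, expected):
        return "BADSIG"
    if abs(now - time_signed) > fudge:
        return "BADTIME"                              # stale or replayed update
    return "NOERROR"

# Constructed sample values (not taken from any real deployment).
KEY_NAME, SECRET = "dhcp-update.example.net", b"constructed-shared-secret-value!"
T0 = 1_700_000_000
UPDATE = build_update(0x1A2B, "example.net", "host1.example.net", "2001:db8::10")
MAC = tsig_mac(UPDATE, KEY_NAME, SECRET, T0)
# Same update with the address changed by someone who does not hold the key.
FORGED = build_update(0x1A2B, "example.net", "host1.example.net", "2001:db8::bad")

if __name__ == "__main__":
    print(verify_update(UPDATE, MAC, KEY_NAME, SECRET, T0, now=T0 + 5))
    print(verify_update(FORGED, MAC, KEY_NAME, SECRET, T0, now=T0 + 5))
    print(verify_update(UPDATE, MAC, KEY_NAME, SECRET, T0, now=T0 + 3600))
```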
