Reverse DNS RFCs and Recommendations

• Previous message (by thread): Reverse DNS RFCs and Recommendations
• Next message (by thread): Reverse DNS RFCs and Recommendations
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In message <52743027.7050203 at necom830.hpcl.titech.ac.jp>, Masataka Ohta writes:
> Mark Andrews wrote:
> 
> >> It is a lot simpler and a lot more practical just to
> >> use shared secret between a CPE and a ISP's name server
> >> for TSIG generation.
> > 
> > No it isn't.  It requires a human to transfer the secret to the CPE
> > device or to register the secret with the ISP.
> 
> Not necessarily. When the CPE is configured through DHCP (or
> PPP?), the ISP can send the secret.

Which can be seen, in many cases, by other parties which is why I
discounted plain TSIG key exchanges over DHCP years ago regardless
of which side send the key material.

> > I'm talking about just building this into CPE devices and having it
> > just work with no human involvement.
> 
> See above.
> 
> Involving DNSSEC here is overkill and unnecessarily introduce
> vulnerabilities.

You do realise that you can use KEY records without DNSSEC.  The
KEY record is in the zone to be updated so it is implictly trusted.

> 						Masataka Ohta
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

• Previous message (by thread): Reverse DNS RFCs and Recommendations
• Next message (by thread): Reverse DNS RFCs and Recommendations
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]