Shim6, was: Re: filtering /48 is going to be necessary
Mark Andrews
marka at isc.org
Tue Mar 13 03:12:29 UTC 2012
In message <CAMcDhonQqYuzD5CLLZMBKW1tjQ5H6qmLE9LLJo4Z_H4D3coQRw at mail.gmail.com>, Josh Hoppes writes:
> Also consider the significantly increased load on DNS servers to
> handle the constant stream of dynamic DNS updates to make this
> possible, and that you have to find some reliable trust mechanism to
> handle these updates because without that you just made man in the
> middle attacks just a little bit easier.
The DNS already supports cryptographically authenticated updates.
There is a good chance that your DHCP server used one of the methods
below when you got your lease.
SIG(0), TSIG and GSS_TSIG all scale appropriately for this.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
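
Added example (not part of the original post, and not ISC or BIND code): how TSIG authentication answers the tampering concern in the quoted text, by computing and checking the RFC 8945 MAC over an RFC 2136 UPDATE message. The key name, secret, zone, host, addresses and timestamp are constructed sample values.

```python
import hashlib, hmac, ipaddress, struct

def wire_name(name):
    """Canonical (lowercase, uncompressed) DNS wire encoding of a domain name."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def update_message(msg_id, zone, host, addr, ttl=300):
    """DNS UPDATE (RFC 2136) adding one AAAA record for host in zone."""
    header = struct.pack("!6H", msg_id, 5 << 11, 1, 0, 1, 0)  # opcode 5 = UPDATE
    zone_section = wire_name(zone) + struct.pack("!HH", 6, 1)  # type SOA, class IN
    rdata = ipaddress.IPv6Address(addr).packed
    record = wire_name(host) + struct.pack("!HHIH", 28, 1, ttl, len(rdata)) + rdata
    return header + zone_section + record

def tsig_mac(secret, message, key_name, time_signed, fudge):
    """HMAC-SHA256 over the request plus the TSIG variables (RFC 8945, 4.3.3)."""
    variables = (wire_name(key_name) + struct.pack("!HI", 255, 0)  # class ANY, TTL 0
                 + wire_name("hmac-sha256")
                 + time_signed.to_bytes(6, "big") + struct.pack("!H", fudge)
                 + struct.pack("!HH", 0, 0))  # error, other-len
    return hmac.new(secret, message + variables, hashlib.sha256).digest()

def verify(keyring, message, key_name, time_signed, fudge, mac, now):
    """Server-side checks in RFC 8945 order: key, then MAC, then time."""
    secret = keyring.get(key_name.lower())
    if secret is None:
        return "BADKEY"
    expected = tsig_mac(secret, message, key_name, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"   # message or TSIG variables were altered in transit
    if abs(now - time_signed) > fudge:
        return "BADTIME"  # outside the fudge window: stale or replayed
    return "NOERROR"

# Constructed sample values (not from the thread).
KEY_NAME = "dhcp-ddns.example."
KEYRING = {KEY_NAME: b"constructed-shared-secret-32byte"}
T0 = 1331608349
MSG = update_message(0x1A2B, "example.com", "host1.example.com", "2001:db8::10")
FORGED = update_message(0x1A2B, "example.com", "host1.example.com", "2001:db8::666")
MAC = tsig_mac(KEYRING[KEY_NAME], MSG, KEY_NAME, T0, 300)

if __name__ == "__main__":
    print(verify(KEYRING, MSG, KEY_NAME, T0, 300, MAC, T0 + 5))     # genuine update
    print(verify(KEYRING, FORGED, KEY_NAME, T0, 300, MAC, T0 + 5))  # address rewritten
    print(verify(KEYRING, MSG, KEY_NAME, T0, 300, MAC, T0 + 3600))  # replayed an hour on
```
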