Reverse DNS RFCs and Recommendations
marka at isc.org
Fri Nov 1 21:54:23 UTC 2013
In message <5273525C.5060908 at necom830.hpcl.titech.ac.jp>, Masataka Ohta writes:
> Mark Andrews wrote:
> > That said it is possible to completely automate the secure assignment
> > of PTR records. It is also possible to completely automate the
> > secure delegation of the reverse name space. See
> > http://tools.ietf.org/html/draft-andrews-dnsop-pd-reverse-00
> It is a lot simpler and a lot more practical just to
> use shared secret between a CPE and a ISP's name server
> for TSIG generation.
No it isn't. It requires a human to transfer the secret to the CPE
device or to register the secret with the ISP.
I'm talking about just building this into CPE devices and having it
just work with no human involvement.
> As the secret can be directly shared end to end, it is more
> secure than DNSSEC involving untrustworthy third parties.
> Masataka Ohta
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the NANOG