Reverse DNS RFCs and Recommendations
Masataka Ohta
mohta at necom830.hpcl.titech.ac.jp
Fri Nov 1 22:50:15 UTC 2013
Mark Andrews wrote:
>> It is a lot simpler and a lot more practical just to
>> use shared secret between a CPE and a ISP's name server
>> for TSIG generation.
>
> No it isn't. It requires a human to transfer the secret to the CPE
> device or to register the secret with the ISP.
Not necessarily. When the CPE is configured through DHCP (or
PPP?), the ISP can send the secret.
> I'm talking about just building this into CPE devices and having it
> just work with no human involvement.
See above.
Involving DNSSEC here is overkill and unnecessarily introduce
vulnerabilities.
Masataka Ohta
More information about the NANOG
mailing list