Reverse DNS RFCs and Recommendations

Masataka Ohta mohta at
Wed Nov 6 07:55:13 UTC 2013

Mark Andrews wrote:

>> You misunderstand very basic points on why forward and reverse
>> DNS checking is useful.
>> If an attacker can snoop DHCP reply packet to a victim's CPE, the
>> attacker can snoop any packet to a victim's server, which is
>> already bad.
> The DHCP reply packet is special as it is broadcast.

RFC 3315 is explicit on it:

   18.2.8. Transmission of Reply Messages

   The Reply message MUST be unicast
   through the interface on which the original message was received.

>> That is, Mark's security model is broken only to introduce
>> obscurity with worse security.
> This is about adding a delegation into the DNS securely so only
> the machine that the prefix is delegated to and the ISP can update
> it.  There are a number of reasons to want to do this securely from
> both the ISP side and the customer side regardless of whether you
> secure the DNS responses themselves.

And carrying a TSIG key in a DHCP reply is just secure from both sides.

						Masataka Ohta

More information about the NANOG mailing list