nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Reverse DNS RFCs and Recommendations

From: Mark Andrews <marka () isc org>
Date: Sat, 02 Nov 2013 11:20:35 +1100

In message <52743027.7050203 () necom830 hpcl titech ac jp>, Masataka Ohta writes:

Mark Andrews wrote:


It is a lot simpler and a lot more practical just to
use shared secret between a CPE and a ISP's name server
for TSIG generation.


No it isn't.  It requires a human to transfer the secret to the CPE
device or to register the secret with the ISP.


Not necessarily. When the CPE is configured through DHCP (or
PPP?), the ISP can send the secret.


Which can be seen, in many cases, by other parties which is why I
discounted plain TSIG key exchanges over DHCP years ago regardless
of which side send the key material.


I'm talking about just building this into CPE devices and having it
just work with no human involvement.


See above.

Involving DNSSEC here is overkill and unnecessarily introduce
vulnerabilities.


You do realise that you can use KEY records without DNSSEC.  The
KEY record is in the zone to be updated so it is implictly trusted.


                                              Masataka Ohta

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
Previous By Date Next
Previous By Thread Next

Current thread: