nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Reverse DNS RFCs and Recommendations

From: Masataka Ohta <mohta () necom830 hpcl titech ac jp>
Date: Sat, 02 Nov 2013 10:47:48 +0900
Mark Andrews wrote:


It is a lot simpler and a lot more practical just to
use shared secret between a CPE and a ISP's name server
for TSIG generation.


No it isn't.  It requires a human to transfer the secret to the CPE
device or to register the secret with the ISP.


Not necessarily. When the CPE is configured through DHCP (or
PPP?), the ISP can send the secret.


Which can be seen, in many cases, by other parties


Who can see the packets sent from the local ISP to the CPE
directly connected to the ISP?

If you mind wire tapping, you have other things to worry
about, which needs your access line encrypted (by a manually
configured password), which makes DHCP packets invisible.

                                        Masataka Ohta
Previous By Date Next
Previous By Thread Next

Current thread: