[151175] in North American Network Operators' Group
Re: Shim6, was: Re: filtering /48 is going to be necessary
daemon@ATHENA.MIT.EDU (Mark Andrews)
Mon Mar 12 23:13:44 2012
To: Josh Hoppes <josh.hoppes@gmail.com>
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Mon, 12 Mar 2012 21:42:02 CDT."
<CAMcDhonQqYuzD5CLLZMBKW1tjQ5H6qmLE9LLJo4Z_H4D3coQRw@mail.gmail.com>
Date: Tue, 13 Mar 2012 14:12:29 +1100
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
In message <CAMcDhonQqYuzD5CLLZMBKW1tjQ5H6qmLE9LLJo4Z_H4D3coQRw@mail.gmail.com>, Josh Hoppes writes:
> Also consider the significantly increased load on DNS servers to
> handle the constant stream of dynamic DNS updates to make this
> possible, and that you have to find some reliable trust mechanism to
> handle these updates because without that you just made man in the
> middle attacks just a little bit easier.
The DNS already supports cryptographically authenticated updates.
There is a good chance that your DHCP server used one of the methods
below when you got your lease.
SIG(0), TSIG and GSS_TSIG all scale appropriately for this.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
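
An added example, not part of the original message: a sketch of how a TSIG-authenticated dynamic update is signed and then checked by the server, using the request digest layout from RFC 8945 (message bytes followed by the TSIG variables). The key name, secret, zone, host names and timestamp are constructed; the code computes and verifies the MAC only and does not serialize the TSIG record onto the wire.

```python
import hashlib, hmac, ipaddress, struct

def wire_name(name):
    """Encode a domain name in lowercase DNS wire format (no compression)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_update(msg_id, zone, host, addr, ttl=300):
    """DNS UPDATE (opcode 5) adding one AAAA record; TSIG RR not yet attached."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)
    zone_section = wire_name(zone) + struct.pack("!HH", 6, 1)      # type SOA, class IN
    rdata = ipaddress.IPv6Address(addr).packed
    update = wire_name(host) + struct.pack("!HHIH", 28, 1, ttl, len(rdata)) + rdata
    return header + zone_section + update

def tsig_mac(message, key_name, secret, time_signed, fudge=300):
    """HMAC-SHA256 over the message plus the TSIG variables (request case)."""
    variables = (
        wire_name(key_name)
        + struct.pack("!HI", 255, 0)                               # CLASS ANY, TTL 0
        + wire_name("hmac-sha256")                                 # algorithm name
        + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, 0, 0)
    )
    return hmac.new(secret, message + variables, hashlib.sha256).digest()

def verify_update(message, mac, key_name, keyring, time_signed, now, fudge=300):
    """Server-side checks in RFC 8945 order: key, then MAC, then time window."""
    secret = keyring.get(key_name)
    if secret is None:
        return "BADKEY"
    expected = tsig_mac(message, key_name, secret, time_signed, fudge)
    if not hmac.compare_digest(mac, expected):
        return "BADSIG"
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "NOERROR"

# Constructed sample values (assumptions, not from the original message).
KEY_NAME = "dhcp-update.example.com"
KEYRING = {KEY_NAME: b"constructed-demo-secret-32-bytes"}
NOW = 1331608349

if __name__ == "__main__":
    msg = build_update(0x1A2B, "example.com", "host1.example.com", "2001:db8::10")
    mac = tsig_mac(msg, KEY_NAME, KEYRING[KEY_NAME], NOW)
    print(verify_update(msg, mac, KEY_NAME, KEYRING, NOW, NOW))
    forged = build_update(0x1A2B, "example.com", "host1.example.com", "2001:db8::bad")
    print(verify_update(forged, mac, KEY_NAME, KEYRING, NOW, NOW))
```

An update altered in transit fails the MAC comparison, and a replayed update outside the fudge window fails the time check, which is the trust mechanism the quoted concern asks for.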