[166620] in North American Network Operators' Group
Re: Reverse DNS RFCs and Recommendations
daemon@ATHENA.MIT.EDU (Masataka Ohta)
Fri Nov 1 18:47:34 2013
Date: Sat, 02 Nov 2013 07:50:15 +0900
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
To: Mark Andrews <marka@isc.org>
In-Reply-To: <20131101215423.32B5896C2C5@rock.dv.isc.org>
Cc: nanog@nanog.org

Mark Andrews wrote:

>> It is a lot simpler and a lot more practical just to
>> use shared secret between a CPE and an ISP's name server
>> for TSIG generation.
>
> No it isn't. It requires a human to transfer the secret to the CPE
> device or to register the secret with the ISP.

Not necessarily. When the CPE is configured through DHCP (or
PPP?), the ISP can send the secret.

> I'm talking about just building this into CPE devices and having it
> just work with no human involvement.

See above.

Involving DNSSEC here is overkill and unnecessarily introduces
vulnerabilities.

Masataka Ohta