[166627] in North American Network Operators' Group
Re: Reverse DNS RFCs and Recommendations
daemon@ATHENA.MIT.EDU (Mark Andrews)
Fri Nov 1 20:21:19 2013
To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Sat, 02 Nov 2013 07:50:15 +0900."
<52743027.7050203@necom830.hpcl.titech.ac.jp>
Date: Sat, 02 Nov 2013 11:20:35 +1100
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
In message <52743027.7050203@necom830.hpcl.titech.ac.jp>, Masataka Ohta writes:
> Mark Andrews wrote:
>
> >> It is a lot simpler and a lot more practical just to
> >> use shared secret between a CPE and a ISP's name server
> >> for TSIG generation.
> >
> > No it isn't. It requires a human to transfer the secret to the CPE
> > device or to register the secret with the ISP.
>
> Not necessarily. When the CPE is configured through DHCP (or
> PPP?), the ISP can send the secret.
Which can be seen, in many cases, by other parties which is why I
discounted plain TSIG key exchanges over DHCP years ago regardless
of which side send the key material.
> > I'm talking about just building this into CPE devices and having it
> > just work with no human involvement.
>
> See above.
>
> Involving DNSSEC here is overkill and unnecessarily introduce
> vulnerabilities.
You do realise that you can use KEY records without DNSSEC. The
KEY record is in the zone to be updated so it is implictly trusted.
> Masataka Ohta
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
