Reverse DNS RFCs and Recommendations
In message <20131102002035.963BA96D853 at rock.dv.isc.org>, Mark Andrews writes:
>
> In message <52743027.7050203 at necom830.hpcl.titech.ac.jp>, Masataka Ohta writes:
> > Mark Andrews wrote:
> >
> > >> It is a lot simpler and a lot more practical just to
> > >> use shared secret between a CPE and a ISP's name server
> > >> for TSIG generation.
> > >
> > > No it isn't. It requires a human to transfer the secret to the CPE
> > > device or to register the secret with the ISP.
> >
> > Not necessarily. When the CPE is configured through DHCP (or
> > PPP?), the ISP can send the secret.
>
> Which can be seen, in many cases, by other parties, which is why I
> discounted plain TSIG key exchanges over DHCP years ago regardless
> of which side sent the key material.
Now you could do a DH key exchange over DHCP, then do an encrypted
TSIG key exchange. This however also requires an encrypted key
exchange of the TSIG with the nameserver. The DHCP server could
do this with TKEY.
Note a full DH key exchange is not strictly required. The CPE could
just send a public key and the DHCP server could encrypt the TSIG
secret using it when replying.
> > > I'm talking about just building this into CPE devices and having it
> > > just work with no human involvement.
> >
> > See above.
> >
> > Involving DNSSEC here is overkill and unnecessarily introduces
> > vulnerabilities.
>
> You do realise that you can use KEY records without DNSSEC. The
> KEY record is in the zone to be updated so it is implicitly trusted.
>
> > Masataka Ohta
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
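The scheme Mark sketches (CPE puts a DH public value in its DHCP request, the DHCP server wraps the per-CPE TSIG secret under the shared key in its reply, the CPE then uses that secret for TSIG), as an added illustration that is not code from the thread or from ISC. It assumes the RFC 2409 1024-bit MODP group for brevity, a stdlib HMAC-based wrap in place of a real AEAD, a constructed update message, and a simplified TSIG MAC.

```python
import hashlib, hmac, secrets

# RFC 2409 Second Oakley Group (1024-bit MODP, g=2); kept small for brevity.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def kek_from(peer_pub, priv):
    # Hash the DH shared value into a 32-byte key-encryption key (KEK).
    if not 1 < peer_pub < P - 1:  # reject 0, 1, p-1 and out-of-range values
        raise ValueError("bad DH public value")
    z = pow(peer_pub, priv, P).to_bytes(128, "big")
    return hashlib.sha256(b"tsig-wrap" + z).digest()

def wrap(kek, tsig_secret):
    # Encrypt-then-MAC with stdlib only: one HMAC block as keystream (so the
    # secret is at most 32 bytes), tag over nonce and ciphertext.
    nonce = secrets.token_bytes(16)
    ks = hmac.new(kek, nonce, "sha256").digest()
    ct = bytes(a ^ b for a, b in zip(tsig_secret, ks))
    return nonce, ct, hmac.new(kek, b"tag" + nonce + ct, "sha256").digest()

def unwrap(kek, nonce, ct, tag):
    want = hmac.new(kek, b"tag" + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrapped TSIG secret failed authentication")
    ks = hmac.new(kek, nonce, "sha256").digest()
    return bytes(a ^ b for a, b in zip(ct, ks))

def tsig_mac(tsig_secret, msg):
    # Simplified: real TSIG MACs the DNS message plus the TSIG variables.
    return hmac.new(tsig_secret, msg, "sha256").digest()

def provision(tsig_secret, update=b"constructed UPDATE for 1.0.0.10.in-addr.arpa"):
    """One exchange: returns (secret recovered by CPE, MAC the CPE computes)."""
    cpe_priv, cpe_pub = dh_keypair()   # CPE puts cpe_pub in its DHCP request
    srv_priv, srv_pub = dh_keypair()   # server replies with srv_pub + wrapped secret
    blob = wrap(kek_from(cpe_pub, srv_priv), tsig_secret)
    # Only a passive observer of the DHCP exchange is defeated; an active
    # on-path party could substitute its own public value (no authentication).
    recovered = unwrap(kek_from(srv_pub, cpe_priv), *blob)
    return recovered, tsig_mac(recovered, update)
```

The server-to-nameserver leg (TKEY in the message above) is not modelled; the same wrap would apply there with the nameserver's key.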