[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Reverse DNS RFCs and Recommendations



Mark Andrews wrote:

>> You misunderstand very basic points on why forward and reverse
>> DNS checking is useful.
>>
>> If an attacker can snoop DHCP reply packet to a victim's CPE, the
>> attacker can snoop any packet to a victim's server, which is
>> already bad.
> 
> The DHCP reply packet is special as is is broadcasted.

What?

Rfc3315 is explicit on it:

   18.2.8. Transmission of Reply Messages

   The Reply message MUST be unicast
   through the interface on which the original message was received.

>> That is, Mark's security model is broken only to introduce
>> obscurity with worse security.
> 
> This is a about adding a delegation into the DNS securely so only
> the machine that the prefix is delegated to and the ISP can update
> it.  There are a number of reasons to want to do this securely from
> both the ISP side and the customer side regardless of whether you
> secure the DNS responses themselves.

And carrying TSIG key in DHCP reply is just secure from the both sides.

						Masataka Ohta