On Aug 15, 2011, at 9:27 PM, Brian E Carpenter wrote:

> As long as that process is at least as secure as DNSSEC, so that DNSSEC is not compromised, that is certainly an alternative. However, it makes DHCPv6 mandatory for automatic renumbering. That may be a "political" decision as well as a technical one.
"As secure as DNSSEC" is not always the required level of security. For instance, at my office, roaming laptops can provide a name which is used to update a DNS record in a well-known zone. However, they cannot insert arbitrary records—just A and/or AAAA records. And they cannot insert them into arbitrary zones. So the security requirements here are substantially less stringent than they would be in the case that a client had a key that allowed it to do arbitrary updates to a zone.

As for the political layer, I don't really see the problem. If people want DNS updates, there's going to be some kind of mechanism for it. If they don't, it's not a problem. Presumably in environments where autoconfig is the rule, either clients have keys with which to update the DNS, or else they do not need to update the DNS (e.g., they are using mDNS or Bonjour, and do not need a globally-visible name).
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
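The reply above contrasts a client key that may touch only A/AAAA records at its own name with a key that may make arbitrary updates to a zone. The following is an added example, not code from the thread or from any DNS server: a small evaluator for grant rules in the spirit of BIND's `update-policy` (`grant <identity> <nametype> <name> <types>`), run against constructed sample updates. The zone name, key name and record names are made-up sample values.

```python
from dataclasses import dataclass

def _fqdn(name):
    """Normalise a name to lowercase with a single trailing dot."""
    return name.lower().rstrip(".") + "."

def _is_subdomain(name, parent):
    name, parent = _fqdn(name), _fqdn(parent)
    return name == parent or name.endswith("." + parent)

@dataclass(frozen=True)
class Rule:
    identity: str      # TSIG key name, or "*" for any authenticated key
    nametype: str      # "self", "name" or "subdomain" (toy subset of BIND's nametypes)
    name: str          # name argument; ignored for "self"
    types: frozenset   # permitted RR types, or frozenset({"ANY"}) for all

def rule_allows(rule, key, rrname, rrtype):
    """True if one grant rule lets `key` change record `rrtype` at `rrname`."""
    if rule.identity != "*" and _fqdn(rule.identity) != _fqdn(key):
        return False
    if rule.nametype == "self":            # name must equal the key name
        name_ok = _fqdn(rrname) == _fqdn(key)
    elif rule.nametype == "name":
        name_ok = _fqdn(rrname) == _fqdn(rule.name)
    else:                                  # "subdomain"
        name_ok = _is_subdomain(rrname, rule.name)
    return name_ok and ("ANY" in rule.types or rrtype.upper() in rule.types)

def update_permitted(policy, zone, key, changes):
    """Accept a dynamic update only if every (name, type) it touches lies inside
    `zone` and is covered by at least one grant rule. Returns (ok, reason)."""
    for rrname, rrtype in changes:
        if not _is_subdomain(rrname, zone):
            return False, f"{rrname} is outside zone {zone}"
        if not any(rule_allows(r, key, rrname, rrtype) for r in policy):
            return False, f"key {key} may not update {rrtype} at {rrname}"
    return True, "accepted"

ZONE = "roam.example.net."                          # constructed sample zone
# Weak policy: any key holder may change any record anywhere in the zone.
PERMISSIVE = [Rule("*", "subdomain", ZONE, frozenset({"ANY"}))]
# Restricted policy, as in the office setup described in the reply:
# a key may only touch A/AAAA records at the name matching the key itself.
RESTRICTED = [Rule("*", "self", ".", frozenset({"A", "AAAA"}))]

LAPTOP_KEY = "laptop7.roam.example.net."            # constructed roaming-laptop key
OWN_ADDRESS = [(LAPTOP_KEY, "AAAA")]                # laptop publishing its own address
ANOTHER_HOSTS_ADDRESS = [("printer.roam.example.net.", "A")]
APEX_MX = [("roam.example.net.", "MX")]             # arbitrary record type at the apex
OTHER_ZONE = [("host.corp.example.org.", "AAAA")]   # record in a different zone

if __name__ == "__main__":
    for label, changes in [("own AAAA", OWN_ADDRESS), ("other host A", ANOTHER_HOSTS_ADDRESS),
                           ("apex MX", APEX_MX), ("other zone", OTHER_ZONE)]:
        for pname, policy in [("permissive", PERMISSIVE), ("restricted", RESTRICTED)]:
            print(f"{pname:11s} {label:13s} -> {update_permitted(policy, ZONE, LAPTOP_KEY, changes)}")
```

Under the restricted policy only the laptop's own A/AAAA change is accepted; under the permissive policy the same key can also rewrite other hosts' records and the zone's MX, which is the difference in required key security the reply points out.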