On Aug 15, 2011, at 9:27 PM, Brian E Carpenter wrote:
> As long as that process is at least as secure as DNSSEC, so that
> DNSSEC is not compromised, that is certainly an alternative.
> However, it makes DHCPv6 mandatory for automatic renumbering.
> That may be a "political" decision as well as a technical one.

"As secure as DNSSEC" is not always the required level of security. For
instance, at my office, roaming laptops can provide a name which is used to
update a DNS record in a well-known zone. However, they cannot insert
arbitrary records—just A and/or AAAA records. And they cannot insert them
into arbitrary zones. So the security requirements here are substantially
less stringent than they would be in the case that a client had a key that
allowed it to do arbitrary updates to a zone.

As for the political layer, I don't really see the problem. If people want
DNS updates, there's going to be some kind of mechanism for it. If they
don't, it's not a problem. Presumably in environments where autoconfig is the
rule, either clients have keys with which to update the DNS, or else they do
not need to update the DNS (e.g., they are using mDNS or Bonjour, and do not
need a globally-visible name).

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
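
The restriction described in the message above (clients may add only A and/or AAAA records, and only in one zone), sketched as a server-side check. This is an added example, not part of the original post or of any DNS server's code; the zone name `roaming.example.com.`, the one-label-below-the-zone rule and the function names are assumptions.

```python
import ipaddress

# Assumed policy values (not from the original message).
ALLOWED_ZONE = "roaming.example.com."   # hypothetical well-known zone
ALLOWED_TYPES = {"A": 4, "AAAA": 6}     # record type -> required IP version


def _labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def authorize_update(owner, rrtype, rdata, zone=ALLOWED_ZONE):
    """Return (allowed, reason) for one record in a client's update request."""
    rrtype = rrtype.upper()
    if rrtype not in ALLOWED_TYPES:
        return False, "record type not permitted"
    owner_labels = _labels(owner)
    # Owner must sit exactly one label below the permitted zone: this rejects
    # the zone apex, deeper subdomains, and names in any other zone.
    if owner_labels[1:] != _labels(zone):
        return False, "owner name outside permitted zone"
    host = owner_labels[0]
    # Host label: ASCII letters, digits and inner hyphens only, which also
    # rejects wildcards ("*") and underscore service labels ("_ldap").
    valid = (0 < len(host) <= 63 and host[0] != "-" and host[-1] != "-"
             and all(c.isascii() and (c.isalnum() or c == "-") for c in host))
    if not valid:
        return False, "invalid host label"
    try:
        addr = ipaddress.ip_address(rdata)
    except ValueError:
        return False, "rdata is not an IP address"
    if addr.version != ALLOWED_TYPES[rrtype]:
        return False, "address family does not match record type"
    return True, "ok"


# Constructed sample requests: (owner, type, rdata).
SAMPLES = [
    ("laptop7.roaming.example.com.", "AAAA", "2001:db8::17"),
    ("laptop7.roaming.example.com.", "MX", "10 mail.example.net."),
    ("www.example.com.", "A", "192.0.2.10"),
    ("_ldap.roaming.example.com.", "A", "192.0.2.10"),
]

if __name__ == "__main__":
    for owner, rrtype, rdata in SAMPLES:
        print(owner, rrtype, authorize_update(owner, rrtype, rdata))
```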
