In message <3f8bc7c4-ee7a-41d0-9d21-e13c25321...@nominum.com>, Ted Lemon writes:
> On Aug 15, 2011, at 9:27 PM, Brian E Carpenter wrote:
> > As long as that process is at least as secure as DNSSEC, so that
> > DNSSEC is not compromised, that is certainly an alternative.
> > However, it makes DHCPv6 mandatory for automatic renumbering.
> > That may be a "political" decision as well as a technical one.
> 
> "As secure as DNSSEC" is not always the required level of security. For instance, at my office, roaming laptops can provide a name which is used to update a DNS record in a well-known zone. However, they cannot insert arbitrary records—just A and/or AAAA records. And they cannot insert them into arbitrary zones. So the security requirements here are substantially less stringent than they would be in the case that a client had a key that allowed it to do arbitrary updates to a zone.

There are also two zones to update and different security requirements for
different types.  TCP is often sufficient authentication for PTR records
in the reverse zone, whereas TSIG/SIG(0) is needed for AAAA/A updates in
the forward zone.

> As for the political layer, I don't really see the problem. If people want DNS updates, there's going to be some kind of mechanism for it. If they don't, it's not a problem. Presumably in environments where autoconfig is the rule, either clients have keys with which to update the DNS, or else they do not need to update the DNS (e.g., they are using mdns or Bonjour, and do not need a globally-visible name).
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
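As an added illustration (not part of either message above), here is a small Python policy check modelling the two regimes the thread describes: TSIG-signed updates in the forward zone that may only touch A/AAAA at the signer's own name, and PTR updates in the reverse zone accepted on the strength of a TCP connection from the address being named (the rule BIND calls tcp-self). The zone names and the `<host>.key` key-naming convention are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

FORWARD_ZONE = "hosts.example."          # constructed zone name
REVERSE_SUFFIXES = (".in-addr.arpa.", ".ip6.arpa.")

@dataclass
class UpdateRequest:
    zone: str              # zone the UPDATE is aimed at
    name: str              # owner name being changed
    rrtype: str            # record type being added/deleted
    signer: Optional[str]  # TSIG/SIG(0) key name, None if unsigned
    src_ip: str            # client source address
    over_tcp: bool         # True if the request arrived over TCP

def ptr_owner(ip: str) -> str:
    """Owner name of the PTR record for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def authorize(req: UpdateRequest) -> Tuple[bool, str]:
    """Decide whether the update is allowed; returns (allowed, reason)."""
    if not req.name.endswith("." + req.zone):
        return False, "name is outside the zone"
    if req.zone == FORWARD_ZONE:
        # Forward zone: unsigned updates are rejected outright.
        if req.signer is None:
            return False, "forward zone requires TSIG/SIG(0)"
        if req.rrtype not in ("A", "AAAA"):
            return False, "only A/AAAA records may be updated"
        # Assumed key naming: <host>.key may only touch <host>.<zone>.
        host = req.signer.removesuffix(".key")
        if req.name != f"{host}.{req.zone}":
            return False, "key may only update its own name"
        return True, "signed A/AAAA update for own name"
    if req.zone.endswith(REVERSE_SUFFIXES):
        # Reverse zone: a completed TCP handshake shows the client can
        # receive traffic at src_ip, which is enough for its own PTR.
        if req.rrtype != "PTR":
            return False, "only PTR records may be updated"
        if not req.over_tcp:
            return False, "UDP source address is spoofable; TCP required"
        if req.name != ptr_owner(req.src_ip):
            return False, "PTR name does not match source address"
        return True, "PTR update for own address over TCP"
    return False, "no update policy for this zone"
```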