In message <3f8bc7c4-ee7a-41d0-9d21-e13c25321...@nominum.com>, Ted Lemon writes:
> On Aug 15, 2011, at 9:27 PM, Brian E Carpenter wrote:
>> As long as that process is at least as secure as DNSSEC, so that
>> DNSSEC is not compromised, that is certainly an alternative.
>> However, it makes DHCPv6 mandatory for automatic renumbering.
>> That may be a "political" decision as well as a technical one.
>
> "As secure as DNSSEC" is not always the required level of security. For
> instance, at my office, roaming laptops can provide a name which is used to
> update a DNS record in a well-known zone. However, they cannot insert
> arbitrary records—just A and/or AAAA records. And they cannot insert them
> into arbitrary zones. So the security requirements here are substantially
> less stringent than they would be in the case that a client had a key that
> allowed it to do arbitrary updates to a zone.
There are also two zones to update, with different security requirements for
the different types. TCP is often sufficient authentication for PTR records in
the reverse zone, whereas TSIG/SIG(0) is needed for AAAA/A updates in the
forward zone.

> As for the political layer, I don't really see the problem. If people want
> DNS updates, there's going to be some kind of mechanism for it. If they
> don't, it's not a problem. Presumably in environments where autoconfig is
> the rule, either clients have keys with which to update the DNS, or else
> they do not need to update the DNS (e.g., they are using mdns or Bonjour,
> and do not need a globally-visible name).

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
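An added illustration of the two policies described above (TSIG-restricted A/AAAA updates in the forward zone, TCP-based acceptance of PTR updates in the reverse zone), written as a BIND 9 named.conf fragment. This is not from the thread and not ISC's own configuration; the zone names, file names, key name and secret are placeholders, and the `update-policy` rule types (`self`, `tcp-self`) are as documented in the BIND ARM. The first zone stanza shows the permissive "arbitrary updates" case for contrast; the two that follow show the restricted policies.

```conf
// Constructed example; names, files and the key secret are placeholders.

key "laptop-1.example.com." {
    algorithm hmac-sha256;
    // Placeholder only: replace with a base64 secret generated by tsig-keygen.
    secret "REPLACE_WITH_BASE64_SECRET";
};

// Too permissive: allow-update with a key lets that key add or delete ANY
// record type at ANY name in the zone, i.e. "arbitrary updates to a zone".
zone "too-permissive.example.com" {
    type master;
    file "too-permissive.example.com.db";
    allow-update { key "laptop-1.example.com."; };
};

// Forward zone: a TSIG signature is required, and the "self" rule limits the
// key to records at its own name, with the type list limiting it to A/AAAA.
// It cannot insert MX, NS, TXT or records at other names, nor touch other zones.
zone "example.com" {
    type master;
    file "example.com.db";
    update-policy {
        grant laptop-1.example.com. self laptop-1.example.com. A AAAA;
    };
};

// Reverse zone (2001:db8::/32): "tcp-self" accepts an update only when it
// arrives over TCP from the address whose PTR record is being changed, so the
// completed TCP handshake is the authentication. Only PTR may be written.
zone "8.b.d.0.1.0.0.2.ip6.arpa" {
    type master;
    file "2001-db8.rev.db";
    update-policy {
        grant * tcp-self . PTR;
    };
};
```

`tcp-self` trusts the source address of the TCP session, so it only makes sense on a server that is reachable solely from the address space it is authoritative for (or behind filtering that enforces that); where an update must survive a stricter review, the forward-zone style of a per-host TSIG key with a `self`-scoped `update-policy` is the appropriate tool.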