In message <52743027.7050...@necom830.hpcl.titech.ac.jp>, Masataka Ohta writes:
> Mark Andrews wrote:
>
> >> It is a lot simpler and a lot more practical just to
> >> use a shared secret between a CPE and an ISP's name server
> >> for TSIG generation.
> >
> > No it isn't. It requires a human to transfer the secret to the CPE
> > device or to register the secret with the ISP.
>
> Not necessarily. When the CPE is configured through DHCP (or
> PPP?), the ISP can send the secret.
Which can be seen, in many cases, by other parties, which is why I discounted plain TSIG key exchanges over DHCP years ago regardless of which side sends the key material.

> > I'm talking about just building this into CPE devices and having it
> > just work with no human involvement.
>
> See above.
>
> Involving DNSSEC here is overkill and unnecessarily introduces
> vulnerabilities.

You do realise that you can use KEY records without DNSSEC. The KEY record is in the zone to be updated so it is implicitly trusted.

> Masataka Ohta

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
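The point Mark makes about a shared secret handed out over DHCP is that the secret is the whole credential: anyone who saw it on the wire can produce a valid TSIG for any UPDATE they like. The following is an added example, not code from the thread or from ISC/BIND, that builds a minimal RFC 2136 UPDATE request and computes the RFC 2845/8945 TSIG MAC over it with hmac-sha256 using only the Python standard library. The zone, key name, addresses and the hex secret are constructed for illustration. A real client appends the MAC inside a TSIG RR in the additional section; here the MAC is simply returned next to the message, which is exactly the byte string the MAC covers (the digested message must not include the TSIG RR, and this one has none). The KEY/SIG(0) alternative Mark mentions needs asymmetric signatures and is not shown here.

```python
"""TSIG MAC over a DNS UPDATE request (RFC 2845 / RFC 8945 digest layout).

Added example with constructed data; not from the mailing-list thread or BIND.
"""
import hashlib
import hmac
import struct

# Constructed values for the example (not real keys or zones).
SECRET = bytes.fromhex("000102030405060708090a0b0c0d0e0f"
                       "101112131415161718191a1b1c1d1e1f")
KEY_NAME = "cpe-0001.tsig.example.net."
ALGORITHM = "hmac-sha256."


def wire_name(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase, uncompressed labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_update(zone: str, owner: str, ipv4: str, ttl: int = 300,
                 msg_id: int = 0x1234) -> bytes:
    """Minimal RFC 2136 UPDATE: header, one zone entry, one A record to add."""
    flags = 5 << 11                      # opcode UPDATE (5), QR=0, no other flags
    # ZOCOUNT=1, PRCOUNT=0, UPCOUNT=1, ADCOUNT=0 (no TSIG RR appended here)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 1, 0)
    zone_section = wire_name(zone) + struct.pack("!HH", 6, 1)   # type SOA, class IN
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    update_rr = wire_name(owner) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + zone_section + update_rr


def tsig_variables(key_name: str, time_signed: int, fudge: int = 300,
                   error: int = 0, other: bytes = b"") -> bytes:
    """The 'TSIG variables' that are digested after the DNS message."""
    return (wire_name(key_name)
            + struct.pack("!HI", 255, 0)                      # class ANY, TTL 0
            + wire_name(ALGORITHM)
            + struct.pack("!HI", time_signed >> 32,           # 48-bit time signed
                          time_signed & 0xFFFFFFFF)
            + struct.pack("!HHH", fudge, error, len(other))
            + other)


def tsig_mac(secret: bytes, key_name: str, message: bytes, time_signed: int,
             fudge: int = 300) -> bytes:
    """MAC for a request: HMAC over (message || TSIG variables)."""
    data = message + tsig_variables(key_name, time_signed, fudge)
    return hmac.new(secret, data, hashlib.sha256).digest()


def verify_update(secret: bytes, key_name: str, message: bytes, mac: bytes,
                  time_signed: int, now: int, fudge: int = 300) -> bool:
    """Server-side check: time window, then constant-time MAC comparison."""
    if abs(now - time_signed) > fudge:
        return False
    expected = tsig_mac(secret, key_name, message, time_signed, fudge)
    return hmac.compare_digest(expected, mac)


def demo(now: int = 1700000000) -> dict:
    """CPE signs; ISP verifies; an observer who saw the DHCP-delivered secret
    forges a different update that verifies just as well."""
    cpe_msg = build_update("example.net.", "cpe-0001.example.net.", "192.0.2.10")
    cpe_mac = tsig_mac(SECRET, KEY_NAME, cpe_msg, now)

    # Observer reuses the captured secret to point the name somewhere else.
    forged_msg = build_update("example.net.", "cpe-0001.example.net.", "198.51.100.1")
    forged_mac = tsig_mac(SECRET, KEY_NAME, forged_msg, now)

    return {
        "cpe_accepted": verify_update(SECRET, KEY_NAME, cpe_msg, cpe_mac, now, now),
        "forgery_accepted": verify_update(SECRET, KEY_NAME, forged_msg, forged_mac, now, now),
        "wrong_secret": verify_update(b"\x00" * 32, KEY_NAME, cpe_msg, cpe_mac, now, now),
        "tampered": verify_update(SECRET, KEY_NAME, forged_msg, cpe_mac, now, now),
        "stale": verify_update(SECRET, KEY_NAME, cpe_msg, cpe_mac, now, now + 3600),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:18s} {accepted}")
```

Running it shows `cpe_accepted` and `forgery_accepted` both True while the wrong-secret, tampered and stale cases are rejected: the MAC binds the message and the time, but nothing distinguishes the CPE from a third party that holds the same secret, which is the weakness of distributing it in clear over DHCP.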