1 Nov
2013
1 Nov
'13
6:50 p.m.
Mark Andrews wrote:
It is a lot simpler and a lot more practical just to use shared secret between a CPE and a ISP's name server for TSIG generation.
No it isn't. It requires a human to transfer the secret to the CPE device or to register the secret with the ISP.
Not necessarily. When the CPE is configured through DHCP (or PPP?), the ISP can send the secret.
I'm talking about just building this into CPE devices and having it just work with no human involvement.
See above. Involving DNSSEC here is overkill and unnecessarily introduce vulnerabilities. Masataka Ohta