Mark Andrews wrote:
> You misunderstand very basic points on why forward and reverse DNS checking is useful.

>> If an attacker can snoop a DHCP reply packet to a victim's CPE, the attacker can snoop any packet to a victim's server, which is already bad.

> The DHCP reply packet is special as it is broadcast.

What? RFC 3315 is explicit on it:

   18.2.8. Transmission of Reply Messages

   The Reply message MUST be unicast through the interface on which the
   original message was received.
That is, Mark's security model is broken only to introduce obscurity with worse security.
> This is about adding a delegation into the DNS securely so that only the machine the prefix is delegated to and the ISP can update it. There are a number of reasons to want to do this securely from both the ISP side and the customer side, regardless of whether you secure the DNS responses themselves.

And carrying the TSIG key in the DHCP reply is just secure from both sides.

Masataka Ohta