In message <20131102002035.963BA96D853@rock.dv.isc.org>, Mark Andrews writes:
In message <52743027.7050203@necom830.hpcl.titech.ac.jp>, Masataka Ohta writes:
Mark Andrews wrote:
It is a lot simpler and a lot more practical just to use a shared secret between a CPE and an ISP's name server for TSIG generation.
No it isn't. It requires a human to transfer the secret to the CPE device or to register the secret with the ISP.
Not necessarily. When the CPE is configured through DHCP (or PPP?), the ISP can send the secret.
Which can be seen, in many cases, by other parties which is why I discounted plain TSIG key exchanges over DHCP years ago regardless of which side sends the key material.
Now you could do a DH key exchange over DHCP then do an encrypted TSIG key exchange. This however also requires an encrypted key exchange of the TSIG with the nameserver. The DHCP server could do this with TKEY. Note a full DH key exchange is not strictly required. The CPE could just send a public key and the DHCP server could encrypt the TSIG secret using it when replying.
I'm talking about just building this into CPE devices and having it just work with no human involvement.
See above.
Involving DNSSEC here is overkill and unnecessarily introduces vulnerabilities.
You do realise that you can use KEY records without DNSSEC. The KEY record is in the zone to be updated so it is implicitly trusted.
Masataka Ohta
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
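An added illustration, not part of the original message or of any ISC code: one way the last option in the reply above could work, with the CPE sending only a public key and the DHCP server encrypting the TSIG secret to it. The thread names no algorithm or DHCP option, so the construction (X25519, a SHA-512 key derivation, an HMAC-SHA-256 tag), the function names and the 32-byte limit are assumptions made here.

```python
import hashlib, hmac, os

# Assumed construction (not from the thread): X25519 + SHA-512 KDF + HMAC-SHA-256.
P, A24 = 2**255 - 19, 121665  # Curve25519 field prime, ladder constant (RFC 7748)
BASE = (9).to_bytes(32, "little")  # standard base point u = 9

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder; not constant-time, for illustration only."""
    n = (int.from_bytes(k, "little") & ((1 << 254) - 8)) | (1 << 254)  # clamp
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3 = 1, 0, x1, 1
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if bit:
            x2, z2, x3, z3 = x3, z3, x2, z2
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
        if bit:
            x2, z2, x3, z3 = x3, z3, x2, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def _derive(shared: bytes, eph_pub: bytes, cpe_pub: bytes):
    # Bind both public keys into the keys; first half encrypts, second half MACs.
    okm = hashlib.sha512(b"tsig-wrap" + shared + eph_pub + cpe_pub).digest()
    return okm[:32], okm[32:]

def wrap_tsig_secret(cpe_pub: bytes, secret: bytes) -> bytes:
    """DHCP server side: encrypt a TSIG secret to the public key the CPE sent."""
    if len(secret) > 32:
        raise ValueError("example wraps secrets of at most 32 bytes")
    eph_priv = os.urandom(32)  # fresh per reply, so the XOR pad is never reused
    eph_pub = x25519(eph_priv, BASE)
    enc_key, mac_key = _derive(x25519(eph_priv, cpe_pub), eph_pub, cpe_pub)
    ct = bytes(s ^ k for s, k in zip(secret, enc_key))
    return eph_pub + ct + hmac.new(mac_key, eph_pub + ct, hashlib.sha256).digest()

def unwrap_tsig_secret(cpe_priv: bytes, blob: bytes) -> bytes:
    """CPE side: verify the tag, then recover the TSIG secret."""
    eph_pub, ct, tag = blob[:32], blob[32:-32], blob[-32:]
    cpe_pub = x25519(cpe_priv, BASE)
    enc_key, mac_key = _derive(x25519(cpe_priv, eph_pub), eph_pub, cpe_pub)
    expect = hmac.new(mac_key, eph_pub + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("reply was modified or encrypted to a different key")
    return bytes(c ^ k for c, k in zip(ct, enc_key))
```

The wrapped reply hides the secret from parties that only observe the DHCP exchange. It does not by itself tell the server which device the public key came from.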