On Mar 4, 2014, at 4:59 PM, Michael Richardson <mcr+i...@sandelman.ca> wrote:
> As Mark said, if it's an ISP provided zone, then pushing the new DS is done
> under the TSIG key that the DHCP established. (So,
> ted-lemon-house.isp.example.net,
> and the reverse map).

Oh, so the TSIG key sent in the clear over DHCP is the attack surface. Got it.

Actually, during the DHC working group presentation, we asked Daniel to take the TSIG key out because it's not secure. The right way to do it is with SIG(0). But that doesn't provide a way to repudiate a lost key, because it relies on a leap of faith to begin trusting the initial key.

If the connection between the DHCP server and DHCP client is secure, then a nonce sent over DHCP could be used along with SIG(0) to assist, but this is not the only potential configuration. Trusting the wire works pretty well in these scenarios in practice, but only if there _is_ a wire.