Mark Andrews wrote:

>> It is a lot simpler and a lot more practical just to
>> use shared secret between a CPE and an ISP's name server
>> for TSIG generation.
>
> No it isn't. It requires a human to transfer the secret to the CPE
> device or to register the secret with the ISP.

Not necessarily. When the CPE is configured through DHCP (or PPP?),
the ISP can send the secret.

> I'm talking about just building this into CPE devices and having it
> just work with no human involvement.

See above.

Involving DNSSEC here is overkill and unnecessarily introduces
vulnerabilities.

Masataka Ohta