Hi Tony,

Thank you for your comment.

Maybe I should clarify this: Authentication of DHCP messages between the
DHCP Client and the DHCP Server is accomplished through the use of the
Authentication option. IPsec can be used between DHCP Relays and DHCP
Servers. We also need to clarify how IPsec and DHCP interact in the case of
remote VPN clients.

You are right in saying that the root KSK is probably better managed than any
other KSK, as well as other trusted communications. But 1) we are not only
concerned with the root KSK. The root KSK is crucial for DNSSEC; however, it
is not the only cause of failures. Other KSKs may also produce DNSSEC
validation failures. 2) We have no control over KSK operations.

As I mentioned earlier, in the case of the root zone, end users whose DNSSEC
validation fails will not call IANA, but our hot lines.
The key difference between the DHCP bootstrap and the DNSSEC bootstrap is that
ISPs have no influence on DNSSEC key rollovers, whereas we manage the DHCP
Server bootstrap.


Best Regards,
Daniel



On Tue, Oct 22, 2013 at 11:42 AM, Tony Finch <[email protected]> wrote:

> Paul Wouters <[email protected]> wrote:
> >
> > I am a little worried to bring this into the DHCP layer. While the
> > document makes statements about only accepting trust anchors when
> > the DHCP server is "trusted", when thinking about CPE equipment, old
> > handhelds, etc, there is no such trust relationship. (I'm also not very
> > familiar with what a "trust relationship" is between a DHCP server and
> > client?)
>
> The draft talks vaguely about IPSEC, which immediately sets off my wishful
> thinking alarm bells and reminds me of 1990s security considerations
> sections. More specifically, how is the client supposed to set up a
> security association with the DHCP server when it doesn't have an IP
> address? This is supposed to help with bootstrapping, right? How can the
> client bootstrap its trust in the DHCP server in a way that is less likely
> to expire than the root trust anchor?
>
> Tony.
> --
> f.anthony.n.finch  <[email protected]>  http://dotat.at/
> Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
> Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
> occasionally poor at first.
>



-- 
Daniel Migault
Orange Labs -- Security
+33 6 70 72 69 58
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
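Daniel's message refers to the DHCP Authentication option as the mechanism that authenticates messages between client and server. The following is an added example, not code from the draft or from anyone in this thread: a sender and a verifier for the RFC 3118 "delayed authentication" variant (option 90, HMAC-MD5, monotonic replay counter) as I understand its layout. The shared secret, the secret ID (7), the transaction ID and the client MAC are all constructed values; the assumption that the MAC covers the whole message with 'hops', 'giaddr' and the HMAC field zeroed follows RFC 3118 section 5, and treating the replay counter per secret ID rather than per client is a simplification.

```python
import hashlib
import hmac
import struct

# Constructed example of the RFC 3118 delayed-authentication option.
# Assumed layout of option 90:
#   code(1) len(1) protocol(1) algorithm(1) RDM(1) replay-detection(8)
#   secret-ID(4) HMAC-MD5(16)
OPT_AUTH = 90
OPT_END = 255
PROTO_DELAYED = 1
ALG_HMAC_MD5 = 1
RDM_COUNTER = 0          # replay detection method: monotonically increasing counter
AUTH_BODY_LEN = 3 + 8 + 4 + 16

HOPS_OFF = 3             # offsets into the fixed RFC 2131 header
GIADDR_OFF = 24
OPTIONS_OFF = 240        # fixed header (236 bytes) + magic cookie (4 bytes)


def build_header(xid: int, chaddr: bytes) -> bytes:
    """Minimal BOOTREQUEST header followed by the DHCP magic cookie."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0)   # op, htype, hlen, hops, xid, secs, flags
    hdr += b"\x00" * 16                                    # ciaddr, yiaddr, siaddr, giaddr
    hdr += chaddr.ljust(16, b"\x00")                       # chaddr
    hdr += b"\x00" * 64 + b"\x00" * 128                    # sname, file
    hdr += b"\x63\x82\x53\x63"                             # magic cookie
    return hdr


def auth_option(counter: int, secret_id: int, mac: bytes) -> bytes:
    body = struct.pack("!BBBQI", PROTO_DELAYED, ALG_HMAC_MD5, RDM_COUNTER, counter, secret_id) + mac
    return bytes([OPT_AUTH, len(body)]) + body


def _masked(msg: bytes, auth_off: int) -> bytes:
    """Copy of the message with 'hops', 'giaddr' and the HMAC field zeroed:
    relays legitimately rewrite those fields, so the MAC must not cover them."""
    m = bytearray(msg)
    m[HOPS_OFF] = 0
    m[GIADDR_OFF:GIADDR_OFF + 4] = b"\x00" * 4
    mac_off = auth_off + 2 + 3 + 8 + 4
    m[mac_off:mac_off + 16] = b"\x00" * 16
    return bytes(m)


def sign(header: bytes, options: bytes, counter: int, secret_id: int, key: bytes) -> bytes:
    """Return header + options + authentication option + END with the MAC filled in."""
    auth_off = len(header) + len(options)
    unsigned = header + options + auth_option(counter, secret_id, b"\x00" * 16) + bytes([OPT_END])
    mac = hmac.new(key, _masked(unsigned, auth_off), hashlib.md5).digest()
    return header + options + auth_option(counter, secret_id, mac) + bytes([OPT_END])


def find_option(msg: bytes, code: int):
    """Walk the options area and return (offset, value) of the first matching option."""
    i = OPTIONS_OFF
    while i < len(msg):
        c = msg[i]
        if c == OPT_END:
            return None
        if c == 0:                                         # PAD option has no length byte
            i += 1
            continue
        n = msg[i + 1]
        if c == code:
            return i, msg[i + 2:i + 2 + n]
        i += 2 + n
    return None


def verify(msg: bytes, keys: dict, last_counter: dict) -> bool:
    """Server-side check: known secret ID, fresh counter, matching HMAC."""
    found = find_option(msg, OPT_AUTH)
    if found is None:
        return False
    off, val = found
    if len(val) != AUTH_BODY_LEN:
        return False
    proto, alg, rdm, counter, secret_id = struct.unpack("!BBBQI", val[:15])
    if (proto, alg, rdm) != (PROTO_DELAYED, ALG_HMAC_MD5, RDM_COUNTER):
        return False
    key = keys.get(secret_id)
    if key is None:
        return False
    if counter <= last_counter.get(secret_id, -1):         # replayed or stale counter
        return False
    expected = hmac.new(key, _masked(msg, off), hashlib.md5).digest()
    if not hmac.compare_digest(expected, val[15:]):        # constant-time comparison
        return False
    last_counter[secret_id] = counter
    return True


if __name__ == "__main__":
    key = b"constructed-shared-secret"                     # constructed, not a real key
    keys = {7: key}
    opts = bytes([53, 1, 1])                               # DHCP Message Type = DISCOVER
    msg = sign(build_header(0x1234ABCD, b"\x02\x00\x00\x00\x00\x01"), opts, 1, 7, key)
    seen = {}
    print(verify(msg, keys, seen))                         # True
    print(verify(msg, keys, seen))                         # False: counter replayed
    tampered = msg[:242] + bytes([2]) + msg[243:]          # DISCOVER changed to OFFER
    print(verify(tampered, keys, {}))                      # False: MAC mismatch
```

The verifier is what a server (or a relay checking on its behalf) would run: it rejects an unknown secret ID, a reused counter and any change to the covered bytes, while a relay setting 'giaddr' and 'hops' leaves the MAC valid. The example takes the key table as given; distributing that shared secret to the client beforehand is the part the option itself does not cover.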