The thing is that most devices don't connect to just one network. So while your devices on your network can certainly trust port 853 on your network, when they roam to other networks, they have no reason to trust it. If you have devices that never roam to other networks, that's fine, but we have to design for the more general case. There's no way with DHCP for the device to tell that it's connected to a particular network, other than matching IP addresses, which isn't a great idea.
On Sat, Aug 18, 2018 at 8:54 PM, Paul Vixie <[email protected]> wrote:
> my threat model is intruders or eavesdroppers on the path between me and
> my rdns. i'd like the dhcp announcement to include a tcp/853 signal along
> with a pre-shared key or the hash thereof. the benefit would be that if my
> rdns network path is less secure than my dhcp network path, i'll improve
> the former by not using traditional udp/53. does that help?
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
