In message <[email protected]>, Michael Richardson writes:

> Mark the other part is the update-reverse-zone-by-TCP DNS update,
> authorized by TCP. You've talked about this. Do you think we need a
> dnsext action to permit this, or any kind of document outside of
> homenet?
Given that I implemented this years ago in BIND and that you can do unauthenticated updates over TCP, the answer would be no.

That said, putting this in a BCP is another matter entirely.

Dynamic updates to the reverse zones SHOULD be done by homenet equipment. It SHOULD be possible to configure TSIG keys (plural) to authenticate dynamic updates of reverse zones. TSIG keys should be used to authenticate the update if configured. If TSIG keys are not configured the update SHOULD be performed over TCP, not UDP. This is to permit the server to use the TCP connection as a weak authentication mechanism.

The update code should check for the presence of CNAME and DNAME records at the well-known reverse names and adjust the update requests to update the target names of the CNAME / DNAME records. This allows for RFC 2317 style delegations to work.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: [email protected]

_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
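The recipe in the reply (follow CNAME/DNAME at the well-known reverse name so RFC 2317 delegations work, authenticate with TSIG when keys are configured, otherwise insist on TCP) as an added worked example. This is illustrative code written for this page, not BIND's implementation or anything from the post; the resource records in `SAMPLE_RRS`, the zone and host names, and the function names are all constructed for the example. It builds the RFC 2136 UPDATE message with its TCP length prefix but does not implement TSIG signing (RFC 8945); it only records whether TSIG or bare TCP is the chosen authentication.

```python
"""Plan and encode a reverse-zone PTR dynamic update following the post's
recipe: follow CNAME/DNAME at the well-known reverse name (RFC 2317 style
delegations), use TSIG when keys are configured, otherwise require TCP."""
import ipaddress
import struct

# Constructed sample data standing in for what a resolver would return
# for the well-known reverse names (hypothetical, not from the post).
SAMPLE_RRS = {
    # RFC 2317 classless delegation of 192.0.2.0/25 using CNAMEs
    "4.2.0.192.in-addr.arpa.": ("CNAME", "4.0/25.2.0.192.in-addr.arpa."),
    # an IPv6 /48 reverse tree redirected elsewhere with a DNAME
    "3.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.": ("DNAME", "3.v6rev.example.net."),
}

def reverse_name(ip):
    """'192.0.2.4' -> '4.2.0.192.in-addr.arpa.' (absolute name)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def resolve_update_owner(name, lookup, max_hops=8):
    """Return the owner name the PTR update must target: follow a CNAME at
    the name itself and a DNAME at the closest enclosing ancestor (RFC 6672
    substitution), bounded so a misconfigured loop is reported, not spun on."""
    for _ in range(max_hops):
        rr = lookup.get(name)
        if rr and rr[0] == "CNAME":
            name = rr[1]
            continue
        labels = name.rstrip(".").split(".")
        for i in range(1, len(labels)):          # closest ancestor first
            rr = lookup.get(".".join(labels[i:]) + ".")
            if rr and rr[0] == "DNAME":
                # keep the labels below the DNAME owner, swap in the target
                name = ".".join(labels[:i]) + "." + rr[1]
                break
        else:
            return name                          # no CNAME/DNAME: done
    raise ValueError("CNAME/DNAME chain too long at " + name)

def plan_update(ip, hostname, lookup, tsig_keys=None):
    """Decide owner name, authentication and transport for the update."""
    owner = resolve_update_owner(reverse_name(ip), lookup)
    if tsig_keys:
        auth, transport = "tsig", "udp-or-tcp"
    else:
        # no key configured: the server only has the TCP connection as
        # weak evidence of the client's address, so UDP is not acceptable
        auth, transport = "none", "tcp"
    return {"owner": owner, "ptr": hostname, "auth": auth,
            "transport": transport}

def encode_name(name):
    """Uncompressed wire-format domain name."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label in " + name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_update(zone, owner, ptr, ttl=3600, msg_id=0x1234):
    """RFC 2136 UPDATE (opcode 5) adding one PTR RR, with the two-byte
    length prefix used on TCP. TSIG signing (RFC 8945) is not done here."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", 6, 1)   # SOA, IN
    rdata = encode_name(ptr)
    update = (encode_name(owner)
              + struct.pack("!HHIH", 12, 1, ttl, len(rdata)) + rdata)  # PTR, IN
    msg = header + zone_section + update
    return struct.pack("!H", len(msg)) + msg

if __name__ == "__main__":
    plan = plan_update("192.0.2.4", "gw.home.example.", SAMPLE_RRS)
    print(plan)
    wire = build_update("0/25.2.0.192.in-addr.arpa.", plan["owner"], plan["ptr"])
    print(wire.hex())
```

The zone name passed to `build_update` is assumed known; a real client would find it by walking up from the rewritten owner name with SOA queries, which is the same step an RFC 2317 delegation forces on it once the CNAME has moved the update out of the /24 zone.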
