My three points that I made:
1) if the key resides in the CPE, then the ISP-owned CPE deployment
is functionally identical to the Mark-Andrews/Michael-Richardson owned CPE
deployment.
=> perhaps the underlying worry is that unless CPE-borne DNSSEC is
the default/only choice, ISPs won't support it, and those of us that care
will, again, be left in the cold.
There is significant precedent that given a choice, ISPs have made
poor choices, and some of those choices have become architectural
catastrophes.

I agree with Mark: there is no issue with replacement of CPEs, etc. I don't think that I would move the private key from one CPE to another. For the reverse zone, just a new private key and populate that. For a forward zone that I owned, I would push a new DS record upwards. The likely reason for a new CPE is that the blue smoke got out of the old one. If the models were compatible, and I had a backup of the config, then perhaps the private key would move, but that seems doubtful for most users.

2) what Andrew Sullivan said: if the keys are different for inside the home vs for outside the home, then any mobile node will get confused and/or will have to flush its DNS cache way too often.

3) the perpass/National-Security-Letter situation. If the key by default resides at the ISP, then it is the ISP that gets served when some agency thinks it wants to divert traffic by changing DNS, and once served, the net may be much larger than desired. By putting the key in the CPE, the legal papers will have to specify that device. It may still be the ISP legal department that responds, but the chance of screwing up is larger. While it seems like the ISP might be better able to protect a single private key against various vulnerabilities, having more technical people than the average home user, etc... the impact of a compromise is so much larger. Yes, home routers have vulnerabilities: if we assume that they are breachable, then the breach can just change the unsigned data; having the private key at the ISP doesn't help us at all.

--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting for hire =-
homenet mailing list, [email protected], https://www.ietf.org/mailman/listinfo/homenet
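Point 1 above turns on what "push a new DS record upwards" means in practice when the private key lives in the CPE: the parent zone holds a DS record that is a hash of the CPE's DNSKEY, so a replacement CPE with a fresh key needs a new DS at the parent, and whoever holds the key is the party that can produce it. The following Python is an added example, not code from the post or from any IETF project; it derives the DS fields (key tag per RFC 4034 Appendix B, SHA-256 digest per RFC 4509) from a DNSKEY using only the standard library. The zone name `home.example`, the helper names, and the short public-key blobs are constructed placeholders; a real key would be, for example, a 32-byte ECDSA P-256 point for algorithm 13.

```python
# Added example (not from the original post): derive the DS record a CPE owner
# would push to the parent zone from the CPE's own DNSKEY, and show that a
# replacement CPE (new private key) produces a different DS.
# Follows RFC 4034 (key tag, Appendix B) and RFC 4509 (DS digest type 2, SHA-256).
# All names and key material below are constructed sample values.
import hashlib
import struct

DS_SHA256 = 2  # DS digest type 2 = SHA-256 (RFC 4509)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each length-prefixed,
    terminated by the root label 0x00 (RFC 4034 section 6.2)."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError("bad label: %r" % label)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA layout: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (16-bit sum with carry folded back in).
    Note: algorithm 1 (RSA/MD5) uses a different legacy rule; not handled here."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes) -> dict:
    """DS fields for the DNSKEY `rdata` owned by `owner`:
    digest = SHA-256(canonical owner name wire form || DNSKEY RDATA)."""
    algorithm = rdata[3]
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return {
        "owner": owner.rstrip(".").lower() + ".",
        "key_tag": key_tag(rdata),
        "algorithm": algorithm,
        "digest_type": DS_SHA256,
        "digest": digest,
    }


def ds_presentation(ds: dict) -> str:
    """Zone-file presentation of a DS record (what gets sent to the parent)."""
    return "%s IN DS %d %d %d %s" % (
        ds["owner"], ds["key_tag"], ds["algorithm"], ds["digest_type"], ds["digest"])


# Constructed sample keys: KSK flags (257), algorithm 13 (ECDSA P-256/SHA-256),
# with deliberately short placeholder public-key blobs so the key tag can be
# checked by hand (old key: 0x0100+0x01+0x0300+0x0d+0x0100+0x02+0x0300+0x04 = 2068).
OLD_CPE_KEY = dnskey_rdata(257, 13, b"\x01\x02\x03\x04")
NEW_CPE_KEY = dnskey_rdata(257, 13, b"\x05\x06\x07\x08")


def cpe_replacement_changes_ds(owner: str = "home.example") -> bool:
    """A replacement CPE generates a new key, so the DS held by the parent no
    longer matches and must be updated by whoever controls the new key."""
    return ds_record(owner, OLD_CPE_KEY)["digest"] != ds_record(owner, NEW_CPE_KEY)["digest"]


if __name__ == "__main__":
    for label, key in (("old CPE", OLD_CPE_KEY), ("replacement CPE", NEW_CPE_KEY)):
        print("%-16s %s" % (label + ":", ds_presentation(ds_record("home.example", key))))
    print("DS changes on CPE replacement:", cpe_replacement_changes_ds())
```

Running the block prints one DS line per key; the two digests differ, which is the concrete reason the post's author says a CPE swap means pushing a new DS upwards rather than moving the old private key. The owner name is canonicalised before hashing, so `HOME.EXAMPLE.` and `home.example` yield the same DS.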
