Dear Suresh,

Would you please update the audience with this answer:

Question: We can save the public key and do not need to use CGA-TSIG.

Answer: An attacker can also copy that public key into his own packet and then update the legitimate host's Resource Records on the DNS. But CGA provides this binding with the IP address, thus preventing an attacker from doing that because the verification will fail. And if we plan to save the public/private keys manually for each host that joins the network, we go back to using TSIG with its manual process, which this draft is supposed to solve.

Question: Just one IP is bound to one host name. What if the host has more than one IP address?

Answer: I will add a flag to CGA-TSIG that shows the number of IP addresses this host has. For example, if host A wants to update its RRs related to the first IP address, then it sets that flag to 1; but if there is no matching hostname in the DNS RR, it accepts that.

Finally, I would like to ask for adoption of this draft in the Intarea working group.

Thank you,
Hosnieh
_______________________________________________ Int-area mailing list [email protected] https://www.ietf.org/mailman/listinfo/int-area
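The binding the first answer relies on can be shown with a small CGA (RFC 3972) generate/verify routine. This is an added illustration, not code from the draft or the mailing list; it assumes a /64 prefix, Sec=0 (the Hash2 step for Sec>0 is deliberately omitted) and an opaque byte string standing in for the DER-encoded public key.

```python
import hashlib
import ipaddress
import os
from dataclasses import dataclass


@dataclass
class CgaParams:
    """CGA Parameters data structure (RFC 3972, section 3), without extension fields."""
    modifier: bytes        # 16 random bytes
    prefix: bytes          # 8-byte /64 subnet prefix
    collision_count: int   # 0..2
    public_key: bytes      # DER-encoded key in the RFC; any opaque bytes in this demo


def cga_interface_id(p: CgaParams, sec: int = 0) -> bytes:
    # Hash1 = leftmost 64 bits of SHA-1(modifier | prefix | collision count | public key)
    h = hashlib.sha1(p.modifier + p.prefix + bytes([p.collision_count]) + p.public_key).digest()
    iid = bytearray(h[:8])
    # Top three bits carry Sec; the u and g bits (bits 6 and 7 of the first byte) are cleared.
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return bytes(iid)


def cga_generate(prefix: bytes, public_key: bytes) -> tuple[ipaddress.IPv6Address, CgaParams]:
    """Sec=0 generation: one hash, no Hash2 work factor, collision count 0."""
    params = CgaParams(os.urandom(16), prefix, 0, public_key)
    return ipaddress.IPv6Address(prefix + cga_interface_id(params)), params


def cga_verify(addr: ipaddress.IPv6Address, params: CgaParams) -> bool:
    """Verifier side: recompute the interface ID from the claimed parameters."""
    packed = addr.packed
    if params.collision_count > 2 or packed[:8] != params.prefix:
        return False
    sec = packed[8] >> 5
    if sec != 0:
        return False  # Hash2 check for Sec>0 not implemented in this demo
    return cga_interface_id(params, sec) == packed[8:]


def demo() -> tuple[bool, bool]:
    """Returns (legitimate host verifies, attacker reusing the host's key verifies)."""
    prefix = ipaddress.IPv6Network("2001:db8::/64").network_address.packed[:8]
    host_key = b"constructed public key of the legitimate host"   # constructed sample
    host_addr, host_params = cga_generate(prefix, host_key)
    # The attacker copies the host's public key and CGA parameters into its own packet,
    # but that packet carries the attacker's source address, so the hash does not match.
    attacker_addr = ipaddress.IPv6Address(prefix + bytes(7) + b"\x01")
    return cga_verify(host_addr, host_params), cga_verify(attacker_addr, host_params)
```

The same check also fails if the public key inside the parameters is swapped for another one, since the key is an input to the hash that produced the address.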
