Hi Ted,

Since you discussed SIG0 during my presentation and you thought that SIG0 is easier to use than cga-tsig, here I would like to just add some points to what Andrew mentioned as a response to you during my presentation.

Problems with SIG0:

- It is unable to provide the proof of IP address ownership, so it is not really a good solution, especially for the authentication of resolvers to clients or authoritative to recursive resolvers. So it cannot prevent IP spoofing (it doesn't sign the IP address).
- It doesn't support an automatic solution after the first configuration, while in cga-tsig this is considered.
- You need to generate key pairs offline and store them on the DNS server. Cga-tsig can generate the key pairs on-the-fly.
- In most cases cga-tsig is considered for the scenario where the network supports SeND. This means that the DNS server isn't necessarily involved in CGA generation. It only uses the CGA parameters which are stored in cache. This is similar to the case where the node doesn't support CGA. As I also explained during my presentation, in this scenario the node can use a script to generate the CGA and then the CGA values will be available for use in the cga-tsig algorithm.

Thanks,
-----------smile----------
Hosnieh
. success is a journey, not a destination.. You cannot change your destination overnight, but you can change your direction ... Focus on the journey

_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
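As an added example (not part of this thread and not the cga-tsig draft's own code), the RFC 3972 CGA generation and verification that the address-ownership argument above rests on: the interface identifier is a hash of the node's public key and the subnet prefix, so a verifier holding the CGA parameters can check that a key really binds to the address, which is exactly what SIG(0) does not give you. The public key below is a constructed placeholder standing in for the DER-encoded key that RFC 3972 hashes, and the prefix is the documentation prefix 2001:db8::/64.

```python
import hashlib
import ipaddress
import os
from typing import Optional

def _hash2_ok(modifier: bytes, pubkey: bytes, sec: int) -> bool:
    """Hash2 = SHA-1(modifier | 9 zero octets | public key); its leftmost 16*sec bits must be zero."""
    h2 = int.from_bytes(hashlib.sha1(modifier + b"\x00" * 9 + pubkey).digest()[:14], "big")
    return (h2 >> (112 - 16 * sec)) == 0

def _interface_id(modifier: bytes, prefix: bytes, collision_count: int, pubkey: bytes, sec: int) -> bytes:
    """Hash1 = SHA-1(modifier | prefix | collision count | public key), leftmost 64 bits,
    with the u/g bits cleared and the three leftmost bits replaced by sec."""
    h1 = bytearray(hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()[:8])
    h1[0] = (h1[0] & 0x1C) | (sec << 5)
    return bytes(h1)

def generate_cga(prefix: bytes, pubkey: bytes, sec: int = 1, modifier: Optional[bytes] = None):
    """Return (IPv6Address, CGA parameters). The modifier search is what makes a higher
    sec value expensive for anyone trying to fit a key of their own to an existing address."""
    modifier = modifier if modifier is not None else os.urandom(16)
    while not _hash2_ok(modifier, pubkey, sec):
        modifier = ((int.from_bytes(modifier, "big") + 1) % 2**128).to_bytes(16, "big")
    collision_count = 0  # would be incremented (max 2) after a DAD collision; not simulated here
    address = ipaddress.IPv6Address(prefix + _interface_id(modifier, prefix, collision_count, pubkey, sec))
    params = {"modifier": modifier, "prefix": prefix, "collision_count": collision_count, "pubkey": pubkey}
    return address, params

def verify_cga(address: ipaddress.IPv6Address, params: dict) -> bool:
    """Check that the public key in params binds to this address, following RFC 3972 verification."""
    packed = address.packed
    sec = packed[8] >> 5  # sec is read from the address itself, never trusted from the parameters
    if not 0 <= params["collision_count"] <= 2 or packed[:8] != params["prefix"]:
        return False
    if not _hash2_ok(params["modifier"], params["pubkey"], sec):
        return False
    expected = _interface_id(params["modifier"], params["prefix"], params["collision_count"], params["pubkey"], sec)
    return packed[8:] == expected

# Constructed sample input: a placeholder for a DER-encoded public key, and the 2001:db8::/64 prefix.
SAMPLE_PUBKEY = b"constructed-placeholder-public-key-not-a-real-DER-blob"
SAMPLE_PREFIX = ipaddress.IPv6Address("2001:db8::").packed[:8]

if __name__ == "__main__":
    addr, params = generate_cga(SAMPLE_PREFIX, SAMPLE_PUBKEY, sec=1)
    print(addr, verify_cga(addr, params))
    # The same parameters with a different key no longer verify against the address.
    print(verify_cga(addr, dict(params, pubkey=b"some-other-key")))
```

A cga-tsig verifier would run verify_cga on the CGA parameters carried with the message and only then check the TSIG under that key, so a valid signature also proves the sender's address.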
