"Steven M. Bellovin" wrote:
>
> In message <[EMAIL PROTECTED]>, Simon Josefsson writes:
> >Of course, everything fails if you ALSO get your DNSSEC root key from
> >the DHCP server, but in this case you shouldn't expect to be secure.
> >I wouldn't be surprised if some people suggest pushing the DNSSEC root
> >key via DHCP though, because alas, getting the right key into the
> >laptop in the first place is a difficult problem.
> >
>
> I can pretty much guarantee that the IETF will never standardize that,
> except possibly in conjunction with authenticated dhcp.
>

Would this be the DHCP working group that on at least 2 occasions when I
was there, insisted that secure DHCP wouldn't require a secret, since DHCP
isn't supposed to require "configuration"?

And all I was proposing at the time was username, challenge, MD5-hash
response (very CHAP-like). They can configure ARP addresses for "security",
but having both the user and administrator configure a per host secret was
apparently out of the question.

-- 
William Allen Simpson
    Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32