On Wed, 22 Dec 2010, Stuart Cheshire wrote:
FWIW, Apple's code on Mac OS X uses TSIG for secure updates. You enter the
credentials in the "Sharing" preferences pane. What the user-interface people
chose to label "User" and "Password" are in reality the TSIG key name and the
TSIG key data. They felt that most users wouldn't know what TSIG meant, and
it was better to have something familiar (but wrong) rather than something
unfamiliar (but correct). Sorry.
BIND allows pretty flexible configurations to control which keys are
authorized to update what records.
What I'm saying is that having to manually pre-configure the hostname
in DNS goes against what appears to be one of the main DNS-SD goals,
i.e., the host can invent the hostname or use it in a zero-conf
fashion.
I don't think it's possible to integrate DNS-SD with secure DNS
without losing at least some of the properties DNS-SD was designed to
address. So it would be unrealistic to require this from the
protocol, especially given its background.
What I would have wanted to see is more truth in advertising how in
practice using security impedes the use of DNS-SD. Which usage modes
of DNS-SD can be made to work and at what cost.
--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings