Introduction to VTP (VLAN Trunking Protocol)

Hello Attila

Actually, with a switch right out of the box, the domain name is indeed NULL. However, if you don’t change anything on the switch, it will adopt the domain name of the first VTP message it receives. So right out of the box, VTP is not in a very secure state.

Yes, this is indeed true, and by setting up a random VTP domain with a password on each switch, you can ensure that VTP messages will not be relayed. In my opinion, this solution is a little bit over the top. What I mean is, the administrative overhead needed for the solution is a bigger problem than the issue it resolves. Simply setting all switches to transparent as a best practice should be more than enough to ensure that you’re “safe” from the possible problems introduced. For me, I’d be more prone to make a mistake trying to ensure each switch has a different VTP domain rather than simply setting everything up as transparent.

Your approach is not incorrect, and if it works for you, go for it. The other option that I’d like to point out is that VTP version 3 has the ability to disable VTP completely using the vtp mode off command. This command essentially is the same as the transparent mode, but the switch doesn’t forward VTP messages. For me, if VTP version 3 is available, this is the best option.

I hope this has been helpful!

Laz

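The states discussed in the reply above can be checked across a fleet from collected `show vtp status` output. The following is an added example, not part of the original post: the sample outputs and switch names are constructed, and the field labels are assumed to match your platform's output, which varies by software release.

```python
import re

# Constructed samples modelled on `show vtp status` field labels (assumption:
# your platform prints these labels; adjust the keys below if it does not).
SAMPLES = {
    "sw-factory": "VTP version running : 1\nVTP Domain Name :\nVTP Operating Mode : Server\n",
    "sw-client": "VTP version running : 2\nVTP Domain Name : CORP\nVTP Operating Mode : Client\n",
    "sw-transparent": "VTP version running : 1\nVTP Domain Name : LAB\nVTP Operating Mode : Transparent\n",
    "sw-off": "VTP version running : 3\nVTP Domain Name : LAB\n  VTP Operating Mode : Off\n",
}

FINDINGS = {
    "exposed-null-domain": "server/client with NULL domain: adopts the domain of the first VTP message received",
    "participating": "server/client in a named domain: accepts VTP updates for that domain",
    "ok-transparent": "transparent: ignores VTP updates but still forwards VTP messages",
    "ok-off": "off (VTPv3): ignores VTP updates and does not forward VTP messages",
    "unknown": "operating mode not found in the output",
}

def parse_status(text):
    """Turn 'Label : value' lines into a dict keyed by lower-cased label."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(VTP [^:]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            # Keep the first occurrence: VTPv3 output can repeat the mode
            # line per feature, and the VLAN feature is listed first.
            fields.setdefault(m.group(1).lower(), m.group(2))
    return fields

def assess(text):
    """Classify one switch's VTP posture from its status output."""
    fields = parse_status(text)
    mode = fields.get("vtp operating mode", "").lower()
    domain = fields.get("vtp domain name", "")
    if mode == "off":
        return "ok-off"
    if mode == "transparent":
        return "ok-transparent"
    if mode in ("server", "client"):
        return "participating" if domain else "exposed-null-domain"
    return "unknown"

def audit(samples):
    """Return {switch: finding code} for every collected output."""
    return {name: assess(text) for name, text in samples.items()}

if __name__ == "__main__":
    for name, code in audit(SAMPLES).items():
        print(f"{name:15} {code:20} {FINDINGS[code]}")
```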