On Sun, Nov 02, 1997 at 11:12:50PM -0500, Alan Hannan wrote:
Does anyone wish to correct me? I'm a pretty decent thinker, but it's possible I may misunderstand some specifics, I'm _not_ a DNSSEC or NAT mechanic.
I am not intimate enough with the internals of DNSSEC to comment on the interoperability with NATs at this time.
As such, I wouldn't question your assertion. I do, however, question this premise as being directly relevant to the advancement of NAT use in the internet infrastructure.
Well, let's look at that.
It is likely that the scaling properties of the internet will demand a change in the lower level protocols.
When this happens, the higher layer protocols (like DNSSEC) will have to be reworked.
So DNSSEC gets broken. Fix DNSSEC after we fix the infrastructure.
With NAT you can subdivide the network to many orders of growth. The sum work saved by doing this vastly outweighs the work required to adapt DNSSEC.
Well, I don't know as where that's necessarily true, and as I noted in a private reply to someone else on this, there's a trend to make fundamental architectural changes in the net with, I think, too little attention to how many assumptions will get broken there. An analogy is in order here. A few years back, someone had the bright idea that tires, which are incredibly difficult to recycle effectively, might be well used as filler in manufacturing asphalt to pave roads. Apparently, however, insufficient testing was performed... as the roads started _catching on fire_. Changes as fundamental as breaking the assumptions currently safe about end-to-end connectivity and routability in something as pervasive and mission critical as the Internet Backbone (i.e.: the collective capacity of the 26 or so current commercial and government backbones) merit _extensive_ real-world testing.
For example, the root name system could interoperate with the NAT machines in a controlled manner. No, it's not a trivial task. However, isn't it easier than renumbering the entire address space and putting more space into the problem?
Not necessarily. What would be required here would be for a given nameserver to query a NAT server for the appropriate translation, put _that_ address in its response, and sign the result, avoiding the necessity of the layer 3 NAT box having to poke into the layer 4 DNS response. And, of course, then the DNS server is professing to be authoritative for the NAT server... and trust isn't necessarily commutative.

I agree with Paul; we've dragged this out about as far as it will go; let's adjourn further discussions to the NOD list, shall we?

Cheers,
-- jra
-- 
Jay R. Ashworth                                        jra@baylink.com
Member of the Technical Staff          Unsolicited Commercial Emailers Sued
The Suncoast Freenet                   "Pedantry. It's not just a job, it's an
Tampa Bay, Florida                      adventure." -- someone on AFU
+1 813 790 7592
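As an added illustration of the two mechanisms Jay contrasts above (not code from the thread or from any DNSSEC implementation), a toy Python model: a NAT box that rewrites the A record inside an already-signed answer leaves the signature stale, while a nameserver that consults the NAT table before signing produces an answer that still verifies. The HMAC, the NAT table, the owner name and the addresses are constructed stand-ins for DNSSEC's asymmetric RRSIG and a real translation table.

```python
import hashlib
import hmac
import ipaddress

# Constructed zone key; an HMAC stands in for DNSSEC's asymmetric RRSIG so the
# example runs on the standard library alone.
ZONE_KEY = b"constructed-zone-signing-key"

# Constructed NAT table: inside (private) address -> outside (public) address.
NAT_TABLE = {ipaddress.ip_address("10.1.2.3"): ipaddress.ip_address("192.0.2.10")}

def canonical_rrset(owner, rtype, ttl, rdata):
    """Canonical form of an RRset (lowercase owner, sorted rdata), as DNSSEC signs it."""
    rows = sorted(str(r) for r in rdata)
    return "\n".join([owner.lower(), rtype, str(ttl), *rows]).encode()

def sign_rrset(owner, rtype, ttl, rdata, key=ZONE_KEY):
    """Return (rrset, rrsig) where rrsig covers the canonical rrset."""
    rrset = (owner, rtype, ttl, tuple(rdata))
    sig = hmac.new(key, canonical_rrset(*rrset), hashlib.sha256).hexdigest()
    return rrset, sig

def verify_rrset(rrset, sig, key=ZONE_KEY):
    """True only if the signature matches the rrset as it arrived at the resolver."""
    expected = hmac.new(key, canonical_rrset(*rrset), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)

def nat_rewrite_answer(rrset, sig, table=NAT_TABLE):
    """The problem case: a layer 3 NAT box rewriting A records in a passing DNS reply."""
    owner, rtype, ttl, rdata = rrset
    translated = tuple(table.get(a, a) for a in rdata)
    return (owner, rtype, ttl, translated), sig  # signature untouched, now stale

def nat_aware_sign(owner, ttl, inside_rdata, table=NAT_TABLE, key=ZONE_KEY):
    """The alternative: the nameserver asks the NAT for the translation, then signs."""
    outside = [table.get(a, a) for a in inside_rdata]
    return sign_rrset(owner, "A", ttl, outside, key)

def demo():
    inside = [ipaddress.ip_address("10.1.2.3")]
    rrset, sig = sign_rrset("host.example.", "A", 3600, inside)
    rewritten, stale_sig = nat_rewrite_answer(rrset, sig)
    server_side, good_sig = nat_aware_sign("host.example.", 3600, inside)
    return {
        "original_ok": verify_rrset(rrset, sig),          # True
        "nat_rewritten_ok": verify_rrset(rewritten, stale_sig),  # False
        "nat_aware_ok": verify_rrset(server_side, good_sig),     # True
        "nat_aware_address": str(server_side[3][0]),      # "192.0.2.10"
    }
```

The second result is the point of the thread: once the NAT changes the rdata, no resolver holding the zone's key can validate the answer, which is why the translation has to happen before signing rather than after.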