Havard said:
...which brings me to think if it isn't so that Secure DNS (at least as currently specified) and widespread deployment of NAT boxes which fiddle with the contents of DNS reply/request packets isn't exactly a properly working combination. As I understand it you can have NAT or Secure DNS with e.g. signed A records but you can't (easily?) have both.
This is a misdirected concern. DNS clients inside a NAT cloud are already proscribed from seeing DNS data from other NAT clouds or from the Internet itself. The NAT technology has to strip off DNSSEC stuff when it imports data but it tends to strip off DNS delegation and authority data as well, and tends to alter the address and mail exchange records. NAT borders are already DNS endpoints, with or without DNSSEC. Whether and how to regenerate external DNS inside a NAT cloud is a matter of NAT implementation, but the fact that it's _regenerated_, not forwarded or recursed, is a design constant.
(While I have replied to Paul, this raving is for everyones general amusment. - bill) I think this is correct. However, this line of thinking when seen in the light of end2end IPSEC seems to indicate that NAT/Firewall technologies mandate a regenerated security "envelope" at the NAT/Firwall edge. This tends to be what corporations/governments want, while others tend toward the endpoints being indivdually oriented. I, for one, (and I expect I'm in the minority here) don't want to hand my keys over to BBSS, Sprint, GTE, WCOM, the FBI, the Governement of France... so they can decrypt the packets that I am sending to you. So, while I agree that NAT/Firewall techniques are an approch to dealing with heirarchy/scaling issues, I think that MJR was right. NAT/Firewalls are bandaids to be used until we have reasonable endsystem/endsystem IP security. If you really buy off on the catanet arguement, then there is no need to reuse IP. FIDOnet, TCP on PPPover(mediaofchoice), DECnet adnausa are available and you win with application transparency. Jumping through all those hoops to make NATs work "seamlessly" is a glittering bauble. Lots of interesting knots to go untangle as folks rework and undo one of the basic assumptions behind IP which is a single, common addressing space. And its really an admission of failure. Too many people saying, "Its too hard to make true end2end work, (even across the existant IP (thats IPv4 for you Sean) space) so we must carve it up into tiny bits that each party can claim as their very own." Buying into NATs dooms people to live in thier private hells. Embrace Brigadoon. --bill